Debugger Detected


It is a will show as it will be possible to find debugger that is to increase 
a  level of protection  of your virus. In  this article displays some method, 
which were found in the popular programs for PC.


Debug_Installed
~~~~~~~~~~~~~~~

This trickz working only in ring0. It is a method to me reminds Win32 api 
function IsDebuggerPresent and does(makes) too most only for ring0...

   VMMCall Test_Debug_Installed
   je      not_installed_debugger


SoftIce installed
~~~~~~~~~~~~~~~~~

It is a method checks is established on machine (computer) of the user 
SoftIce.. Not a real method of detection. This method works under Win32 
(NT/2k/9x).

   HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE

It is possible as to use other keys for search SoftIce in the regedit.

BoundsChecker
~~~~~~~~~~~~

It seeks the signature of BoundsChecker in SoftICE.

    mov  ebp, 04243484Bh        ; 'BCHK'
    mov  ax, 04h
    int  3
    cmp  al,4
    jnz  SoftICE_Detected

int41h/4fh
~~~~~~~~~~

This trick is similar to int41h/4fh Debugger installation check, it uses the 
VxDCall backdoor. This method works only under Win9x.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected



SoftICE detection via UnhandledExceptionFilter Api
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The simple method which uses win32 api "UnhandledExceptionFilter" for 
detection SoftIce. 

cmp byte ptr [kernel32!UnhandledExceptionFilter], int3



ULTRAS [MATRiX]