{"id":2399,"date":"2014-06-15T10:31:52","date_gmt":"2014-06-15T10:31:52","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2399"},"modified":"2014-06-15T10:31:52","modified_gmt":"2014-06-15T10:31:52","slug":"rdtscp-a-recooked-antire-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2014\/06\/15\/rdtscp-a-recooked-antire-trick\/","title":{"rendered":"RDTSCP &#8211; a recooked AntiRe trick"},"content":{"rendered":"<p>RDTSC is an instruction used to read a processor&#8217;s time stamp counter. Reading it twice allows one to calculate the delta between the two counter values and, if the obtained delta is significantly large, use it as a sign of a debugger, an emulator, or a virtual environment.<\/p>\n<pre>\u00a0\u00a0 rdtsc            ; first read, low 32 bits of the TSC land in EAX\r\n\u00a0\u00a0 mov\u00a0 ebx,eax      ; save them\r\n\u00a0\u00a0 rdtsc            ; second read\r\n\u00a0\u00a0 sub\u00a0 eax,ebx      ; delta between the two reads\r\n\u00a0\u00a0 cmp\u00a0 eax,DELTA    ; DELTA is the threshold chosen by the check&#8217;s author\r\n\u00a0\u00a0 jb\u00a0\u00a0 ok           ; small delta: assume native execution\r\n\u00a0\u00a0 ...\r\n\u00a0\u00a0 suspicious environment detected\r\n\u00a0\u00a0 ...\r\nok:<\/pre>\n<p>It&#8217;s a really old anti-reversing trick (and it has many variants) that can be recognized, instrumented, or bypassed by making RDTSC a privileged instruction (e.g. using the Phantom plugin for OllyDbg), or simply by patching the code.<\/p>\n<p>Newer processors support a new instruction called RDTSCP that does the same thing as RDTSC, except that it does it in a serializing way (it waits for all preceding instructions to complete before reading the counter, so out-of-order execution cannot move the read earlier). 
It can be used to calculate the time stamp counter delta the same way as RDTSC and, as a result, to detect that the program is being debugged, emulated, or run inside a virtual environment.<\/p>\n<p>This is nothing groundbreaking (read: it&#8217;s kinda lame), but since it could be used as &#8216;yet another anti-&#8217; trick it is still worth documenting.<\/p>\n<pre>\u00a0\u00a0 rdtscp           ; first read, low 32 bits of the TSC land in EAX\r\n\u00a0\u00a0 mov\u00a0 ebx,eax      ; save them\r\n\u00a0\u00a0 rdtscp           ; second read\r\n\u00a0\u00a0 sub\u00a0 eax,ebx      ; delta between the two reads\r\n\u00a0\u00a0 cmp\u00a0 eax,DELTA    ; DELTA is the threshold chosen by the check&#8217;s author\r\n\u00a0\u00a0 jb\u00a0\u00a0 ok           ; small delta: assume native execution\r\n\u00a0\u00a0 ...\r\n\u00a0\u00a0 suspicious environment detected\r\n\u00a0\u00a0 ...\r\nok:<\/pre>\n<p>The opcode for RDTSCP is <strong>0F 01 F9<\/strong>, so you can embed the raw bytes inline if your assembler doesn&#8217;t support it.<\/p>\n<p>OllyDbg 1.x does not know the instruction and disassembles it as:<\/p>\n<ul>\n<li>\n<pre>0F01F9 INVLPG\u00a0 CL<\/pre>\n<\/li>\n<\/ul>\n<p>OllyDbg 2.x recognizes it correctly as:<\/p>\n<ul>\n<li>\n<pre>0F01F9 rdtscp<\/pre>\n<\/li>\n<\/ul>\n<p>RDTSCP is not recognized by Virtual PC 2007 or by older hardware. One can use CPUID to determine whether the instruction is supported, or simply attempt to run it and catch the STATUS_ILLEGAL_INSTRUCTION exception if it is not.<\/p>\n<p>One thing to note: the RDTSC(P) delta trick doesn&#8217;t detect virtual environments very well &#8211; running samples &#8216;live&#8217; inside VMWare easily fools malware into believing it runs on a &#8216;real&#8217; computer (unless it uses other VM detection tricks, or the DELTA threshold is really small &#8211; a kinda silly idea since it would prevent the malware from running on slower systems). 
As mentioned above, when used in a debugging\/tracing context RDTSC(P) can be quite successful.\u00a0It would be interesting to find out how it performs under various emulators, but I don&#8217;t use them so I could not test it.<\/p>\n<p>Results of running the test program on the host and under several VMs are below:<\/p>\n<ul>\n<li>Host (Windows 7 SP1 x64):\n<ul>\n<li>rdtscp delta=27, rdtsc delta=21<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=140<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=76, rdtsc delta=60<\/li>\n<li>rdtscp delta=27, rdtsc delta=29<\/li>\n<li>rdtscp delta=38, rdtsc delta=21<\/li>\n<\/ul>\n<\/li>\n<li>VMWare Workstation 10.0.2, guest OS: Windows XP SP3 32:\n<ul>\n<li>rdtscp delta=241, rdtsc delta=325<\/li>\n<li>rdtscp delta=241, rdtsc delta=399<\/li>\n<li>rdtscp delta=236, rdtsc delta=331<\/li>\n<li>rdtscp delta=236, rdtsc delta=405<\/li>\n<li>rdtscp delta=265, rdtsc delta=304<\/li>\n<li>rdtscp delta=265, rdtsc delta=349<\/li>\n<li>rdtscp delta=265, rdtsc delta=340<\/li>\n<\/ul>\n<\/li>\n<li>VMWare Workstation 10.0.2, guest OS: Windows 7 SP1 32:\n<ul>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=21<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=21<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=18<\/li>\n<li>rdtscp delta=56, rdtsc delta=21<\/li>\n<\/ul>\n<\/li>\n<li>VMWare Workstation 10.0.2, guest OS: Windows 7 SP1 64:\n<ul>\n<li>rdtscp delta=27, rdtsc delta=21<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=47<\/li>\n<li>rdtscp delta=27, rdtsc delta=18<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=56, rdtsc delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=21<\/li>\n<\/ul>\n<\/li>\n<li>Virtual Box 4.3.10, guest OS: Windows XP SP3 32:\n<ul>\n<li>rdtscp delta=64, rdtsc delta=64<\/li>\n<li>rdtscp delta=27, rdtsc delta=47<\/li>\n<li>rdtscp delta=27, rdtsc 
delta=18<\/li>\n<li>rdtscp delta=27, rdtsc delta=18<\/li>\n<li>rdtscp delta=56, rdtsc delta=21<\/li>\n<li>rdtscp delta=27, rdtsc delta=21<\/li>\n<li>rdtscp delta=27, rdtsc delta=50<\/li>\n<li>rdtscp delta=27, rdtsc delta=47<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>You can download the test program <a href=\"https:\/\/www.hexacorn.com\/examples\/RDTSCP.exe\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RDTSC is an instruction used to read a processor&#8217;s time stamp counter. Reading it twice allows one to calculate the delta between the two counter values and, if the obtained delta is significantly large, use it as a &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/06\/15\/rdtscp-a-recooked-antire-trick\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2399"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2399"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2399\/revisions"}],"predecessor-version":[{"id":2404,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2399\/revisions\/2404"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:
\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}