{"id":3105,"date":"2015-06-24T16:14:41","date_gmt":"2015-06-24T16:14:41","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3105"},"modified":"2015-06-24T16:17:45","modified_gmt":"2015-06-24T16:17:45","slug":"using-lastsystemriteventtickcount-as-a-lame-antisandbox-trick","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/06\/24\/using-lastsystemriteventtickcount-as-a-lame-antisandbox-trick\/","title":{"rendered":"Using LastSystemRITEventTickCount as a (lame) antisandbox trick"},"content":{"rendered":"

LastSystemRITEventTickCount is a member of a _KUSER_SHARED_DATA<\/a> structure. If you google for this particular field’s description you will eventually find sth along these lines:<\/p>\n

Time in tick count for system-wide last user input across all terminal sessions. For MP performance, it is not updated all the time (e.g. once a minute per session). It is used for idle detection.<\/em><\/p>\n

Since the user input is quite important from the sandbox perspective detecting changes (or lack of) of this particular field can act as a trivial (a.k.a. lame) anti-sandboxing trick.<\/p>\n

Consider a simple routine like this:<\/p>\n

\u00a0\u00a0 mov edx,ds:[7FFE02E4h] ; get LastSystemRITEventTickCount\u00a0\r\n\u00a0\u00a0 back:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 pushad\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 invoke Sleep,70 ; sleep for some time\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 popad\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 mov eax,ds:[7FFE02E4h] ; get new value of LastSystemRITEventTickCount\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 sub eax,edx\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 jz\u00a0 back\r\n\u00a0\u00a0 ...\r\n<\/pre>\n
When ran, it waits for some user input (keyboard, mouse events) and only exits when these happen (sometimes more than one event is needed; this is probably caused by the update intervals).<\/p>\n
\"LastSystemRITEventTickCount\"<\/a><\/p>\n
Trivia fact: the very same value check is at the core of a function BeginIdleDetection<\/a>.<\/p>\n
An example demo program can be found here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
LastSystemRITEventTickCount is a member of a _KUSER_SHARED_DATA structure. If you google for this particular field’s description you will eventually find sth along these lines: Time in tick count for system-wide last user input across all terminal sessions. For MP performance, … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,9,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3105"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3105"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3105\/revisions"}],"predecessor-version":[{"id":3110,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3105\/revisions\/3110"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}