The rdtsc (Read Time-Stamp Counter) instruction returns the number of CPU ticks that have elapsed since the processor was reset. It is commonly used as a timing defense (an anti-debugging technique). The NASM listing below demonstrates it: ten times over, it measures the tick delta between two back-to-back rdtsc reads, prints each delta, and then prints the average.
9bfdca451768b6da9c782a6982027fffa643051d6ce5acb5bcfddea28faba675
;Timekeeping in VMware Virtual Machines
;Description
;The rdtsc (Read Time-Stamp Counter) instruction is used to determine how many CPU ticks took place since the processor was reset.
;It is commonly used as a timing defense (anti-debugging technique).
;Coded By B3mB4m
;Contact : b3mb4m@tuta.io
extern printf
section .text
global main
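;-----------------------------------------------------------------------
; int main(void)
; Target: 32-bit x86 Linux, NASM syntax, cdecl, linked against libc.
;
; Samples the time-stamp counter ITERATIONS times. Each sample is the
; low-32-bit tick delta between two back-to-back rdtsc reads; every
; delta is printed and summed into [total]. The average is then printed
; and compared with VM_THRESHOLD: an average at or above it prints
; "VM Detected", anything lower prints "VM not present".
;
; Out:   eax = 0 (becomes the process exit status)
; Regs:  ebx = loop counter, later the saved average (callee-saved, so
;              it survives the printf calls)
;        edi = first TSC sample of the current pair
; Clobb: eax, ecx, edx, flags
; Stack: 16 bytes of outgoing-argument space; together with the three
;        register saves this keeps esp 16-byte aligned at every call,
;        provided main was entered with the usual call-site alignment.
;
; Reading the result: rdtsc is not a serializing instruction, and a
; delta is also inflated by any interrupt or preemption that lands
; between the two reads. Whether rdtsc traps to a hypervisor at all
; depends on how that hypervisor is configured. VM_THRESHOLD is thus a
; heuristic: a high average does not prove a VM and a low one does not
; rule it out.
; When triaging a binary for timing checks, the pattern to look for is
; two rdtsc reads a few instructions apart whose difference feeds a
; compare against a small constant.
;
; Build note: the code uses absolute addresses (non-PIC); a toolchain
; that links PIE by default may need -no-pie at the gcc step.
;-----------------------------------------------------------------------
ITERATIONS      equ     0x0A            ; number of rdtsc pairs sampled
VM_THRESHOLD    equ     0xC8            ; average delta, in ticks, at or above which a VM is reported

main:
        push    ebp                     ; set up stack frame
        mov     ebp, esp
        push    ebx                     ; callee-saved: loop counter / average
        push    edi                     ; callee-saved: first TSC sample
        sub     esp, 16                 ; outgoing printf arguments live at [esp], [esp+4]

        mov     ebx, ITERATIONS
.sample:
        rdtsc                           ; edx:eax = TSC; only the low half is used
        mov     edi, eax
        rdtsc
        sub     eax, edi                ; eax = delta between the two reads (mod 2^32)
        add     [total], eax
        mov     [esp + 4], eax
        mov     dword [esp], printformat
        call    printf                  ; printf("RDTSC difference : %d\n", delta)
        dec     ebx
        jnz     .sample

        ; Dividend : EDX:EAX, Quotient : EAX, Remainder : EDX
        mov     eax, [total]
        xor     edx, edx                ; zero-extend the dividend
        mov     ecx, ITERATIONS
        div     ecx
        ; printf returns its character count in eax, so the average is
        ; parked in ebx first; comparing eax after the call would test
        ; the printed length instead of the measurement.
        mov     ebx, eax
        mov     [esp + 4], eax
        mov     dword [esp], printformat2
        call    printf                  ; printf("RDTSC average : %d \n", average)

        mov     ecx, vmdetect
        cmp     ebx, VM_THRESHOLD
        jae     .report                 ; unsigned: average >= threshold reports a VM
        mov     ecx, vmnotpresent
.report:
        mov     [esp], ecx              ; message contains no conversion specifiers
        call    printf

        ; Return through libc instead of a raw sys_exit so buffered
        ; stdout is flushed even when the output is redirected.
        xor     eax, eax                ; exit status 0
        add     esp, 16
        pop     edi
        pop     ebx
        pop     ebp
        ret

section .data
vmdetect:       db      "VM Detected", 10, 0
vmnotpresent:   db      "VM not present", 10, 0
printformat:    db      "RDTSC difference : %d", 10, 0
printformat2:   db      "RDTSC average : %d ", 10, 0
total:          dd      0               ; running sum of the sampled deltas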
;nasm -f elf testvm.asm
;gcc -m32 -o testvm testvm.o