Add generic sandbox / dbg detection using rdtsc instruction

pafish/gensandbox.c

@@ -2,6 +2,7 @@
 #include <windows.h>
 #include <winioctl.h>
 #include <string.h>
+#include <stdint.h>
 
 #include "types.h"
 #include "gensandbox.h"
@@ -102,3 +103,11 @@ int gensandbox_sleep_patched() {
 	if ((GetTickCount() - time1) > 450 ) return FALSE;
 	else return TRUE;
 }
+
+int gensandbox_rdtsc() {
+	uint64_t ret, ret2;
+	asm volatile ( "rdtsc" : "=A"(ret) );
+	asm volatile ( "rdtsc" : "=A"(ret2) );
+	return (ret2 - ret) > 1000 ? TRUE : FALSE;
+}
+

pafish/gensandbox.h

@@ -14,4 +14,6 @@ int gensandbox_drive_size2();
 
 int gensandbox_sleep_patched();
 
+int gensandbox_rdtsc();
+
 #endif

pafish/main.c

@@ -125,6 +125,14 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();
 
+	printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... ");
+	if (gensandbox_rdtsc() == TRUE) {
+		print_traced();
+		write_log("Sandbox traced by checking the difference between CPU timestamp counters (rdtsc)");
+		write_trace("hi_sandbox_rdtsc");
+	}
+	else print_not_traced();
+
 	/* Hooks detection tricks */
 	printf("\n[-] Hooks detection\n");
 	printf("[*] Checking function DeleteFileW method 1 ... ");