From ae8dc5842c5861f0f6cbc41a8424ccf0bdf7e557 Mon Sep 17 00:00:00 2001
From: Alberto Ortega
Date: Fri, 13 Mar 2015 13:34:59 +0100
Subject: [PATCH] Add generic sandbox / dbg detection using rdtsc instruction

---
 pafish/gensandbox.c | 9 +++++++++
 pafish/gensandbox.h | 2 ++
 pafish/main.c | 8 ++++++++
 3 files changed, 19 insertions(+)

diff --git a/pafish/gensandbox.c b/pafish/gensandbox.c
index 24a2682..95b8ea6 100644
--- a/pafish/gensandbox.c
+++ b/pafish/gensandbox.c
@@ -2,6 +2,7 @@
 #include
 #include
 #include
+#include
 #include "types.h"
 #include "gensandbox.h"
@@ -102,3 +103,11 @@ int gensandbox_sleep_patched() {
 	if ((GetTickCount() - time1) > 450 ) return FALSE;
 	else return TRUE;
 }
+
+int gensandbox_rdtsc() {
+	uint64_t ret, ret2;
+	asm volatile ( "rdtsc" : "=A"(ret) );
+	asm volatile ( "rdtsc" : "=A"(ret2) );
+	return (ret2 - ret) > 1000 ? TRUE : FALSE;
+}
+
diff --git a/pafish/gensandbox.h b/pafish/gensandbox.h
index 80a36a7..ac024bc 100644
--- a/pafish/gensandbox.h
+++ b/pafish/gensandbox.h
@@ -14,4 +14,6 @@ int gensandbox_drive_size2();
 int gensandbox_sleep_patched();
 
+int gensandbox_rdtsc();
+
 #endif
diff --git a/pafish/main.c b/pafish/main.c
index 425b66f..fe452a8 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -125,6 +125,14 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();
 
+	printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... ");
+	if (gensandbox_rdtsc() == TRUE) {
+		print_traced();
+		write_log("Sandbox traced by checking the difference between CPU timestamp counters (rdtsc)");
+		write_trace("hi_sandbox_rdtsc");
+	}
+	else print_not_traced();
+
 	/* Hooks detection tricks */
 	printf("\n[-] Hooks detection\n");
 	printf("[*] Checking function DeleteFileW method 1 ... ");
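Review bot: The `"=A"` constraint used in both `asm volatile` statements of gensandbox_rdtsc only yields the edx:eax pair on 32-bit x86; on x86-64 GCC `"=A"` picks a single register for a 64-bit operand, so `ret` and `ret2` would carry only part of the counter and the subtraction can wrap. If this file is only ever built as 32-bit the code works as written, but the portable form is `uint32_t lo, hi; asm volatile("rdtsc" : "=a"(lo), "=d"(hi)); ret = ((uint64_t)hi << 32) | lo;` for each read. The threshold 1000 is a bare magic number and a single pair of reads is also perturbed by any interrupt or context switch that lands between them, so please name it and record the assumption, e.g. `enum { RDTSC_SANDBOX_THRESHOLD = 1000 }; /* cycles between two consecutive reads; tuned empirically, one sample can misfire on bare metal */`. The function is also declared with an empty parameter list; `int gensandbox_rdtsc(void)` (here and in gensandbox.h) gives it a real prototype.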
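Review bot: The new block in main() repeats verbatim the printf / `if (... == TRUE)` / print_traced / write_log / write_trace / `else print_not_traced();` sequence that the neighbouring checks visibly follow, and types the same description string twice (once for the printf, once for write_log). A small helper such as `run_check(int (*check)(void), const char *desc, const char *tag)` would keep each check to one call and stop the two copies of the text from drifting apart; this is a style point and can be done separately from this commit. main() starts and ends outside the hunk.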