2017-05-30 05:01 CEST

ID: 0000409
Project: Cheat Engine
Category: (No Category)
View Status: public
Last Update: 2015-10-01 19:43
Reporter: pausebreak7
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: windows
OS: 7 x64
OS Version:
Summary: 0000409: DarkByte VMPROTECT DBVM Detect VM EXIT?
Description: I've recently found more relevant data

Open Source Code

https://github.com/a0rtega/pafish

https://github.com/a0rtega/pafish/archive/v0.5.4.zip

pafish code: checks the difference between CPU timestamp counters (rdtsc) while forcing a VM exit (detection code)

Steps To Reproduce: DBVM LOAD -> VM_EXIT RDTSC TIMESTAMP DETECT

DBVM NOT LOAD -> VM_EXIT RDTSC TIMESTAMP NOT DETECT

Does vmprotect also detect vm_exit?

vmprotect detection logic: even vm_exit might have been detected

Is it possible to bypass the detection, if this is right?
Additional Information: detect.png upload

Tags: No tags attached.
Attached Files


Notes

~0000875

pausebreak7 (reporter)

cpu.c code:

#include <windows.h>   /* Sleep(), TRUE, FALSE */

/* Read the TSC, force a VM exit with CPUID leaf 0, read the TSC again.
   A VT-x/AMD-V hypervisor must intercept CPUID, so the round trip is
   much longer under virtualisation than on bare metal. */
static inline unsigned long long rdtsc_diff_vmexit() {
    unsigned long long ret, ret2;
    unsigned eax, edx;
    __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
    ret = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    /* vm exit forced here. it uses: eax = 0; cpuid;
       "+a" because cpuid overwrites eax too; ebx/ecx/edx are clobbered */
    eax = 0;
    __asm__ volatile("cpuid" : "+a"(eax) : : "ebx", "ecx", "edx");
    __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
    ret2 = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    return ret2 - ret;
}

------------------------------------------------------------------

/* Average ten samples taken 500 ms apart; report TRUE (virtualised)
   unless the average CPUID round trip lies in the 0..1000 cycle window. */
int cpu_rdtsc_force_vmexit() {
    int i;
    unsigned long long avg = 0;
    for (i = 0; i < 10; i++) {
        avg = avg + rdtsc_diff_vmexit();
        Sleep(500);
    }
    avg = avg / 10;
    return (avg < 1000 && avg > 0) ? FALSE : TRUE;
}

------------------------------------------------------------------

/* CPUID leaf 1: ECX bit 31 is the "hypervisor present" bit, set by
   hypervisors that choose to report themselves. */
static inline int cpuid_hv_bit() {
    unsigned eax = 0x01, ecx;
    __asm__ volatile("cpuid"
            : "+a"(eax), "=c"(ecx)
            :
            : "ebx", "edx");   /* leaf 1 also writes ebx and edx */
    return (ecx >> 31) & 0x1;
}

How do you think the code can bypass the vm_exit?
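An added example (not the reporter's code and not pafish's own): the same CPUID round-trip measurement in C, but judged on the median of back-to-back samples instead of pafish's mean, so one interrupt or scheduler hit does not flip the verdict. It is the kind of harness a hypervisor author (DBVM included) can use to see whether their CPUID exit remains visible to this class of check. The 1000-cycle threshold is pafish's; the function names and the two constant sample arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() */
#endif

/* One sample: cycles around CPUID leaf 0, which VT-x/AMD-V must intercept. */
uint64_t cpuid_roundtrip_cycles(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    return __rdtsc() - t0;
#else
    return 0;                       /* not x86: no meaningful sample */
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; sorts a copy so the caller's array is untouched. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    uint64_t *buf = malloc(n * sizeof *buf);
    if (!buf) return 0;
    memcpy(buf, samples, n * sizeof *buf);
    qsort(buf, n, sizeof *buf, cmp_u64);
    uint64_t m = (n % 2) ? buf[n / 2] : (buf[n / 2 - 1] + buf[n / 2]) / 2;
    free(buf);
    return m;
}

/* pafish's verdict rule applied to the median: 1 = hypervisor suspected. */
int hv_suspected(const uint64_t *samples, size_t n, uint64_t threshold) {
    uint64_t m = median_u64(samples, n);
    return (m > 0 && m < threshold) ? 0 : 1;
}

/* Constructed sample sets (not real measurements) used by the checks below. */
const uint64_t kNativeLike[5] = {120, 130, 110, 4000, 125}; /* median 125 */
const uint64_t kHvLike[4] = {2500, 3100, 2800, 2600};       /* median 2700 */
```

To probe a live machine, fill an array by calling cpuid_roundtrip_cycles() in a loop and pass it to hv_suspected() with the 1000-cycle threshold.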

~0000876

pausebreak7 (reporter)

cpuid detect: additional information

https://www.virtualbox.org/ticket/10947

https://www.virtualbox.org/raw-attachment/ticket/10947/Test%20Examples.rar

cpuid.exe
dbvm load -> Flag Value is wrong! //detect
dbvm not load -> flag value is right! //not detect
rdtsc.exe
dbvm load -> flag value is right! //not detect
dbvm not load -> flag value is right! //not detect

cpuid detect code

---------------------------------------
    .586
    .model flat, stdcall
    option casemap :none              ; case sensitive

    include windows.inc
    include kernel32.inc
    include user32.inc
    includelib kernel32.lib
    includelib user32.lib

.data
Flag    dd 0
szRight db 'Flag Value is right!',0
szWrong db 'Flag Value is wrong!',0
szInfo  db 'Info:',0                  ; terminator was missing in the pasted code

.code
start:
    assume fs: nothing
    ; CALL pushes the address of the next instruction; @MyCode installs that
    ; address as the SEH handler, so everything up to RETN is the handler.
    call @MyCode
    mov ecx, dword ptr [esp+0Ch]      ; ecx = CONTEXT record
    mov ecx, dword ptr [ecx+0B8h]     ; ecx = CONTEXT.Eip (Seh.eip) at the trap
    .if ecx == offset @WrongExceptionEip
        mov Flag, 0
    .else
        mov Flag, 1
    .endif
    xor eax, eax                      ; ExceptionContinueExecution
    retn
@MyCode:
    push dword ptr fs:[0]             ; install the SEH frame
    mov dword ptr fs:[0], esp
    push 397h                         ; set EFLAGS (bit 8 = TF): single-step after the next instruction
    popfd
    cpuid
@RightExceptionEip:                   ; normally Seh.eip should point here
    nop
@WrongExceptionEip:                   ; in a guest system (with VT-x/AMD-V) Seh.eip points here;
                                      ; without VT-x/AMD-V Seh.eip is right. Unlike rdtsc, this
                                      ; problem only appears under VT-x/AMD-V.
    .if Flag == 1
        invoke MessageBoxA, 0, offset szRight, offset szInfo, MB_OK
    .else
        invoke MessageBoxA, 0, offset szWrong, offset szInfo, MB_OK
    .endif
    invoke ExitProcess, 0
end start

Issue History
Date Modified Username Field Change
2015-10-01 18:52 pausebreak7 New Issue
2015-10-01 18:52 pausebreak7 File Added: detect.png
2015-10-01 19:05 pausebreak7 Note Added: 0000875
2015-10-01 19:43 pausebreak7 Note Added: 0000876
2016-02-29 11:30 Carter Greatshow Issue cloned: 0000444