Index
> Tutorials and Examples > AOXXXGoto page Previous 1, 2, 3, 4 |
| Author |
|
|
Mat-Quasar 25 Apr 2025, 14:12
Noted with thanks, macomics and revolution, I always learn something new on this message board.
The link of Solution #9 Flare-On 2021 has changed again, because now Mandiant is part of Google, the new link for the PDF is: https://services.google.com/fh/files/misc/challenge-9-evil-en.pdf In Page 6 of the said PDF, there is mention of IsTooSlow anti-debugging technique (see screenshot, or click the link above for softcopy) Other anti-debugging technique mentioned are: Quote: • IsDebuggerPresent
|
||||||||||||||||||||
25 Apr 2025, 14:12 |
|
|||||||||||||||||||
|
revolution 25 Apr 2025, 14:18
"anything over two seconds constitutes ..." any type of delay, which could be a debugger, or any of a multitude of reasons that an application isn't given a time slice to run.
|
|||
|
25 Apr 2025, 14:18 |
|
|
revolution 25 Apr 2025, 14:21
Code: invoke GetTickCount mov ebx,eax invoke GetTickCount sub eax,ebx ; what is the maximum possible value here? Is it always zero? One? Can it be infinity? |
|||
|
25 Apr 2025, 14:21 |
|
|
Mat-Quasar 25 Apr 2025, 14:56
revolution wrote:
revolution you are viewing it from the perspective of an author of operating system, but malware actor / author views are more limited, I guess.  |
|||
|
25 Apr 2025, 14:56 |
|
|
macomics 25 Apr 2025, 15:22
Mat-Quasar wrote: revolution you are viewing it from the perspective of an author of operating system, but malware actor / author views are more limited, I guess. Just "from the perspective of an author of operating system" more limited than "malware actor / author views". The former solve issues on a general level without paying attention to specific implementations and workarounds. The latter are just looking for vulnerabilities in the code of the former and are building more sophisticated solutions. But even in the example Code: invoke GetTickCount mov ebx,eax invoke GetTickCount sub eax,ebx ; what is the maximum possible value here? Is it always zero? One? Can it be infinity? 1) The code is executed without interruption and will be 0 in eax. 2) There was an interruption between two calls to the GetTickCount function to increment the counter of this function, and eax will be 1. But there are no guarantees within the framework of the user program code that the code will regain control after an interruption. Anything can happen, which is why the interrupt will not resume the program immediately and the eax value will be greater than 1 (but, as a rule, no more than 10 due to the system timer resolution settings). Although even this is not guaranteed. Let's say that after the interruption, the reboot command started and all processes began to be destroyed. Your process may not be the first to be resumed. However the system will try to resume your process as soon as possible so that it finishes the interrupted handler and reaches the message processing cycle. There will already be a message waiting with a question about restarting the computer. This way the program can prevent a reboot. |
|||
|
25 Apr 2025, 15:22 |
|
|
Mat-Quasar 25 Apr 2025, 15:48
I run an experiment, and you're right, macomics that the scenario #1 is 0, even if it is in milliseconds.
Modern CPU is fast enough. I hope nothing wrong in my experimental code below: Code: format PE console entry start include 'win32a.inc' section '.data' data readable writable buf rb 10 db 0 fmt db '%d' len dd ? dummy dd ? section '.code' code readable executable start: call [GetTickCount] mov ebx, eax call [GetTickCount] sub eax, ebx push eax push fmt push buf call [wsprintf] add esp, 12 mov dword [len], eax push -11 call [GetStdHandle] push 0 push dummy push dword [len] push buf push eax call [WriteConsole] push 0 call [ExitProcess] section '.idata' import readable writable library kernel32, 'KERNEL32.DLL',\ user32, 'USER32.DLL' import kernel32,\ GetStdHandle, 'GetStdHandle', \ WriteConsole, 'WriteConsoleA', \ GetTickCount, 'GetTickCount', \ ExitProcess,'ExitProcess' import user32,\ wsprintf, 'wsprintfA' |
|||
|
25 Apr 2025, 15:48 |
|
|
Mat-Quasar 25 Apr 2025, 16:24
Mat-Quasar wrote: Modern CPU is fast enough. From my web search: Quote:
I don't know how many instructions are there in GetTickCount Win32 API, but certainly not many, since it took less than 1 ms to execute. My CPU is 1.7GHz, so can process 1.7 billion instructions per second! |
|||
|
25 Apr 2025, 16:24 |
|
|
macomics 25 Apr 2025, 17:31
1.7 billion cycle <> instructions. Even nop.
Try Code: invoke QueryPerformanceFrequency, addr [freq] invoke QueryPerformanceCounter, addr [start] mov ecx, 1700000000 @@: loop @b ; 1 instruction in a loop invoke QueryPerformanceCounter, addr [ends] mov rax, [ends] sub rax, [start] cqo div [freq] |
|||
|
25 Apr 2025, 17:31 |
|
|
macomics 25 Apr 2025, 19:18
The full code is based on your previous testing program via GetTickCount.
Code: format PE console entry start include 'win32a.inc' section '.data' data readable writable buf rb 100 db 0 fmt db '%d', 0 len dd ? dummy dd ? freq dq ? start_tick dq ? ends_tick dq ? section '.code' code readable executable start: mov ecx, 100000000 ; Heat loop @@: loop @b push freq call [QueryPerformanceFrequency] push start_tick call [QueryPerformanceCounter] mov ecx, 1700000000 ; your CPU frequency (cycles) ; mov ecx, dword [freq] @@: loop @b push ends_tick call [QueryPerformanceCounter] mov eax, dword [ends_tick + 0] mov edx, dword [ends_tick + 4] sub eax, dword [start_tick + 0] sbb edx, dword [start_tick + 4] jnz @f ; mov ecx, 1000 ; more precise (up to one thousandth) ; mul ecx div dword [freq] @@: push eax push fmt push buf call [wsprintf] add esp, 12 mov dword [len], eax push -11 call [GetStdHandle] push 0 push dummy push dword [len] push buf push eax call [WriteConsole] push 0 call [ExitProcess] section '.idata' import readable writable library kernel32, 'KERNEL32.DLL',\ user32, 'USER32.DLL' import kernel32,\ GetStdHandle, 'GetStdHandle', \ WriteConsole, 'WriteConsoleA', \ GetTickCount, 'GetTickCount', \ ExitProcess, 'ExitProcess',\ QueryPerformanceCounter, 'QueryPerformanceCounter',\ QueryPerformanceFrequency, 'QueryPerformanceFrequency' import user32,\ wsprintf, 'wsprintfA' |
|||
|
25 Apr 2025, 19:18 |
|
|
revolution 25 Apr 2025, 22:14
macomics wrote: However the system will try to resume your process as soon as possible so that it finishes the interrupted handler ... |
|||
|
25 Apr 2025, 22:14 |
|
|
Mat-Quasar 26 Apr 2025, 06:13
macomics wrote: The full code is based on your previous testing program via GetTickCount. I got the value "4" printed. Does that mean "LOOP" command take 4 CPU cycles, or what does that mean? ADD: This will show "5": Code: @@:
nop
loop @b |
|||
|
26 Apr 2025, 06:13 |
|
|
macomics 26 Apr 2025, 06:21
revolution wrote: "The system" is the OS. A multi-tasking OS gives no guarantee about timing. You can get any value, 0, 1, 123, 2^31-1, etc. "The system" does what it wants, a user program has no control over it, and no way to force it to behave in any specific way. Mat-Quasar wrote: I got the value "4" printed. Does that mean "LOOP" command take 4 CPU cycles, or what does that mean? In 4 seconds, in addition to running your program, a bunch of other events happen that can push your program. The timer increment event for GetTickCount is triggered at least 4000 times. Keyboard or mouse events also affect this indicator. |
|||
|
26 Apr 2025, 06:21 |
|
|
Furs 26 Apr 2025, 20:53
Mat-Quasar wrote: I don't know how many instructions are there in GetTickCount Win32 API, but certainly not many, since it took less than 1 ms to execute. My CPU is 1.7GHz, so can process 1.7 billion instructions per second! |
|||
|
26 Apr 2025, 20:53 |
|
|
Ali.Z 27 Apr 2025, 09:34
earlier i posted a message and deleted it as i dont remember the link to the source (probably somewhere in msdn)
i mentioned that QPC has some overhead, and it is advised to calculate that overhead and subtract it from your final time. ~ Mat-Quasar wrote:
not really, in addition to what others said, not all instructions take 1 cycle to fetch, decode and execute, some can take more than 100 cycles, and some cannot be paralleled; and some like cpuid will force out of order execution to be disabled when when decoder realize it is cpuid, and cpu must finish everything it is doing in order to execute cpuid and then go back to normal. (not really everything tho, but at least a lot) some instructions have similar effects too like fence instructions, but iirc not like cpuid. _________________ Asm For Wise Humans |
|||
|
27 Apr 2025, 09:34 |
|
|
revolution 27 Apr 2025, 09:50
Ali.Z wrote: earlier i posted a message and deleted it as i dont remember the link to the source (probably somewhere in msdn) But don't accept that first value as the truth, run the calibration in a loop and use the lowest measured value. This can help the code to avoid errant values due to other processes and system activities that cause the random delays. |
|||
|
27 Apr 2025, 09:50 |
|
|
avcaballero 03 May 2025, 10:55
Hello. I haven't been able to read all the recent posts yet, which seem very interesting. Sorry about that. I'll look at them carefully when I can.
The reason for my post today was about an interesting tunneling effect that I managed to translate into C. I've replaced lines with stars. The original code is here: http://codepen.io/nicksheffield/pen/azqQVW . Here an interesting song recently discovered by me. The setting is about a man in a hospital who reviews his life and decides to apologize to his wife. https://youtu.be/pr3wlOkRHBg
_________________ Siempre aprendiendo Last edited by avcaballero on 03 May 2025, 10:58; edited 1 time in total |
|||||||||||
|
03 May 2025, 10:55 |
|
|
avcaballero 03 May 2025, 10:56
Opps, sorry, this should have gone in the "AOXXX" thread.
|
|||
|
03 May 2025, 10:56 |
|
| Goto page Previous 1, 2, 3, 4 < Last Thread | Next Thread > |
Forum Rules:
|