Flag: Tornado! Hurricane!


Technique Name Category Analysis By Download Added On Last Updated
Obfuscated RDTSC Debugging pedram obfuscated_rdtsc.zip March 11 2006
Description:
Borrowing from "shellcode" fundamentals, this technique abuses an RDTSC instruction found within the Windows DLL NTDLL.DLL function ReleaseBufferLocation(). By utilizing a pre-existing RDTSC instruction we can avoid detection from simple binary scans for the RDTSC (\x0F\x31) byte sequence. Here is the discovered RDTSC instruction from Windows XP SP2:


WINXPSP2.NTDLL.ReleaseBufferLocation():
    .text:7C973215     mov ecx, [eax+4]                 // we *could* jump as high as this point
    .text:7C973218     add ecx, eax
    .text:7C97321A     mov dword ptr [ecx], 0C0100001h
--->.text:7C973220     rdtsc                            // ecx should point to the caller stack
    .text:7C973222     mov [ecx+8], eax                 // save the low dword
    .text:7C973225     mov [ecx+0Ch], edx               // save the high dword
    .text:7C973228
    .text:7C973228 loc_7C973228:
    .text:7C973228     add esi, 0Ch
    .text:7C97322B     or  eax, 0FFFFFFFFh
    .text:7C97322E     lock xadd [esi], eax             // esi must point to writeable memory
    .text:7C973232     mov eax, offset _WmipLoggerCount
    .text:7C973237     or  ecx, 0FFFFFFFFh
    .text:7C97323A     lock xadd [eax], ecx
    .text:7C97323E     pop esi                          // esi gets blows away, save/restore if needed
    .text:7C97323F     pop ebp                          // ebp gets blown away, save/restore in caller
    .text:7C973240     retn 4                           // need to pad two DWORDS for RET address


In my brief search through the system DLLs for a suitable RDTSC instruction followed by a retn, the above (legitimate, ie: a real instruction and not just a byte match) example was the only one I found. There may be others, it's been a while since I've looked at this, so I forget where I even scanned.

To abuse the above sequence, we craft and call the following function:


int obfuscated_rdtsc (void)
{
    int stack_space[32];
    
    __asm
    {
            jmp __end
        __begin:
            pop ebx
            mov ecx, esp
            add ecx, 4
            mov esi, esp
            add esi, 0x10
            push ebp
            push 1
            push ebx
            push 2
            push 3
            mov eax, 0x7c973220
            jmp eax
        __end:
            call __begin
            pop ebp
    }

return stack_space[0];
}


A compiled example and source code is available in the obfuscated_rdtsc.zip archive. Note that the sample threshold values I use were just for experimentation and will need to modified to something sane (that won't false positive).

There are 31,056 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit