Ether Guest Time Call Issues
50 views
Skip to first unread message
Nick Brewer
Jul 11, 2012, 6:04:13 PM7/11/12
to ether...@googlegroups.com
Hello, I've been studying Themida protected programs with my research group and am hoping to clear up some issues surrounding how Ether handles guest time calls.
We've been using Ether to trace programs protected by our copy of Themida (version 2.0.9.0) and viruses protected by an unknown version of Themida. We have verified that version 2.0.9.0 uses calls to Windows API timeGetTime() to detect tracing and we suspect that this unknown version uses the RDTSC instruction. This concerns us because according to the paper published about Ether, "Ether controls the in-guest view of the RDTSC instruction, the APIC timer, the 8254 timer chip, as well as any periodic time-based interrupts and other guest time queries." However both versions of Themida have detected that we are tracing it.
To really test whether Ether was actually attempting to account for it's slowing of program execution we wrote a simple C program shown below:
#include "stdafx.h"
#include <windows.h>
#include <iostream>
using namespace std;
int main()
{
DWORD x1;
DWORD y1;
DWORD x2;
DWORD y2;
__asm {
rdtsc
mov x1,eax
mov y1,edx
}
cout << "EDX1: " << y1 << endl;
cout << "EAX1: " << x1 << endl;
int a = 500;
int b = 400;
cout << a * b << endl;
__asm {
rdtsc
mov x2,eax
mov y2,edx
}
cout << "EDX2: " << y2 << endl;
cout << "EAX2: " << x2 << endl;
cout << "EDX diff: " << y2 - y1 << endl;
cout << "EAX diff: " << x2 - x1 << endl;
We've been using Ether to trace programs protected by our copy of Themida (version 2.0.9.0) and viruses protected by an unknown version of Themida. We have verified that version 2.0.9.0 uses calls to Windows API timeGetTime() to detect tracing and we suspect that this unknown version uses the RDTSC instruction. This concerns us because according to the paper published about Ether, "Ether controls the in-guest view of the RDTSC instruction, the APIC timer, the 8254 timer chip, as well as any periodic time-based interrupts and other guest time queries." However both versions of Themida have detected that we are tracing it.
To really test whether Ether was actually attempting to account for it's slowing of program execution we wrote a simple C program shown below:
#include "stdafx.h"
#include <windows.h>
#include <iostream>
using namespace std;
int main()
{
DWORD x1;
DWORD y1;
DWORD x2;
DWORD y2;
__asm {
rdtsc
mov x1,eax
mov y1,edx
}
cout << "EDX1: " << y1 << endl;
cout << "EAX1: " << x1 << endl;
int a = 500;
int b = 400;
cout << a * b << endl;
__asm {
rdtsc
mov x2,eax
mov y2,edx
}
cout << "EDX2: " << y2 << endl;
cout << "EAX2: " << x2 << endl;
cout << "EDX diff: " << y2 - y1 << endl;
cout << "EAX diff: " << x2 - x1 << endl;
Nick Brewer
Jul 12, 2012, 2:10:17 PM7/12/12
to ether...@googlegroups.com
Sorry, posted early by accident.
To continue, we ran this program on our Windows XP VM, the output without tracing gave us a diff of 1 clock tick between calls to RDTSC, while the diff with tracing was over 1200.
Can anyone explain this discrepancy, is there perhaps some option when executing ether that we have overlooked?
Thanks,
Nicholas
To continue, we ran this program on our Windows XP VM, the output without tracing gave us a diff of 1 clock tick between calls to RDTSC, while the diff with tracing was over 1200.
Can anyone explain this discrepancy, is there perhaps some option when executing ether that we have overlooked?
Thanks,
Nicholas
Nick Brewer
Jul 12, 2012, 5:40:09 PM7/12/12
to ether...@googlegroups.com
Oh and one last change. It turns out that the version of Themida we've been tinkering with is 2.0.9.10, not 2.0.9.0.
Artem D
Jul 12, 2012, 9:32:17 PM7/12/12
to ether...@googlegroups.com
As i recall in the xen source code, all time should be generated from rdtsc on host and i thought i had made it monotonically increment. Can anyone on this list perhaps shed more light? I am currently traveling and do not have time to look.
Reply all
Reply to author
Forward
0 new messages