HyperDbg Debugger
transparency.cpp File Reference

Measurements for debugger transparency. More...

#include "pch.h"

Functions

unsigned long long TransparentModeRdtscDiffVmexit ()
 get the difference in clock cycles between two rdtsc reads with a cpuid (leaf 0) executed between them
 
unsigned long long TransparentModeRdtscVmexitTracing ()
 get the difference in clock cycles between two consecutive rdtsc reads (the function body on this page executes no cpuid between them)
 
int TransparentModeCpuidTimeStampCounter (UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
 compute the average, standard deviation and median of rdtsc+cpuid+rdtsc
 
int TransparentModeRdtscEmulationDetection (UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
 compute the average, standard deviation and median of rdtsc+rdtsc
 
BOOLEAN TransparentModeCheckHypervisorPresence (UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
 compute the average, standard deviation and median of rdtsc+cpuid+rdtsc
 
BOOLEAN TransparentModeCheckRdtscpVmexit (UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
 compute the average, standard deviation and median of rdtsc+rdtsc
 

Detailed Description

Measurements for debugger transparency.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-07-07

Function Documentation

◆ TransparentModeCheckHypervisorPresence()

BOOLEAN TransparentModeCheckHypervisorPresence ( UINT64 * Average,
UINT64 * StandardDeviation,
UINT64 * Median )

compute the average, standard deviation and median of rdtsc+cpuid+rdtsc

detects the presence of a hypervisor

Parameters
Average: a pointer to save the average on it
StandardDeviation: a pointer to save the standard deviation on it
Median: a pointer to save the median on it
Returns
BOOLEAN: TRUE when TransparentModeCpuidTimeStampCounter() reports a detection, FALSE otherwise
/**
 * @brief Report whether the rdtsc+cpuid+rdtsc timing check flags a hypervisor
 * @details Thin wrapper: the verdict is exactly the return value of
 * TransparentModeCpuidTimeStampCounter(); this function only adds the
 * user-facing message and narrows the result to TRUE/FALSE.
 *
 * @param Average a pointer to save the average on it (forwarded unchanged)
 * @param StandardDeviation a pointer to save the standard deviation on it (forwarded unchanged)
 * @param Median a pointer to save the median on it (forwarded unchanged)
 * @return BOOLEAN TRUE if the timing check reported a detection, FALSE otherwise
 */
BOOLEAN
TransparentModeCheckHypervisorPresence(UINT64 * Average,
                                       UINT64 * StandardDeviation,
                                       UINT64 * Median)
{
    //
    // Handle the "nothing detected" case first; any non-zero result from
    // the timing helper counts as a detection
    //
    if (!TransparentModeCpuidTimeStampCounter(Average, StandardDeviation, Median))
    {
        ShowMessages("hypervisor not detected\n");
        return FALSE;
    }

    ShowMessages("hypervisor detected\n");
    return TRUE;
}
#define TRUE
Definition BasicTypes.h:55
#define FALSE
Definition BasicTypes.h:54
double Median(vector< double > Cases)
get the median of a vector
Definition gaussian-rng.cpp:22
T Average(const vector< T > &vec)
get the average of a vector
Definition gaussian-rng.cpp:53
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96
int TransparentModeCpuidTimeStampCounter(UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
compute the average, standard deviation and median if rdtsc+cpuid+rdtsc
Definition transparency.cpp:109

◆ TransparentModeCheckRdtscpVmexit()

BOOLEAN TransparentModeCheckRdtscpVmexit ( UINT64 * Average,
UINT64 * StandardDeviation,
UINT64 * Median )

compute the average, standard deviation and median of rdtsc+rdtsc

detects the presence of rdtsc/p vm-exits

Parameters
Average: a pointer to save the average on it
StandardDeviation: a pointer to save the standard deviation on it
Median: a pointer to save the median on it
Returns
BOOLEAN: TRUE when rdtsc/p emulation is detected, FALSE otherwise
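/**
 * @brief Report whether the rdtsc+rdtsc timing check flags rdtsc/p emulation
 * @details Thin wrapper that prints the verdict and narrows it to TRUE/FALSE.
 *
 * @param Average a pointer to save the average on it (forwarded unchanged)
 * @param StandardDeviation a pointer to save the standard deviation on it (forwarded unchanged)
 * @param Median a pointer to save the median on it (forwarded unchanged)
 * @return BOOLEAN TRUE if rdtsc/p emulation was detected, FALSE otherwise
 */
BOOLEAN
TransparentModeCheckRdtscpVmexit(UINT64 * Average,
                                 UINT64 * StandardDeviation,
                                 UINT64 * Median)
{
    //
    // Check whether the system emulating rdtsc/p or not
    //
    // NOTE: the rendered listing skipped source line 231 (the numbering
    // jumps from 230 to 232), which left the braces below without a
    // condition. The call is reconstructed from this page's own
    // cross-reference to TransparentModeRdtscEmulationDetection
    // (transparency.cpp:151) -- confirm against the source file.
    //
    if (TransparentModeRdtscEmulationDetection(Average, StandardDeviation, Median))
    {
        ShowMessages("rdtsc/p emulation detected\n");
        return TRUE;
    }
    else
    {
        ShowMessages("rdtsc/p emulation not detected\n");
        return FALSE;
    }
}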
int TransparentModeRdtscEmulationDetection(UINT64 *Average, UINT64 *StandardDeviation, UINT64 *Median)
compute the average, standard deviation and median if rdtsc+rdtsc
Definition transparency.cpp:151

◆ TransparentModeCpuidTimeStampCounter()

int TransparentModeCpuidTimeStampCounter ( UINT64 * Average,
UINT64 * StandardDeviation,
UINT64 * Median )

compute the average, standard deviation and median of rdtsc+cpuid+rdtsc

Parameters
Average: a pointer to save the average on it
StandardDeviation: a pointer to save the standard deviation on it
Median: a pointer to save the median on it
Returns
int: FALSE when the average measured time is greater than 0 and less than 1000 cycles, TRUE otherwise
/**
 * @brief Sample rdtsc+cpuid+rdtsc TestCount times and judge the mean
 * @details Every sample comes from TransparentModeRdtscDiffVmexit(). The
 * statistics are written through the out-pointers only when all three are
 * non-NULL; the return value is computed either way.
 *
 * @param Average a pointer to save the average on it (optional)
 * @param StandardDeviation a pointer to save the standard deviation on it (optional)
 * @param Median a pointer to save the median on it (optional)
 * @return int FALSE when 0 < mean < 1000, TRUE for every other mean
 * (including a mean of exactly 0)
 */
int
TransparentModeCpuidTimeStampCounter(UINT64 * Average,
                                     UINT64 * StandardDeviation,
                                     UINT64 * Median)
{
    vector<double> Samples;
    double         Sum = 0;

    //
    // Collect the raw cycle deltas and keep a running total for the mean
    //
    for (int Round = 0; Round < TestCount; ++Round)
    {
        const double Cycles = (double)TransparentModeRdtscDiffVmexit();

        Samples.push_back(Cycles);
        Sum += Cycles;
    }

    //
    // The statistics are all-or-nothing: one NULL pointer skips the call
    //
    const bool WantStatistics = Average != NULL && StandardDeviation != NULL && Median != NULL;

    if (WantStatistics)
    {
        //
        // Compute the average and variance
        //
        GuassianGenerateRandom(Samples, Average, StandardDeviation, Median);
    }

    //
    // NOTE(review): the verdict rests on the arithmetic mean alone, so a
    // single sample inflated by an interrupt or preemption between the two
    // reads moves it; the median handed back to the caller plays no part
    // in the decision. The 1000-cycle cut-off is a fixed constant --
    // presumably tuned empirically; confirm it on the CPUs of interest.
    //
    const double Mean = Sum / TestCount;

    if (Mean > 0 && Mean < 1000)
    {
        return FALSE;
    }

    return TRUE;
}
VOID GuassianGenerateRandom(vector< double > Data, UINT64 *AverageOfData, UINT64 *StandardDeviationOfData, UINT64 *MedianOfData)
Calculate and generate random gaussian number.
Definition gaussian-rng.cpp:158
#define TestCount
Number of tests for each instruction sets.
Definition transparency.h:23
unsigned long long TransparentModeRdtscDiffVmexit()
get the difference clock cycles between two rdtsc(s)
Definition transparency.cpp:22

◆ TransparentModeRdtscDiffVmexit()

unsigned long long TransparentModeRdtscDiffVmexit ( )

get the difference in clock cycles between two rdtsc reads; the listing below executes cpuid (leaf 0) between them

Returns
unsigned long long
/**
 * @brief Time one cpuid (leaf 0) by reading the time-stamp counter around it
 * @details Sequence is rdtsc, cpuid, rdtsc. The cpuid result is discarded;
 * the instruction is executed only because it forces a vm exit.
 *
 * @return unsigned long long second reading minus first reading, computed
 * in unsigned arithmetic
 */
unsigned long long
TransparentModeRdtscDiffVmexit()
{
    int CpuInfo[4] = {0};

    //
    // First timestamp (Win32 intrinsic). GCC equivalent:
    //   __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
    //   ret = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    //
    const unsigned long long Before = __rdtsc();

    //
    // vm exit forced here. it uses: eax = 0; cpuid;
    // GCC equivalent: __asm__ volatile("cpuid" : /* no output */ : "a"(0x00));
    //
    __cpuid(CpuInfo, 0);

    //
    // Second timestamp, read the same way as the first
    //
    const unsigned long long After = __rdtsc();

    //
    // NOTE(review): nothing visible here pins the thread to one core; if
    // the two reads were taken on cores whose counters differ, the unsigned
    // subtraction could wrap to a very large value -- confirm how callers
    // treat such outliers.
    //
    return After - Before;
}

◆ TransparentModeRdtscEmulationDetection()

int TransparentModeRdtscEmulationDetection ( UINT64 * Average,
UINT64 * StandardDeviation,
UINT64 * Median )

compute the average, standard deviation and median of rdtsc+rdtsc

Parameters
Average: a pointer to save the average on it
StandardDeviation: a pointer to save the standard deviation on it
Median: a pointer to save the median on it
Returns
int: FALSE when the average measured time is greater than 0 and less than 750 cycles, TRUE otherwise
/**
 * @brief Sample rdtsc+rdtsc TestCount times and judge the mean
 * @details Every sample comes from TransparentModeRdtscVmexitTracing(). The
 * statistics are written through the out-pointers only when all three are
 * non-NULL; the return value is computed either way.
 *
 * @param Average a pointer to save the average on it (optional)
 * @param StandardDeviation a pointer to save the standard deviation on it (optional)
 * @param Median a pointer to save the median on it (optional)
 * @return int FALSE when 0 < mean < 750, TRUE for every other mean
 * (including a mean of exactly 0)
 */
int
TransparentModeRdtscEmulationDetection(UINT64 * Average,
                                       UINT64 * StandardDeviation,
                                       UINT64 * Median)
{
    vector<double> Samples;
    double         Sum = 0;

    //
    // Collect the raw cycle deltas and keep a running total for the mean
    //
    for (int Round = 0; Round < TestCount; ++Round)
    {
        const double Cycles = (double)TransparentModeRdtscVmexitTracing();

        Samples.push_back(Cycles);
        Sum += Cycles;
    }

    //
    // The statistics are all-or-nothing: one NULL pointer skips the call
    //
    const bool WantStatistics = Average != NULL && StandardDeviation != NULL && Median != NULL;

    if (WantStatistics)
    {
        //
        // Compute the average and variance
        //
        GuassianGenerateRandom(Samples, Average, StandardDeviation, Median);
    }

    //
    // NOTE(review): as with the cpuid variant, only the arithmetic mean
    // decides the result, so one preempted sample can flip it; the 750-cycle
    // cut-off is a fixed constant -- presumably empirical, confirm per CPU.
    //
    const double Mean = Sum / TestCount;

    if (Mean > 0 && Mean < 750)
    {
        return FALSE;
    }

    return TRUE;
}
unsigned long long TransparentModeRdtscVmexitTracing()
get the difference clock cycles between rdtsc+cpuid+rdtsc
Definition transparency.cpp:70

◆ TransparentModeRdtscVmexitTracing()

unsigned long long TransparentModeRdtscVmexitTracing ( )

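get the difference in clock cycles between two consecutive rdtsc reads (the listing below contains no cpuid, despite the rdtsc+cpuid+rdtsc wording of the original brief)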

Returns
unsigned long long
/**
 * @brief Time two back-to-back reads of the time-stamp counter
 * @details Sequence is rdtsc, rdtsc with nothing in between, so the delta
 * reflects the cost of the rdtsc instruction itself.
 *
 * @return unsigned long long second reading minus first reading, computed
 * in unsigned arithmetic
 */
unsigned long long
TransparentModeRdtscVmexitTracing()
{
    //
    // First timestamp (Win32 intrinsic). GCC equivalent:
    //   __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
    //   ret = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    //
    const unsigned long long Before = __rdtsc();

    //
    // Second timestamp, taken immediately after the first.
    // NOTE(review): rdtsc is not a serializing instruction and no fence
    // separates the two reads, so out-of-order execution may add noise to
    // small deltas -- confirm whether the 750-cycle threshold used by the
    // caller leaves enough margin for that.
    //
    const unsigned long long After = __rdtsc();

    return After - Before;
}