rdtsc compensation for cpuid call
rdtsc compensation for cpuid call
CPUID inside VirtualBox takes around 6000-8000 cycles while on hardware it takes 100-200. Is there any way, a settings perhaps that can just compensate value returned by RDTSC to make it seem like cpuid took less cycles than it actually did?
-
michaln
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: rdtsc compensation for cpuid call
What problem would that solve?
Re: rdtsc compensation for cpuid call
It would help pass VMProtect check for execution inside VM.
-
socratis
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: rdtsc compensation for cpuid call
Are you seriously asking for a method to bypass legitimate software protection mechanisms?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Re: rdtsc compensation for cpuid call
Well, yes. What if a malware use this trick? Or what if a malware is protected by VMProtect?
-
socratis
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: rdtsc compensation for cpuid call
There are a lot of techniques to identify if a program runs in a virtual machine or not. Even if you get that fixed (which I don't think you can), you're going to be facing more detection techniques.
A malware protected by a legitimate protection software? That would be a first...
A malware protected by a legitimate protection software? That would be a first...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
-
michaln
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: rdtsc compensation for cpuid call
If you're asking for software that doesn't refuse to run in a VM, you need to ask the vendor of that software, not Oracle.igor_ver wrote:It would help pass VMProtect check for execution inside VM.
Re: rdtsc compensation for cpuid call
Found this: github . com / vektort13 / antiRTSC
The commands executed:
The commands executed:
Hope this helps someoneVBoxManage setextradata "mage.dev" VBoxInternal/TM/TSCMode RealTSCOffset
VBoxManage setextradata "mage.dev" VBoxInternal/CPUM/SSE4.1 1
VBoxManage setextradata "mage.dev" VBoxInternal/CPUM/SSE4.2 1