

[REFACT] Moved instrumentation of CPUID into a separate function with…
…in AntiVm
hasherezade committed Aug 23, 2024
1 parent 35bf51a commit dddd88e
Showing 3 changed files with 94 additions and 90 deletions.
129 changes: 92 additions & 37 deletions AntiVm.cpp
Expand Up @@ -225,43 +225,43 @@ namespace AntiVm {
std::map<THREADID, ADDRINT> cpuidThreads;
}; //namespace AntiVm

VOID AntiVm::CpuidCheck(CONTEXT* ctxt, THREADID tid)

namespace AntiVm
{
PinLocker locker;
VOID CpuidCheck(CONTEXT* ctxt, THREADID tid)
{
PinLocker locker;

const ADDRINT Address = (ADDRINT)PIN_GetContextReg(ctxt, REG_INST_PTR);
const ADDRINT Address = (ADDRINT)PIN_GetContextReg(ctxt, REG_INST_PTR);

const WatchedType wType = isWatchedAddress(Address);
if (wType == WatchedType::NOT_WATCHED) return;
const WatchedType wType = isWatchedAddress(Address);
if (wType == WatchedType::NOT_WATCHED) return;

ADDRINT opId = (ADDRINT)PIN_GetContextReg(ctxt, REG_GAX);
cpuidThreads[tid] = opId;
if (opId == 0x0) {
return LogAntiVm(wType, Address, "CPUID - vendor check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x1) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor bit check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x80000002 || opId == 0x80000003 || opId == 0x80000004) {
return LogAntiVm(wType, Address, "CPUID - brand check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x40000000) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor vendor check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x40000002) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor system identity");
}
if (opId == 0x40000003) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor feature identification");
ADDRINT opId = (ADDRINT)PIN_GetContextReg(ctxt, REG_GAX);
cpuidThreads[tid] = opId;
if (opId == 0x0) {
return LogAntiVm(wType, Address, "CPUID - vendor check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x1) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor bit check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x80000002 || opId == 0x80000003 || opId == 0x80000004) {
return LogAntiVm(wType, Address, "CPUID - brand check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x40000000) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor vendor check",
"https://unprotect.it/technique/cpuid/");
}
if (opId == 0x40000002) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor system identity");
}
if (opId == 0x40000003) {
return LogAntiVm(wType, Address, "CPUID - HyperVisor feature identification");
}
}
}

namespace AntiVm
{

BOOL _AlterCpuidValue(CONTEXT* ctxt, THREADID tid, const REG reg, ADDRINT& regVal)
{
Expand Down Expand Up @@ -365,15 +365,70 @@ namespace AntiVm
return isSet;
}

ADDRINT AlterCpuidValue(CONTEXT* ctxt, THREADID tid, const REG reg)
{
PinLocker locker;
ADDRINT regVal = PIN_GetContextReg(ctxt, reg);
_AlterCpuidValue(ctxt, tid, reg, regVal);
return regVal;
}

}; //namespace AntiVm


ADDRINT AntiVm::AlterCpuidValue(CONTEXT* ctxt, THREADID tid, const REG reg)
VOID AntiVm::InstrumentCPUIDCheck(INS ins)
{
PinLocker locker;
ADDRINT regVal = PIN_GetContextReg(ctxt, reg);
_AlterCpuidValue(ctxt, tid, reg, regVal);
return regVal;
INS_InsertCall(
ins,
IPOINT_BEFORE, (AFUNPTR)AntiVm::CpuidCheck,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GAX,
IARG_RETURN_REGS,
REG_GAX,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GBX,
IARG_RETURN_REGS,
REG_GBX,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GCX,
IARG_RETURN_REGS,
REG_GCX,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GDX,
IARG_RETURN_REGS,
REG_GDX,
IARG_END
);
}

//---
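Review bot: `InstrumentCPUIDCheck` installs the CPUID hooks on whatever `INS` it receives without checking the opcode itself, so correctness now rests on the caller in TinyTracer.cpp (`InstrumentInstruction`, whose enclosing condition lies outside that hunk) having already filtered for CPUID — presumably it does, but the function no longer makes that visible. A comment on the definition, and on the new declaration in AntiVm.h, would make the contract explicit: `// Precondition: ins is a CPUID instruction; the caller performs the opcode check.` As a matter of style, the four `IPOINT_AFTER` insertions differ only in the register passed to `IARG_UINT32` and `IARG_RETURN_REGS`, so a loop over the four output registers removes the repetition and makes it obvious that GAX/GBX/GCX/GDX are all covered.
```cpp
VOID AntiVm::InstrumentCPUIDCheck(INS ins)
{
    // Precondition: ins is a CPUID instruction; the caller performs the opcode check.
    // … unchanged: IPOINT_BEFORE insertion of AntiVm::CpuidCheck …

    // One IPOINT_AFTER hook per CPUID output register: AlterCpuidValue returns the
    // (possibly rewritten) value and Pin writes it back through IARG_RETURN_REGS.
    const REG outRegs[] = { REG_GAX, REG_GBX, REG_GCX, REG_GDX };
    for (const REG reg : outRegs) {
        INS_InsertCall(
            ins,
            IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
            IARG_CONTEXT,
            IARG_THREAD_ID,
            IARG_UINT32, reg,
            IARG_RETURN_REGS, reg,
            IARG_END
        );
    }
}
```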
3 changes: 1 addition & 2 deletions AntiVm.h
Expand Up @@ -20,6 +20,5 @@ namespace AntiVm {
VOID MonitorAntiVmFunctions(IMG Image);
VOID MonitorSyscallEntry(THREADID tid, const CHAR* name, const CONTEXT* ctxt, SYSCALL_STANDARD std, const ADDRINT Address);
VOID MonitorSyscallExit(THREADID tid, const CHAR* name, const CONTEXT* ctxt, SYSCALL_STANDARD std, const ADDRINT Address);
VOID CpuidCheck(CONTEXT* ctxt, THREADID tid);
ADDRINT AlterCpuidValue(CONTEXT* ctxt, THREADID tid, const REG reg);
VOID InstrumentCPUIDCheck(INS ins);
};
52 changes: 1 addition & 51 deletions TinyTracer.cpp
Expand Up @@ -865,57 +865,7 @@ VOID InstrumentInstruction(INS ins, VOID *v)
#ifdef USE_ANTIVM
// ANTIVM: Register Function instrumentation needed for AntiVm
if (m_Settings.antivm != WATCH_DISABLED) {
INS_InsertCall(
ins,
IPOINT_BEFORE, (AFUNPTR)AntiVm::CpuidCheck,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GAX,
IARG_RETURN_REGS,
REG_GAX,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GBX,
IARG_RETURN_REGS,
REG_GBX,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GCX,
IARG_RETURN_REGS,
REG_GCX,
IARG_END
);

INS_InsertCall(
ins,
IPOINT_AFTER, (AFUNPTR)AntiVm::AlterCpuidValue,
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_UINT32, REG_GDX,
IARG_RETURN_REGS,
REG_GDX,
IARG_END
);
AntiVm::InstrumentCPUIDCheck(ins);
}
#endif
}
