Analysis of Techniques Against Heuristic Code-Emulation Detection (2)
, for example an operation that opens a file like this, though I have not tested this approach myself:

mov ax, 3D02h ; 0x3D02 is the key
add ax, key
int 21h

1 Anti-tracing with the instruction prefetch queue:
Early processors such as the 386 and 486 used an instruction prefetch queue (PIQ) to speed up code execution. The essence of this technique is that by the time the CPU is about to execute an instruction, it has already read that instruction into its internal cache (the queue), so a modification made to it just beforehand no longer has any effect on the CPU. Let's look at an example:
mov word ptr cs:[offset piq], 20CDh
piq:
nop
nop

You would expect this program to terminate, because the two one-byte nop instructions are overwritten with int 20h (translator's note: int 20h is the return-to-DOS call). But on a 386 or 486 that is not what happens, because the nop instructions are already in the CPU's queue. Run on a Pentium/Pentium II, however, the instruction really is overwritten and the program exits after execution.
If you want to use this property against heuristic detection, you must know that in the 386/486 era this was a widespread anti-heuristic trick. But as AVs improved, they added support for the prefetch queue to their emulators. Isn't that odd: what they emulate no longer exists in current processors. Look again at the example above; this is what we use against them. On a Pentium or higher, as I said, the program terminates, because those processors do not show the PIQ effect. But most AVs will go on to execute the two nops, because they emulate the PIQ. So we do this instead:
mov word ptr [offset prefetch], 06C7h
prefetch:
int 20h
dw offset decrypt_key
dw key

The int 20h instruction is overwritten; what replaces it is the following instruction:

mov word ptr [decrypt_key], key

Because of its PIQ model, the AV will end the program's execution. In reality our program keeps running and stores the key into our decryption routine. We have only one problem: this code only works on a Pentium or higher. To make it compatible with the 486 and earlier, we just have to clear the PIQ between those two instructions.
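As an added defender-side example (not code from the original tutorial), the following Python models the two PIQ-dependent sequences above with a tiny subset emulator: run with a modelled queue the trace matches what the text says an AV emulator sees, run without it the trace matches the Pentium behaviour, and any write landing inside the writer's own prefetch window is flagged. The byte encodings, the 16-byte window, decrypt_key at 0200h and key = 1234h are constructed assumptions.

```python
import struct

# Added example, not the tutorial's code: models only the opcodes the two
# sequences use (2E prefix, C7 06 d16 i16, CD i8, 90) with/without a PIQ.
WINDOW = 16  # bytes a 386 queue may already hold; also the detector's radius

def run(code, org=0x100, piq_len=0, max_steps=64):
    """Return (reason, trace, flagged). piq_len=0: a write hits the instruction
    stream at once (Pentium behaviour per the text). piq_len>0: the CPU keeps
    executing bytes it already queued (386/486, emulators modelling the PIQ)."""
    mem = bytearray(0x10000)
    mem[org:org + len(code)] = code
    ip, queue, qbase, trace, flagged = org, b"", org, [], []
    for _ in range(max_steps):
        if piq_len and not (qbase <= ip < qbase + len(queue)):
            queue, qbase = bytes(mem[ip:ip + piq_len]), ip      # refill the queue
        def fetch(at, n):   # serve from the stale queue while it covers the bytes
            if piq_len and qbase <= at and at + n <= qbase + len(queue):
                return queue[at - qbase:at - qbase + n]
            return bytes(mem[at:at + n])
        start = ip
        op = fetch(ip, 1)[0]; ip += 1
        if op == 0x2E:                                  # cs: override, DS == CS
            op = fetch(ip, 1)[0]; ip += 1
        if op == 0x90:
            trace.append((start, "nop"))
        elif op == 0xCD:
            vec = fetch(ip, 1)[0]; ip += 1
            trace.append((start, f"int {vec:02X}h"))
            if vec == 0x20:
                return "exit", trace, flagged            # int 20h: back to DOS
        elif op == 0xC7 and fetch(ip, 1)[0] == 0x06:
            disp, imm = struct.unpack("<HH", fetch(ip + 1, 4)); ip += 5
            trace.append((start, f"mov word [{disp:04X}h], {imm:04X}h"))
            mem[disp:disp + 2] = struct.pack("<H", imm)
            if disp + 1 >= ip and disp < ip + WINDOW:    # self-modifies just ahead
                flagged.append((start, disp))
        else:
            return "unsupported", trace, flagged
    return "steps", trace, flagged

def piq_sensitive(code, org=0x100):
    """Defender view: traces differ => behaviour depends on PIQ modelling."""
    real, queued = run(code, org, 0), run(code, org, WINDOW)
    return real[1] != queued[1], real[2]

# Constructed encodings loaded at 0100h (decrypt_key=0200h, key=1234h, int 20h exit).
NOP_TRICK = bytes.fromhex("2EC7060701CD20" "9090" "CD20")
KEY_TRICK = bytes.fromhex("C7060601C706" "CD20" "0002" "3412" "CD20")
```

A detector only needs the flagged list: an instruction that writes within a few bytes ahead of its own address is the signature of both sequences, whichever way the emulator treats the queue.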
Nothing could be simpler! You should know, of course, that every jump-type instruction (jmp, call, loop, int, ...) clears the PIQ (which is what you need if you want to go this way). But we cannot simply put a JMP SHORT $+2 between the two instructions: it would clear the PIQ as intended, but a code emulator will notice it.

But we can use a special CPU feature, the trap flag. If this flag is set, every instruction executed afterwards triggers an int 1 call, and remember that this clears the PIQ. Normally, when no debugger is running, interrupt vector 1 points to a plain IRET, so we can use it without any problem. In any case it is a good idea to clear the trap flag again afterwards. The code below runs on any processor (it assumes DS = CS).
pushf ;flags on the stack
pop ax ;flags from stack into AX
or ax, 100000000b ;set trap flag
push ax ;put the modified flags in AX back...
popf ;into the flag register via the stack
mov word ptr [offset prefetch], 06C7h ;modify the following instruction
prefetch: ;here gets int1 called => clears PIQ
int 20h ;This is never executed
dw offset decrypt_key ;where we want to write our key to
dw key ;the actual decryption key
pushf ;clear the trap flag again with
pop ax ;the same method as above.
xor ax, 100000000b ;will also fool some debuggers
push ax
popf
mov word ptr [offset prefetch], 20CDh ;restore the int20h (next generations)