
KUSER_SHARED_DATA time checks

Open ghost opened this issue 6 years ago • 4 comments

Please add this check.

ghost avatar Apr 09 '19 18:04 ghost

Hello,

This trick is already implemented here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SharedUserData_KernelDebugger.cpp

If you mean something else, feel free to open the issue again.

ayoubfaouzi avatar Apr 28 '19 00:04 ayoubfaouzi

Ah, seems the time checks, I thought the debugger check, sorry.

ayoubfaouzi avatar Apr 28 '19 00:04 ayoubfaouzi

@LordNoteworthy yes

dererror33 avatar Apr 28 '19 00:04 dererror33

@lurumdare It is the same as GetTickCount and is already used in this project as a generic way to detect if time was accelerated. The other usage can be like in the Upatre trojan -> https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/. Pure usage, for example how many ticks between two instructions, is a false-positive generator.

Please elaborate yourself.

hfiref0x avatar May 01 '19 05:05 hfiref0x