Bug for Trap Flag simulation #69
Closed
Description
When I added debugger and VM protection with VMProtect and set EMULATE_SINGLE_STEP=True:

```
ANTIDEBUG=1
ANTIVM=0
EMULATE_HYPERV=False
EMULATE_SINGLE_STEP=True
```

I found that a VM was detected.

It was strange because I was not running in a VM. To figure out why this happened, I looked at the leaked source code of VMProtect and found a detection as shown below. https://github.com/jmpoep/vmprotect-3.5.1/blob/master/runtime/loader.cc#L2514

This is a common VM detection. https://howtohypervise.blogspot.com/2019/01/a-common-missight-in-most-hypervisors.html
I wrote code to verify whether tiny_tracer passed this test.
```cpp
#include <windows.h>   // SEH, GetExceptionInformation, EXCEPTION_EXECUTE_HANDLER
#include <intrin.h>    // __readeflags, __writeeflags, __nop (MSVC intrinsics)
#include <cstdint>
#include <cstdio>

int main()
{
    uint8_t mem_val = 0;
    __try
    {
        // set T flag: the single-step trap is taken after the instruction that
        // follows the popf, so ExceptionAddress should land on the second nop
        __writeeflags(__readeflags() | 0x100);
        __nop();
        __nop();
        // reached only if no single-step exception was delivered at all
        printf("Debugger Found\n");
    }
    __except (mem_val = *static_cast<uint8_t*>((GetExceptionInformation())->ExceptionRecord->ExceptionAddress), EXCEPTION_EXECUTE_HANDLER)
    {
        // on real hardware the byte at the reported address is a nop (0x90)
        if (mem_val != 0x90)
        {
            printf("Virtual Machine Found\n");
            printf("mem_val:0x%x\n", mem_val);
        }
    }
    printf("Check done\n");
    return 0;
}
```
Unfortunately tiny_tracer had an error when simulating the Trap Flag.
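To make the semantics the check above depends on explicit, here is an added, portable model of how the x86 trap flag is supposed to behave when it is loaded by POPF, written for this write-up and not taken from tiny_tracer, Pin or VMProtect. Per the Intel SDM, a POPF that sets TF does not trap immediately: the single-step #DB is taken after the instruction following the POPF, so the exception address points at the instruction after that one (the second nop in the report). The instruction stream, its addresses and the four emulator policies are constructed for illustration; `first_trap_address` and `verdict` are hypothetical helper names.

```cpp
// Added example: a model of single-step (EFLAGS.TF) delivery, used to show
// which emulation mistakes the nop/nop check in the report would flag.
// Instruction stream and addresses below are constructed, not real code.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Insn {
    uint64_t addr;     // constructed virtual address of the instruction
    uint8_t  opcode;   // first opcode byte; 0x90 is nop
    bool     sets_tf;  // true for the popfq emitted by __writeeflags
};

// How an emulator might choose to deliver the single-step trap:
//   Architectural: after the instruction following popf (Intel SDM behaviour)
//   Immediate:     right after popf itself (one instruction too early)
//   Late:          one instruction later than the architecture requires
//   Never:         TF ignored entirely
enum class TrapPolicy { Architectural, Immediate, Late, Never };

// Returns the address an exception handler would see as ExceptionAddress for
// the first #DB trap, or 0 if the stream runs to the end without a trap.
uint64_t first_trap_address(const std::vector<Insn>& stream, TrapPolicy policy) {
    int executed_after_popf = -1;  // -1 until TF has been set
    for (size_t i = 0; i < stream.size(); ++i) {
        const Insn& in = stream[i];
        uint64_t next = (i + 1 < stream.size()) ? stream[i + 1].addr : in.addr + 1;
        if (in.sets_tf) {
            executed_after_popf = 0;
        } else if (executed_after_popf >= 0) {
            ++executed_after_popf;
        }
        if (executed_after_popf < 0 || policy == TrapPolicy::Never) continue;
        int needed = (policy == TrapPolicy::Immediate) ? 0
                   : (policy == TrapPolicy::Architectural) ? 1 : 2;
        if (executed_after_popf == needed) return next;  // trap reported at next RIP
    }
    return 0;
}

// Mirrors the decision in the reported check: no trap means a debugger is
// assumed, a trap whose address does not hold 0x90 means a VM is assumed.
std::string verdict(const std::vector<Insn>& stream, TrapPolicy policy) {
    uint64_t at = first_trap_address(stream, policy);
    if (at == 0) return "Debugger Found";
    for (const Insn& in : stream) {
        if (in.addr == at) return (in.opcode == 0x90) ? "OK" : "Virtual Machine Found";
    }
    return "Virtual Machine Found";  // trap outside the known stream
}

// Constructed stream shaped like the check: popfq, nop, nop, then a call.
std::vector<Insn> sample_stream() {
    return {
        {0x401000, 0x9D, true},   // popfq (from __writeeflags, sets TF)
        {0x401001, 0x90, false},  // nop
        {0x401002, 0x90, false},  // nop
        {0x401003, 0xE8, false},  // call printf("Debugger Found")
    };
}

int main() {
    const TrapPolicy policies[] = {TrapPolicy::Architectural, TrapPolicy::Immediate,
                                   TrapPolicy::Late, TrapPolicy::Never};
    const char* names[] = {"architectural", "immediate", "late", "never"};
    for (int i = 0; i < 4; ++i) {
        printf("%-14s trap at 0x%llx -> %s\n", names[i],
               (unsigned long long)first_trap_address(sample_stream(), policies[i]),
               verdict(sample_stream(), policies[i]).c_str());
    }
    return 0;
}
```

Running the model shows why the check is written with two nops: an emulator that traps one instruction too early still lands on a nop and passes, whereas one that honours TF an instruction late reports an address inside the following call and is classified as a VM, and one that never raises the trap falls through to "Debugger Found". An emulator that wants to survive this check therefore has to deliver the #DB exactly one instruction after the popf that set TF.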
