Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KUSER_SHARED_DATA time checks #168

Open
ghost opened this issue Apr 9, 2019 · 4 comments
Open

KUSER_SHARED_DATA time checks #168

ghost opened this issue Apr 9, 2019 · 4 comments
Labels
enhancement

Comments

@ghost
Copy link

ghost commented Apr 9, 2019

Add please this check.
@LordNoteworthy
Copy link
Owner

Hello,

This trick is already implemented here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SharedUserData_KernelDebugger.cpp

If you mean something else, feel free to open the issue again.

@LordNoteworthy
Copy link
Owner

ah seems the time checks, I taught the debugger check, sorry.

@ghost
Copy link
Author

ghost commented Apr 28, 2019

@LordNoteworthy yes

@hfiref0x
Copy link
Contributor

hfiref0x commented May 1, 2019

@lurumdare
It is the the same as GetTickCount and already used in this project as generic detect if time was accelerated. The other usage can be like in Upatre trojan -> https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/. Pure usage, for example how many ticks between two instructions, is false-positive generator.

Please elaborate yourself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LordNoteworthy @gsuberland @hfiref0x