Timing/Delay Checks

From ema
EMA ID: ema-1266
Description: Comparing the time between two points to detect "unusual" execution, such as the relatively massive delays introduced by debugging.
Associated Behavior: debugger detect & evade

Supporting Details:
The check executes RDTSC twice, calculates the difference between the low-order values, and tests it with a CMP instruction. If the difference lies below 0FFFh, no debugger is found; if it is above or equal, the application is being debugged.
GetTickCount is a typical timing function used to measure the time needed to execute some function or instruction set. If the difference is more than a fixed threshold, the process exits.
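For triage, the RDTSC pattern described above can be located in a code section with a simple byte scan. The following is an added example, not part of the original entry; the window sizes, function names, and sample bytes are assumptions constructed for illustration, and because it matches raw bytes rather than disassembling, hits should be confirmed in a disassembler.

```python
import struct

RDTSC = b"\x0f\x31"   # RDTSC opcode
MAX_GAP = 64          # assumed window between the two reads, in bytes
MAX_CMP_DIST = 32     # assumed window from the second read to the CMP

def _cmp_imm32(code, start):
    """First CMP reg, imm32 within MAX_CMP_DIST bytes of start, or None."""
    for i in range(start, min(start + MAX_CMP_DIST, len(code))):
        if code[i] == 0x3D and i + 5 <= len(code):        # CMP EAX, imm32
            return i, struct.unpack_from("<I", code, i + 1)[0]
        if (code[i] == 0x81 and i + 6 <= len(code)
                and code[i + 1] & 0xF8 == 0xF8):          # CMP r32, imm32 (81 /7)
            return i, struct.unpack_from("<I", code, i + 2)[0]
    return None

def find_rdtsc_delta_checks(code):
    """Return (first_rdtsc, second_rdtsc, cmp_offset, threshold) tuples."""
    hits = []
    first = code.find(RDTSC)
    while first != -1:
        # Look for a second timestamp read shortly after the first one.
        second = code.find(RDTSC, first + 2, first + 2 + MAX_GAP + 2)
        if second != -1:
            cmp_hit = _cmp_imm32(code, second + 2)
            if cmp_hit:
                hits.append((first, second, cmp_hit[0], cmp_hit[1]))
        first = code.find(RDTSC, first + 2)
    return hits

# Constructed sample: nop; nop; rdtsc; mov ecx,eax; rdtsc; sub eax,ecx;
# cmp eax,0FFFh; jae +5
SAMPLE = bytes.fromhex("9090" "0f31" "89c1" "0f31" "29c8" "3dff0f0000" "7305")
# Constructed sample with a single timestamp read and no comparison.
BENIGN = bytes.fromhex("90" "0f31" "89c1" "c3")

if __name__ == "__main__":
    for first, second, cmp_off, threshold in find_rdtsc_delta_checks(SAMPLE):
        print(f"RDTSC at {first:#x} and {second:#x}, "
              f"CMP at {cmp_off:#x}, threshold {threshold:#x}")
```

The reported threshold shows an analyst which constant the sample compares the cycle delta against, which helps when annotating or patching the branch during dynamic analysis.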