Undocumented Opcodes

From ema
EMA ID: ema-1269
Description: Use of rare or undocumented opcodes to block non-exhaustive emulators.
Associated Behavior: emulator prevention

Supporting Details:
The Proxy-Bypass sample uses the icebp instruction (opcode 0xf1), an undocumented opcode on x86 CPUs. icebp was once used for hardware-level debugging, but on modern CPUs it simply raises an interrupt with vector 0x1. An unmodified QEMU uses the instruction for debugging QEMU itself, for example as a point at which to attach gdb, but in production use the effect is that the whole emulator hangs. These malware samples install a handler for the interrupt that real hardware raises; code in that exception handler then performs a further obfuscated control-flow transfer.
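As an added illustration (not code from this page, the sample, or QEMU), the toy fetch/decode loop below models the two behaviours just described: an emulator whose opcode table has no entry for 0xf1 stops at icebp, while an exhaustive table delivers it like hardware does, as a trap to vector 1 that the guest's own handler then receives. The CPU model, the idt dictionary standing in for the guest IDT, the step/run functions and the guest bytes are all constructed for this example.

```python
from dataclasses import dataclass, field

ICEBP = 0xF1  # undocumented one-byte opcode; real CPUs deliver it as vector 1 (#DB)

@dataclass
class CPU:
    mem: bytes
    eip: int = 0
    idt: dict = field(default_factory=dict)   # hypothetical stand-in for the guest IDT: vector -> handler
    trace: list = field(default_factory=list)  # vectors delivered so far

def step(cpu, exhaustive=True):
    """Decode one instruction. Returns (vector, return_eip) for a trap, or None otherwise."""
    op = cpu.mem[cpu.eip]
    if op == 0x90:                      # nop
        cpu.eip += 1
        return None
    if op == 0xCC:                      # int3 -> vector 3, return address is the next instruction
        return (3, cpu.eip + 1)
    if op == 0xCD:                      # int imm8 -> vector imm8
        return (cpu.mem[cpu.eip + 1], cpu.eip + 2)
    if op == ICEBP and exhaustive:      # exhaustive table: same as hardware, a trap to vector 1
        return (1, cpu.eip + 1)
    # Non-exhaustive table: no entry for 0xF1 (or any other unlisted byte); the emulator gives up here.
    raise NotImplementedError(f"unhandled opcode {op:#04x} at eip={cpu.eip:#x}")

def run(cpu, exhaustive=True, max_steps=32):
    """Run until an unhandled trap, an undecodable opcode, or the step budget; return (status, trace)."""
    for _ in range(max_steps):
        try:
            trap = step(cpu, exhaustive)
        except NotImplementedError:
            return ("undecodable", cpu.trace)
        if trap is None:
            continue
        vector, _return_eip = trap
        cpu.trace.append(vector)
        if vector not in cpu.idt:
            return ("unhandled-trap", cpu.trace)
        cpu.eip = cpu.idt[vector]       # deliver to the guest handler; the sample's control-flow transfer lives there
    return ("budget", cpu.trace)

# Constructed guest image: nop; icebp; nop; padding; and at 0x10 a handler that executes int 0x80.
GUEST = bytes([0x90, ICEBP, 0x90]) + b"\x90" * 13 + bytes([0xCD, 0x80])

def demo(exhaustive=True):
    return run(CPU(mem=GUEST, idt={1: 0x10}), exhaustive)
```

With the exhaustive table the guest reaches its vector-1 handler and continues from there; with the non-exhaustive table execution never gets past the icebp byte, which is the gap the sample relies on.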