GET /api/techniques/148/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "RDTSCP",
    "category": [
        "https://search.unprotect.it/api/categories/1/"
    ],
    "description": "Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen). \r\n\r\nThis instruction can be used to calculate the delta of the timestamp counter in the same way as RDTSC and thus detect whether the program is being debugged, emulated or executed in a virtual environment.",
    "resources": "https://www.hexacorn.com/blog/2014/06/15/rdtscp-a-recooked-antire-trick/",
    "tags": "RDTSCP",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/6/",
            "author": "https://search.unprotect.it/api/snippet_authors/4/",
            "technique": "https://search.unprotect.it/api/techniques/148/",
            "description": "",
            "plain_code": ".586\r\n.MODEL FLAT,STDCALL\r\n include    windows.inc\r\n include    kernel32.inc\r\n includelib kernel32.lib\r\n include    user32.inc\r\n includelib user32.lib\r\n include    masm32.inc\r\n includelib masm32.lib\r\n.data\r\n  pat                  db 'rdtscp delta=%d, rdtsc delta=%d',13,10,0\r\n  rdtscp_not_supported db 'rdtscp not supported'\r\n.data?\r\n  buf db 64 dup (?)\r\n.code\r\nrdtscp macro\r\n  db 0Fh, 01h, 0F9h\r\nendm\r\nassume fs:nothing\r\nRDTSCP  proc\r\n  LOCAL _retval:DWORD\r\n   mov  _retval,0\r\n   pushad\r\n   push OFFSET e\r\n   push dword ptr fs:[0]\r\n   mov  dword ptr fs:[0], esp\r\n   rdtscp\r\n   mov ebx,eax\r\n   rdtscp\r\n   sub  eax,ebx\r\n   mov  _retval,eax\r\n   jmp  no_e\r\n e:\r\n   mov  esp, [esp + 8]\r\n   pop  dword ptr fs:[0]\r\n   add  esp, 4\r\n   popad\r\n   mov  _retval,-1\r\n   jmp  _ret\r\n no_e:\r\n   pop  dword ptr fs:[0]\r\n   add  esp, 4\r\n   popad\r\n_ret:\r\n   mov eax,_retval\r\n   ret\r\nRDTSCP  endp\r\n  Start:\r\n   rdtsc\r\n   mov ebx,eax\r\n   rdtsc\r\n   sub  eax,ebx\r\n   mov  ebp,eax\r\n   call RDTSCP\r\n   .if eax==-1\r\n       invoke  StdOut,OFFSET rdtscp_not_supported\r\n   .else\r\n       invoke  wsprintfA,OFFSET buf,OFFSET pat,eax,ebp\r\n       invoke  StdOut,OFFSET buf\r\n   .endif\r\n   invoke ExitProcess,0\r\nEND Start"
        }
    ],
    "detection_rules": []
}