X86-assembly/Instructions/str
Description
The str instruction retrieves the segment selector from the task register, which points to the task state segment (TSS) of the currently executing task.
Because the value returned by this instruction will differ depending on whether it is run on a host or on a virtual machine, it is sometimes used by malware as a virtualization detection / anti-VM technique.
TSS matching VMware

               ┌──────────┬──────────┬──────────┬──────────┐
  TSS (hex)    │   ????   │   ????   │   0x40   │   0x00   │
  TSS (bin)    │ ???????? │ ???????? │ 01000000 │ 00000000 │
               └──────────┴──────────┴──────────┴──────────┘
  Byte offset      0x3        0x2        0x1        0x0

For VMware, the first and second bytes (offsets 0x0 and 0x1) of the stored value are respectively 0x00 and 0x40.
Example 1
.text:00401204 str word ptr [ebp+var_418] ; Load TSS into 4-byte local variable var_418
[SNIP]
.text:00401229 mov edx, [ebp+var_418] ; var_418 saved to EDX
.text:0040122F and edx, 0FFh ; Get 1st byte of EDX
.text:00401235 test edx, edx ; Test whether 1st byte is 0x00
.text:00401237 jnz short loc_40124E ; Test failed (native OS detected). Program continues...
.text:00401239 mov eax, [ebp+var_418+1] ; ...else, 2nd byte saved to EAX
.text:0040123F and eax, 0FFh
.text:00401244 cmp eax, 40h ; Is the 2nd byte equal to 0x40?
.text:00401247 jnz short loc_40124E ; Test failed (native OS detected). Program continues...
.text:00401249 jmp loc_401336 ; ...else: malware self deletion
Example 2
C source

#include <stdio.h>

//...SNIP...
// Alfredo Andrés Omella's (S21sec) STR technique
void
test4 (void)
{
    unsigned char mem[4] = {0, 0, 0, 0};
    __asm str mem;                      // MSVC inline assembly: store the TR selector into mem (2 bytes written)
    printf ("\n[+] Test 4: STR\n");
    printf ("STR base: 0x%02x%02x%02x%02x\n", mem[0], mem[1], mem[2], mem[3]);
    if ((mem[0] == 0x00) && (mem[1] == 0x40))   // little-endian bytes of selector 0x4000
        printf ("Result : VMware detected\n\n");
    else
        printf ("Result : Native OS\n\n");
}
//...SNIP...
Assembly

.text:00401210 str_test proc near
.text:00401210
.text:00401210 var_4 = word ptr -4
.text:00401210 var_2 = byte ptr -2
.text:00401210 var_1 = byte ptr -1
.text:00401210
.text:00401210 push ebp
.text:00401211 mov ebp, esp
.text:00401213 push ecx
.text:00401214 mov byte ptr [ebp+var_4], 0
.text:00401218 mov byte ptr [ebp+var_4+1], 0
.text:0040121C mov [ebp+var_2], 0
.text:00401220 mov [ebp+var_1], 0
.text:00401224 str [ebp+var_4]
.text:00401228 push offset aTest4Str ; "\n[+] Test 4: STR\n"
.text:0040122D call _printf
.text:00401232 add esp, 4
.text:00401235 movzx eax, [ebp+var_1]
.text:00401239 push eax
.text:0040123A movzx ecx, [ebp+var_2]
.text:0040123E push ecx
.text:0040123F movzx edx, byte ptr [ebp+var_4+1]
.text:00401243 push edx
.text:00401244 movzx eax, byte ptr [ebp+var_4]
.text:00401248 push eax
.text:00401249 push offset aStrBase0x02x02 ; "STR base: 0x%02x%02x%02x%02x\n"
.text:0040124E call _printf
.text:00401253 add esp, 14h
.text:00401256 movzx ecx, byte ptr [ebp+var_4]
.text:0040125A test ecx, ecx
.text:0040125C jnz short loc_401276
.text:0040125E movzx edx, byte ptr [ebp+var_4+1]
.text:00401262 cmp edx, 40h
.text:00401265 jnz short loc_401276
.text:00401267 push offset aResultVmware_2 ; "Result : VMware detected\n\n"
.text:0040126C call _printf
.text:00401271 add esp, 4
.text:00401274 jmp short loc_401283
.text:00401276 ; ---------------------------------------------------------------------------
.text:00401276
.text:00401276 loc_401276:
.text:00401276 push offset aResultNative_2 ; "Result : Native OS\n\n"
.text:0040127B call _printf
.text:00401280 add esp, 4
.text:00401283
.text:00401283 loc_401283:
.text:00401283 mov esp, ebp
.text:00401285 pop ebp
.text:00401286 retn
.text:00401286 str_test endp
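The byte comparison in Examples 1 and 2 is a check on the 16-bit segment selector that str stores. The following added example (not code from the page or from S21sec) decodes that selector into its GDT index, table indicator and RPL fields, and shows that the two-byte test is equivalent to comparing the selector with 0x4000. The selector values fed to the test are constructed; the optional read_tr_selector() only executes str on x86 builds with GCC/Clang and, as a caveat for analysts, note that str faults in user mode when the CPU's UMIP feature is enabled.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a segment selector as stored by STR (Intel SDM layout). */
typedef struct {
    uint16_t index;  /* bits 15..3: descriptor index in the GDT/LDT */
    uint8_t  ti;     /* bit 2: table indicator (0 = GDT, 1 = LDT) */
    uint8_t  rpl;    /* bits 1..0: requested privilege level */
} selector_fields;

selector_fields decode_selector(uint16_t sel)
{
    selector_fields f;
    f.index = (uint16_t)(sel >> 3);
    f.ti    = (uint8_t)((sel >> 2) & 1);
    f.rpl   = (uint8_t)(sel & 3);
    return f;
}

/* The test Example 2 performs on the bytes STR wrote to memory:
 * byte 0 == 0x00 and byte 1 == 0x40 (x86 stores little-endian). */
int vmware_signature_bytes(const uint8_t mem[2])
{
    return mem[0] == 0x00 && mem[1] == 0x40;
}

/* The same test expressed on the selector value itself. */
int vmware_signature_selector(uint16_t sel)
{
    return sel == 0x4000;
}

/* Split a selector into the bytes STR would store, then apply the byte test;
 * this must agree with vmware_signature_selector() for every value. */
int vmware_signature_via_bytes(uint16_t sel)
{
    uint8_t mem[2] = { (uint8_t)(sel & 0xFF), (uint8_t)(sel >> 8) };
    return vmware_signature_bytes(mem);
}

/* Reads the task register. Compiled only for x86 with GCC/Clang; returns 0
 * elsewhere. With CR4.UMIP set, STR raises #GP at CPL 3 (a crash, not a value). */
uint16_t read_tr_selector(void)
{
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    uint16_t sel = 0;
    __asm__ volatile ("str %0" : "=r"(sel));
    return sel;
#else
    return 0;
#endif
}
```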
Comments
Keywords: str anti-vm tss