IDC Script: Coloring Unusual Instructions: Anti-Analysis

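#include <idc.idc>

// Colour-code instructions that malware commonly uses for anti-analysis, in
// the segment under the cursor, so they stand out in the disassembly view:
//   orange : VM / hypervisor fingerprinting via descriptor-table reads
//   blue   : rdtsc timing checks (debugger / sandbox detection)
//   purple : fs:/gs: segment-register access (PEB/TEB reads, SEH chain work)
// This is a heuristic triage aid only. Every hit needs manual review; for
// example compiler-emitted SEH prologues (fs:[0]) are benign, and a packer
// that decrypts its anti-analysis code at runtime will not be visible to a
// static pass like this one.
static main() {
    auto start, end, addr, mnem, count, opnd, opnd1, opnd2;

    start = SegStart(ScreenEA());
    end   = SegEnd(ScreenEA());   // original had a typo ("nd") that left `end` unset
    addr  = start;
    count = 0;

    while (addr < end) {
        mnem = GetMnem(addr);   // "" for data items, so the checks below simply fall through

        // Common VM-detect instructions: descriptor-table / task-register reads
        // (redpill/no-pill style) plus cpuid, which exposes the hypervisor-present
        // bit and vendor leaf.
        if (mnem == "sidt" || mnem == "sgdt" || mnem == "sldt" || mnem == "smsw"
            || mnem == "str" || mnem == "cpuid") {
            Message("%08x: Found %s\n", addr, mnem);
            SetColor(addr, CIC_ITEM, 0x0088ff);   // orange (IDA colours are 0xBBGGRR)
        }

        // Read Time Stamp Counter: timing-based debugger / single-step detection
        if (mnem == "rdtsc") {
            Message("%08x: Found %s\n", addr, mnem);
            SetColor(addr, CIC_ITEM, 0xff8800);   // blue
        }

        // Exception handling or other PEB/TEB access through the segment
        // register: fs: on 32-bit Windows, gs: on 64-bit. Check both operands
        // and keep the first one that matches; strstr() returns -1 on no match.
        opnd  = "";
        opnd1 = GetOpnd(addr, 0);
        opnd2 = GetOpnd(addr, 1);
        if (strstr(opnd1, "fs:") > -1 || strstr(opnd1, "gs:") > -1) {
            opnd = opnd1;
        } else if (strstr(opnd2, "fs:") > -1 || strstr(opnd2, "gs:") > -1) {
            opnd = opnd2;
        }
        if (opnd != "") {
            Message("%08x: Found %s\n", addr, opnd);
            SetColor(addr, CIC_ITEM, 0xff8888);   // purple
        }

        // NextHead() returns BADADDR past the last head, which fails `addr < end`.
        // Note `count` counts every head (code and data), not just instructions.
        addr  = NextHead(addr, BADADDR);
        count = count + 1;
    }
    Message("Processed %d instructions from %08x to %08x\n", count, start, end);
}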
