├── README.md
└── detect.masm

/README.md:
--------------------------------------------------------------------------------
VM timing detection found in the crypter of Locky: it compares the cycle counts of two API calls to decide whether the process is running in a virtualized environment.
--------------------------------------------------------------------------------

/detect.masm:
--------------------------------------------------------------------------------
.686
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
init               dd 0          ; TSC low dword before GetProcessHeap
after_heap_call    dd 0          ; TSC low dword after GetProcessHeap
after_close_handle dd 0          ; declared but never used by the loop

total_iters        dd 10         ; consecutive below-threshold iterations required

vm                 db "VMDetected.exe",0   ; marker file written after the loop completes

.code
start:
    xor ebx, ebx                ; ebx = iteration counter
loop1:
    rdtsc
    mov init, eax               ; only the low 32 bits of the timestamp are kept
    invoke GetProcessHeap       ; cheap user-mode call (reads the PEB), used as the baseline
    rdtsc
    mov after_heap_call, eax
    invoke CloseHandle, 0       ; syscall on an invalid handle, the timing-sensitive call
    rdtsc
    sub eax, after_heap_call    ; eax = cycles spent in CloseHandle
    mov ecx, after_heap_call
    sub ecx, init               ; ecx = cycles spent in GetProcessHeap
    xor edx, edx
    div ecx                     ; eax = CloseHandle cycles / GetProcessHeap cycles (unchecked: #DE if ecx is 0)
    cmp eax, 0ah                ; a ratio of 10 or more is treated as virtualized
    jb not_vm
    jmp outloop                 ; leave without writing the marker file
not_vm:
    inc ebx
    cmp ebx, total_iters
    jb loop1                    ; repeat until ten iterations in a row stay below the threshold
    invoke CreateFile, addr vm, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
    invoke CloseHandle, eax
outloop:
    ret 0                       ; return to the kernel32 thread start stub, which ends the process
end start
--------------------------------------------------------------------------------
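As an added aid for reading the loop in detect.masm (this is not part of the original repository): a Python model of its decision logic, using the same 32-bit unsigned arithmetic as the assembly, that an analyst can feed with the rdtsc values recorded from an emulator or debugger trace. The traces below are constructed, not measured.

```python
# Model of the rdtsc ratio check in detect.masm, using the same 32-bit unsigned
# arithmetic as the assembly (only EAX of each RDTSC result is kept).
MASK32 = 0xFFFFFFFF
RATIO_THRESHOLD = 0x0A   # cmp eax, 0ah
TOTAL_ITERS = 10         # total_iters dd 10


def iteration_ratio(init, after_heap, after_close):
    """One loop body: (after_close - after_heap) / (after_heap - init).

    Raises ZeroDivisionError, mirroring the #DE fault the unchecked `div ecx`
    would raise if the GetProcessHeap delta ever came out as zero.
    """
    close_delta = (after_close - after_heap) & MASK32   # sub eax, after_heap_call
    heap_delta = (after_heap - init) & MASK32           # sub ecx, init
    if heap_delta == 0:
        raise ZeroDivisionError("div ecx with ecx == 0")
    return close_delta // heap_delta                    # xor edx,edx / div ecx


def run_check(trace):
    """trace: (init, after_heap, after_close) low-dword TSC triples, one per
    loop iteration, as recorded from an emulator or debugger.

    Returns (branch, iterations): 'outloop' when an iteration's ratio reaches
    the threshold and the loop is left without writing anything, 'marker'
    when all TOTAL_ITERS iterations stayed below it and VMDetected.exe
    would be created.
    """
    for i, (init, after_heap, after_close) in enumerate(trace, 1):
        if iteration_ratio(init, after_heap, after_close) >= RATIO_THRESHOLD:
            return "outloop", i
        if i == TOTAL_ITERS:
            return "marker", i
    raise ValueError("trace ended before the loop did")


# Constructed traces (not real measurements): ~40 cycles in GetProcessHeap,
# ~300 cycles in CloseHandle on the "native" trace, ~4000 on the "slow" one.
NATIVE_TRACE = [(t, t + 40, t + 340) for t in range(0, 10_000, 1_000)]
SLOW_TRACE = [(t, t + 40, t + 4_040) for t in range(0, 10_000, 1_000)]
MIXED_TRACE = NATIVE_TRACE[:3] + SLOW_TRACE[3:4] + NATIVE_TRACE[4:]

if __name__ == "__main__":
    for name, trace in [("native", NATIVE_TRACE), ("slow", SLOW_TRACE), ("mixed", MIXED_TRACE)]:
        print(name, run_check(trace))
```

The wraparound case in the test shows why masking to 32 bits matters: a trace captured across a low-dword overflow still yields the ratio the assembly computes.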