VirtualBox

Opened 7 years ago

Last modified 6 years ago

#17316 closed defect

Wrong instruction after single-step exception with 'rdtsc' — at Initial Version

Reported by: gim
Owned by:
Component: VMM
Version: VirtualBox 5.1.30
Keywords: rdtsc, tf
Cc:
Guest type: Windows
Host type: Linux

Description

There was a bug 5 years ago (https://www.virtualbox.org/ticket/10947) which was fixed, but it still appears in the current release. Here is slightly modified code that loops 1000000 times around the RDTSC call with TF set. If at least one call does not work correctly, a corresponding message is displayed:

    .586
    .model flat, stdcall
    option casemap :none                ; case sensitive

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib

.data
Flag      dd 0                          ; 1 = last trap reported the expected EIP, 0 = wrong EIP or no trap
Address   dd 0                          ; EIP read from the CONTEXT of the last single-step trap
Counter   dd 0
szRight   db 'Flag Value is right!, address = 0x%lx, counter = %ld',0
szWrong   db 'Flag Value is wrong!, address = 0x%lx, counter = %ld',0
szMessage db 256 dup(0)
szInfo    db 'Info:',0                  ; NUL terminator was missing

.code
start:
    assume fs:nothing
test_loop:
    call    @MyCode                     ; pushed return address doubles as the SEH handler address
    ; ---- SEH handler: reached only through exception dispatch ----
    ; [esp+4] ExceptionRecord, [esp+8] EstablisherFrame,
    ; [esp+0Ch] ContextRecord, [esp+10h] DispatcherContext
    mov     ecx, dword ptr [esp+0Ch]
    mov     ecx, dword ptr [ecx+0B8h]   ; ecx = CONTEXT.Eip (offset 0B8h in the x86 CONTEXT)
    mov     Address, ecx
    .if ecx == offset @WrongExceptionEip
        mov Flag, 0
    .else
        mov Flag, 1
    .endif
    xor     eax, eax                    ; ExceptionContinueExecution
    retn
@MyCode:
    push    dword ptr fs:[0]            ; EXCEPTION_REGISTRATION {Next = old fs:[0], Handler = return address}
    mov     dword ptr fs:[0], esp
    mov     Flag, 0                     ; a missing trap must count as wrong, not reuse the previous result
    push    397h                        ; EFLAGS image with TF (bit 8) set
    popfd                               ; TF takes effect after the *next* instruction completes ...
    rdtsc                               ; ... so the #DB trap must report the address right after rdtsc
@RightExceptionEip:                     ; normally CONTEXT.Eip should point here
    nop
@WrongExceptionEip:                     ; in the guest 'without' VT-x/AMD-V, CONTEXT.Eip points here; 'with' VT-x/AMD-V it is right
    cmp     Flag, 1
    jnz     flag_wrong
    pop     fs:[0]                      ; restore the previous SEH head (original popped these two in the wrong order)
    pop     eax                         ; discard the return address pushed by call
    inc     Counter
    cmp     Counter, 1000000
    jnz     test_loop
    invoke  wsprintf, offset szMessage, offset szRight, Address, Counter
    jmp     exit
flag_wrong:
    invoke  wsprintf, offset szMessage, offset szWrong, Address, Counter
exit:
    invoke  MessageBoxA, 0, offset szMessage, offset szInfo, MB_OK
    invoke  ExitProcess, 0
end start

(compiled sample attached: rdtsc.exe)

For example, in the real world this misbehavior is used by VMProtect to detect a virtual machine. I hope no good program crashes because of this misbehavior...
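The test above rests on one architectural rule: the instruction that sets TF (popfd) does not itself trap; the single-step #DB is raised after the next instruction, so the trap's EIP must be the instruction following rdtsc, and a hypervisor that emulates rdtsc but reports the trap one instruction late is visible to any program that checks. The C program below is an editor's example added to this page (it is not code from the ticket, the attachment, or VirtualBox) and ports the same check to Linux/x86-64: it sets TF with pushfq/popfq, executes rdtsc, catches the resulting SIGTRAP and compares REG_RIP in the signal context with the label placed directly after rdtsc, looping as the MASM test does. The result codes, the function name check_rdtsc_single_step and the iteration count are assumptions of this example; there is no SEH here, so ucontext's REG_RIP plays the role of CONTEXT.Eip.

```c
/* Editor's example, not from the ticket: Linux/x86-64 port of the TF + rdtsc check. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Result codes of check_rdtsc_single_step() (names are this example's own). */
enum {
    STEP_OK          = 0,   /* every trap reported the instruction right after rdtsc */
    STEP_WRONG_IP    = 1,   /* a trap reported some other address: the ticket's misbehaviour */
    STEP_NO_TRAP     = 2,   /* rdtsc ran with TF set but no SIGTRAP arrived */
    STEP_UNSUPPORTED = -1   /* not x86-64 Linux, or sigaction() failed */
};

/* glibc's x86-64 gregs[] indices, as a fallback if _GNU_SOURCE was not seen first. */
#ifndef REG_RIP
#define REG_RIP 16
#endif
#ifndef REG_EFL
#define REG_EFL 17
#endif
#define X86_EFLAGS_TF 0x100UL

static volatile uintptr_t trapped_ip;   /* RIP recorded by the last SIGTRAP */
static volatile int       trap_count;

static void sigtrap_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
#if defined(__x86_64__)
    ucontext_t *uc = (ucontext_t *)ctx;
    trapped_ip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    /* The saved EFLAGS still carries TF: clear it, or every instruction after
       sigreturn (including libc's) would trap again. Same role as the Windows
       dispatcher clearing TF before resuming at CONTEXT.Eip. */
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_EFLAGS_TF;
#else
    (void)ctx;
#endif
    trap_count++;
}

/* Run rdtsc with TF set `iterations` times; stop at the first iteration whose
   trap address is not the label placed directly after rdtsc. */
int check_rdtsc_single_step(int iterations)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigtrap_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return STEP_UNSUPPORTED;

    int result = STEP_OK;
    for (int i = 0; i < iterations && result == STEP_OK; i++) {
        uintptr_t expected;
        trap_count = 0;
        trapped_ip = 0;
        __asm__ __volatile__(
            "lea    1f(%%rip), %0     \n\t"  /* address the trap should report */
            "lea    -128(%%rsp), %%rsp\n\t"  /* step over the red zone before using the stack */
            "pushfq                   \n\t"
            "orq    %1, (%%rsp)       \n\t"  /* set TF in the EFLAGS image */
            "popfq                    \n\t"  /* TF takes effect after the next instruction ... */
            "rdtsc                    \n\t"  /* ... so #DB fires after rdtsc with RIP = label 1 */
            "1: nop                   \n\t"
            "lea    128(%%rsp), %%rsp \n\t"
            : "=&r"(expected)
            : "i"(X86_EFLAGS_TF)
            : "rax", "rdx", "cc", "memory");
        if (trap_count != 1)
            result = STEP_NO_TRAP;
        else if (trapped_ip != expected)
            result = STEP_WRONG_IP;
    }
    sigaction(SIGTRAP, &old, NULL);
    return result;
#else
    (void)iterations;
    return STEP_UNSUPPORTED;
#endif
}

int main(void)
{
    int r = check_rdtsc_single_step(100000);
    printf("rdtsc single-step check: %s (last trap RIP 0x%lx)\n",
           r == STEP_OK ? "right" : r == STEP_WRONG_IP ? "WRONG" :
           r == STEP_NO_TRAP ? "no trap" : "unsupported",
           (unsigned long)trapped_ip);
    return r == STEP_OK ? 0 : 1;
}
```

Run it on bare metal and then inside the guest under test: STEP_WRONG_IP means the guest delivered the trap with RIP somewhere other than the instruction after rdtsc, which is exactly the signal a VMProtect-style check keys on. The TF-clearing line in the handler is what keeps the program from single-stepping forever once the first trap has been observed.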

Change History (1)

by gim, 7 years ago

Attachment: rdtsc.exe added

compiled asm code

