GET /api/techniques/65/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 65,
"key": "gettickcount",
"unprotect_id": "U0125,B0001.032",
"name": "GetTickCount",
"description": "This is typical timing function which is used to measure time needed to execute some function/instruction set. If the difference is more than fixed threshold, the process exits.\r\n\r\n`GetTickCount` reads from the `KUSER_SHARED_DATA` page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the system time, which is stored directly in this page.\r\n\r\n`ZwGetTickCount` is used the same way as `GetTickCount`. Using `KiGetTickCount` is faster than calling `ZwGetTickCount`, but slightly slower than reading from the `KUSER_SHARED_DATA` page directly.",
"resources": "https://researchcenter.paloaltonetworks.com/2015/10/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/\nhttps://anti-debug.checkpoint.com/techniques/timing.html#kernel-timing",
"creation_date": "2019-03-18T13:36:32Z",
"tags": "gettickcount",
"modification_date": "2023-10-04T10:43:40.578000Z",
"category": [
3
],
"rules": [
28
],
"attachments": [],
"featured_api": [
413
],
"contributors": []
}
