CPU Counting

Created the Sunday 29 January 2023. Updated 11 months, 1 week ago.

In many sandboxes, due to virtualization constraints, the number of CPUs may be limited to one. However, in the real world, all x86 CPUs have been sold with multiple cores or at least hyperthreading for over a decade.

As a result, it is sometimes possible to detect virtualization or sandboxing by examining the number of CPUs on the system. This information can be obtained without making API calls, simply by checking the PEB, which holds this information. The presence of hyperthreading can also be detected by directly asking the CPU using the CPUID instruction.

Technique Identifiers

U1340 B0009.018

Technique Tags

Sandbox virtualization constraint CPU count workstations servers x86 CPU multi-core hyperthreading virtualization detection Windows API WMI registry PEB hyperthreading detection CPUID instruction

Code Snippets

Description

This code snippet is written in assembly language and is used to detect the hyperthreading capacity and number of CPUs in a system.

For detecting hyperthreading capacity, the code sets EAX to 1 to access the leaf processor info and feature bits. It then calls CPUID instruction, shifts the 28th bit (which is the hyperthread bit on Intel processors), and clears other bits with an AND instruction. If the result in EDX is 0, it means that the system does not have hyperthreading capacity.

For detecting the number of CPUs, the code retrieves the Processor Environment Block (PEB) and gets the CPU count information stored at an offset. It then decrements the value and checks if it is not equal to zero. If it is not equal to zero, it means that there is more than one CPU in the system.

Detect hypertreading capacity through CPUID
   mov eax, 1 ; Set EAX to 1 in order to access to the leaf processor info and feature bits
   cpuid ; call cpuid
   shr edx,28 ; shift the bit 28 ( which is hypertread bit on intel )
   and edx,1 ; cleanup
   ; 0 in edx means no hyperthearding capacity.

Detect unique cpu through PEB
   mov   eax, [fs:0x30]    ; Get PEB
   mov   eax,[eax+0x64]    ; Get Cpu Count
   dec   eax
   jnz   _isnot_pebuniq    ; If eax = 0 , we have only one CPU
   ret

CPU Counting

Technique Identifiers

Technique Tags

Code Snippets

Subscribe to our Newsletter