CPUID

Created the Monday 11 March 2019. Updated 6 months, 2 weeks ago.

The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.

You can use the CPUID instruction to retrieve various pieces of information about the CPU, such as the brand of the CPU, the operating system, or the presence of a hypervisor. This is done by specifying the "leaf" information you want to retrieve (such as 0 for the brand of the CPU) in the EAX register, and then executing the instruction. The result will be returned in the EBX, EDX, and ECX registers as a string.

For example, when you request leaf information 0, you may see the brand of the CPU or the virtualization technology in use. Some common strings that you may see include "KVMKVMKVM" for KVM, "Microsoft Hv" for Hyper-V, "VMwareVMware" for VMware, and "GenuineIntel" for an Intel CPU.

The information returned by the CPUID instruction can vary depending on the platform and the specific CPU model.

Technique Identifiers

U1324 B0009.034

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

memcmp

Code Snippets

Description

Original code available here: https://github.com/a0rtega/pafish/blob/master/pafish/cpu.c

/* Check hypervisor presence bit */
static inline int cpuid_hv_bit(){
    int ecx;
    __asm__ volatile("cpuid" \
        : "=c"(ecx) \
        : "a"(0x01));
    return (ecx>>31) & 0x1;
}
/* Get hypervisor name */
static inline void cpuid_hv_vendor_00(char * vendor){
    int ebx = 0, ecx = 0, edx = 0;
    __asm__ volatile("cpuid" \
        : "=b"(ebx), \
        : "=c"(ecx), \
        : "=d"(edx) \
        : "a"(0x40000000));
    sprintf(vendor, "%c%c%c%c", ebx, (ebx>>8), (ebx>>16), (ebx>>24));
    sprintf(vendor+4, "%c%c%c%c", ebx, (ebx>>8), (ebx>>16), (ebx>>24));
    sprintf(vendor+8, "%c%c%c%c", ebx, (ebx>>8), (ebx>>16), (ebx>>24));
    vendor[12] = 0x00;
}
void cpu_write_hv_vendor(char * vendor){
    cpuid_hv_vendor_00(vendor);
}
int cpu_known_vm_vendors(){
    const int count = 6;
    int i;
    char cpu_hv_vendor[13];
    strings strs[count];
    strs[0] = "KVMKVMKVM\0\0\0"; /* KVM */
    strs[1] = "Microsoft Hv"; /* Microsoft Hyper-V or Windows Virtual PC */
    strs[2] = "VMwareVMware"; /* VMware */
    strs[3] = "XenVMMXenVMM"; /* Xen */
    strs[4] = "prl hyperv"; */ Parallels */
    strs[5] = "VBoxVBoxVBox"; /* VirtualBox */
    cpu_write_hv_vendor(cpu_hv_vendor);
    for (i=0; i < count; i++){
        if (!memcmp(cpu_hv_vendor,strs[i], 12)) return TRUE;
    }
    return FALSE;
}

Description

This assembly code is using the CPUID instruction to check if the current processor is an Intel CPU. It moves the value 0 into the EAX register and then executes the CPUID instruction. It compares the value in the EDX register with a specific hexadecimal value to determine if the processor is an Intel CPU. If the comparison is true, it jumps to a specific label, otherwise, it exits the function. The preprocessor directive %ifdef NOSB_INTELONLY check if the symbol NOSB_INTELONLY is defined before the compilation, if it is defined, the code block following this directive will be included in the final executable.

%ifdef NOSB_INTELONLY
mov eax,0
cpuid
cmp edx,0x49656E69
je _isintel
ret
_isintel:
%endif

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.