Anti-Analysis / intermediate
RDTSC Timing Check
Using the RDTSC instruction to measure execution time and detect the slowdown caused by single-stepping or breakpoints in a debugger.
RDTSC (Read Time-Stamp Counter) reads the processor's cycle counter into
EDX:EAX. By reading it twice and comparing the delta, code can detect the
large time gap introduced when an analyst single-steps through instructions or
hits a breakpoint.
How it works
```nasm
rdtsc                    ; t0 -> EDX:EAX (only the low 32 bits in EAX are kept below)
mov esi, eax             ; t0
; ... protected code ...
rdtsc                    ; t1
sub eax, esi             ; delta = t1 - t0 (low 32 bits)
cmp eax, 0x10000         ; threshold (~65k cycles)
ja debugger_detected
```

Under normal execution the delta is a few hundred cycles. When an analyst single-steps through the protected region under a debugger, the delta grows into the millions and trips the threshold.
Detection & bypass
- Patch the comparison: NOP the conditional jump or force the threshold high.
- Hardware/VMM TSC offsetting: hypervisors can present a consistent TSC.
- ScyllaHide offers an RDTSC emulation option that returns plausible deltas.
Statically, treat back-to-back rdtsc instructions bracketing a cmp/ja sequence as a strong timing-check signal.
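As an added example (not part of the original card), a small Python scanner for that static signal over raw x86 bytes: it pairs rdtsc opcodes (0F 31) that sit within a byte window of each other, requires a following cmp eax, imm32 and a ja, and extracts the threshold. The opcode encodings it matches, the window sizes, and the hand-assembled sample bytes are my assumptions, not data from a real binary.

```python
from typing import List, Optional, Tuple

RDTSC = b"\x0f\x31"  # rdtsc opcode, identical in 32- and 64-bit code

def _find_cmp_eax_imm32(code: bytes, start: int, end: int) -> Optional[Tuple[int, int]]:
    """First `cmp eax, imm32` in [start, end) as (offset, imm32).
    Encodings assumed: 3D id, or the longer 81 F8 id form."""
    for i in range(start, min(end, len(code) - 4)):
        if code[i] == 0x3D:
            return i, int.from_bytes(code[i + 1:i + 5], "little")
        if code[i:i + 2] == b"\x81\xf8" and i + 6 <= len(code):
            return i, int.from_bytes(code[i + 2:i + 6], "little")
    return None

def _find_ja(code: bytes, start: int, end: int) -> Optional[int]:
    """Offset of the first `ja` (77 cb short, 0F 87 cd near) in [start, end)."""
    for i in range(start, min(end, len(code) - 1)):
        if code[i] == 0x77 or code[i:i + 2] == b"\x0f\x87":
            return i
    return None

def find_rdtsc_timing_checks(code: bytes, max_gap: int = 64, tail: int = 32) -> List[Tuple[int, int, int, int]]:
    """(t0_offset, t1_offset, threshold, ja_offset) for each pair of rdtsc reads
    at most max_gap bytes apart whose second read is followed within `tail`
    bytes by `cmp eax, imm32` and then a `ja`. Raw-byte matching ignores
    instruction boundaries: hits are a triage signal to confirm in a disassembler."""
    hits = []
    offsets = [i for i in range(len(code) - 1) if code[i:i + 2] == RDTSC]
    for t0, t1 in zip(offsets, offsets[1:]):
        if t1 - t0 > max_gap:
            continue
        cmp = _find_cmp_eax_imm32(code, t1 + 2, t1 + 2 + tail)
        if cmp is None:
            continue
        cmp_off, threshold = cmp
        ja = _find_ja(code, cmp_off + 1, t1 + 2 + tail)
        if ja is not None:
            hits.append((t0, t1, threshold, ja))
    return hits

# Constructed sample: the stub above hand-encoded for 32-bit x86 (not from a real binary).
SAMPLE = (
    b"\x0f\x31"              # rdtsc
    b"\x89\xc6"              # mov esi, eax      ; t0
    b"\x90\x90\x90\x90"      # ... protected code (NOP filler) ...
    b"\x0f\x31"              # rdtsc
    b"\x29\xf0"              # sub eax, esi      ; delta = t1 - t0
    b"\x3d\x00\x00\x01\x00"  # cmp eax, 0x10000  ; threshold
    b"\x77\x05"              # ja debugger_detected (short jump)
)
```

Running `find_rdtsc_timing_checks(SAMPLE)` reports the pair at offsets 0 and 8 with the 0x10000 threshold; wrapping the scan in a YARA-style rule or running it over each executable section is the natural next step.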