ayoubfaouzi · ayoubfaouzi · Jul 17, 2016 · Jul 17, 2016
diff --git a/README.md b/README.md
@@ -135,6 +135,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 	- Interupt Descriptor Table (IDT) location
 	- Local Descriptor Table (LDT) location
 	- Global Descriptor Table (GDT) location
+	- Task state segment trick with STR
 
 - **MAC Address**
 	- "\x08\x00\x27" (VBOX)
@@ -209,11 +210,12 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - APC (QueueUserAPC / NtQueueApcThread)
 - RunPE (GetThreadContext / SetThreadContext)
 
+
 ## Contributors
 - [mrexodia](http://mrexodia.cf): Main developer of [x64dbg](http://x64dbg.com/)
 
-## References
 
+## References
 - An Anti-Reverse Engineering Guide By Josh Jackson.
 - Anti-Unpacker Tricks By Peter Ferrie.
 - The Art Of Unpacking By Mark Vincent Yason.

diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -31,7 +31,7 @@ int main(void)
 	//exec_check(&NtQueryObject_ObjectTypeInformation, TEXT("Checking NtQueryObject with ObjectTypeInformation : "));
 	//exec_check(&NtQueryObject_ObjectAllTypesInformation, TEXT("Checking NtQueryObject with ObjectAllTypesInformation : "));
 	//exec_check(&NtYieldExecutionAPI, TEXT("Checking NtYieldExecution : "));
-	// exec_check(&SetHandleInformatiom_ProtectedHandle, TEXT("Checking CloseHandle protected handle trick : "));
+	//exec_check(&SetHandleInformatiom_ProtectedHandle, TEXT("Checking CloseHandle protected handle trick : "));
 
 	/* Anti Dumping */
 	//print_category(TEXT("Anti Dumping"));
@@ -71,9 +71,10 @@ int main(void)
 	/* Generic sandbox detection */
 	//loaded_dlls();
 	//exec_check(&NumberOfProcessors, TEXT("Checking Number of processors in machine: "));
-	exec_check(&idt_trick, TEXT("Checking Interupt Descriptor Table location: "));
-	exec_check(&ldt_trick, TEXT("Checking Local Descriptor Table location: "));
-	exec_check(&gdt_trick, TEXT("Checking Global Descriptor Table location: "));
+	//exec_check(&idt_trick, TEXT("Checking Interupt Descriptor Table location: "));
+	//exec_check(&ldt_trick, TEXT("Checking Local Descriptor Table location: "));
+	//exec_check(&gdt_trick, TEXT("Checking Global Descriptor Table location: "));
+	exec_check(&str_trick, TEXT("Checking Global Descriptor Table location: "));
 
 
 	/* Code injections techniques */

diff --git a/al-khaser/Anti VM/Generic.cpp b/al-khaser/Anti VM/Generic.cpp
@@ -109,3 +109,25 @@ BOOL gdt_trick()
 		return FALSE;
 }
 
+
+/*
+The instruction STR (Store Task Register) stores the selector segment of the TR
+register (Task Register) in the specified operand (memory or other general purpose register).
+All x86 processors can manage tasks in the same way as an operating system would do it.
+That is, keeping the task state and recovering it when that task is executed again. All 
+the states of a task are kept in its TSS; there is one TSS per task. How can we know which
+is the TSS associated to the execution task? Using STR instruction, due to the fact that
+the selector segment that was brought back points into the TSS of the present task.
+In all the tests that were done, the value brought back by STR from within a virtual machine
+was different to the obtained from a native system, so apparently, it can be used as a another
+mechanism of a unique instruction in assembler to detect virtual machines.
+*/
+BOOL str_trick()
+{
+	UCHAR *mem = get_str_base();
+
+	if ((mem[0] == 0x00) && (mem[1] == 0x40))
+		return TRUE; // VMWare detected	
+	else
+		return FALSE;
+}
diff --git a/al-khaser/Anti VM/Generic.h b/al-khaser/Anti VM/Generic.h
@@ -8,4 +8,5 @@ VOID loaded_dlls();
 BOOL NumberOfProcessors();
 BOOL idt_trick();
 BOOL ldt_trick();
-BOOL gdt_trick();
+BOOL gdt_trick();
+BOOL str_trick();
diff --git a/al-khaser/Shared/Utils.cpp b/al-khaser/Shared/Utils.cpp
@@ -696,39 +696,55 @@ ULONG get_idt_base()
 }
 
 
-ULONG get_ldt_base()
+ULONG get_ldt_base()
 {
 	// Get the base of Local Descriptor Table (LDT)
-
-	UCHAR ldtr[5] = "\xef\xbe\xad\xde";
-	ULONG ldt = 0;
+
+	UCHAR ldtr[5] = "\xef\xbe\xad\xde";
+	ULONG ldt = 0;
 
 	// sldt instruction stores the contents of the LDT Register
 	// (the LDTR which points to the LDT) in a processor register.
-#if defined (ENV32BIT)
+#if defined (ENV32BIT)
 	_asm sldt ldtr
-#endif
+#endif
 	ldt = *((unsigned long *)&ldtr[0]);
-	printf("LDT base: 0x%x\n", ldt);
-
-	return ldt;
+	printf("LDT base: 0x%x\n", ldt);
+
+	return ldt;
 }
 
 
-ULONG get_gdt_base()
+ULONG get_gdt_base()
 {
 	// Get the base of Global Descriptor Table (GDT)
-
-	UCHAR gdtr[6];
+
+	UCHAR gdtr[6];
 	ULONG gdt = 0;
 
 	// sgdt instruction stores the contents of the GDT Register
 	// (the GDTR which points to the GDT) in a processor register.
-#if defined (ENV32BIT)
+#if defined (ENV32BIT)
 	_asm sgdt gdtr
-#endif
+#endif
 	gdt = *((unsigned long *)&gdtr[2]);
-	printf("GDT base: 0x%x\n", gdt);
-
-	return gdt;
+	printf("GDT base: 0x%x\n", gdt);
+
+	return gdt;
 }
+
+
+UCHAR* get_str_base()
+{
+	// get the selector segment of the TR register which points into
+	// the TSS of the present task. 
+
+	UCHAR mem[4] = {0, 0, 0, 0};
+
+#if defined (ENV32BIT)
+	__asm str mem;
+#endif
+
+	printf("STR base: 0x%02x%02x%02x%02x\n", mem[0], mem[1], mem[2], mem[3]);
+	return mem;
+}
diff --git a/al-khaser/Shared/Utils.h b/al-khaser/Shared/Utils.h
@@ -34,6 +34,7 @@ BOOL ExecWMIQuery(IWbemServices **pSvc, IWbemLocator **pLoc, IEnumWbemClassObjec
 ULONG get_idt_base();
 ULONG get_ldt_base();
 ULONG get_gdt_base();
+UCHAR* get_str_base();
 
 #define	MALLOC(x)	HeapAlloc(GetProcessHeap(), 0, x)
 #define FREE(x)		HeapFree(GetProcessHeap(), 0, x)