Bug for Trap Flag simulation

[Maladiy]

When I added debugger and VM protection with vmprotect

and set EMULATE_SINGLE_STEP=True

ANTIDEBUG=1
ANTIVM=0
EMULATE_HYPERV=False
EMULATE_SINGLE_STEP=True

I found that a VM was detected.

It was strange because I was not running in a VM. To figure out why this happened, I looked at the leak source code of vmprotect and found a detection as shown below. https://github.com/jmpoep/vmprotect-3.5.1/blob/master/runtime/loader.cc#L2514

This is a common VM detection. https://howtohypervise.blogspot.com/2019/01/a-common-missight-in-most-hypervisors.html
I wrote code to verify whether tiny_tracer passed this test.

	uint8_t mem_val;
	__try 
	{
		// set T flag
		__writeeflags(__readeflags() | 0x100);
		__nop();
		__nop();
		
		printf("Debugger Found\n");
	}
	__except (mem_val = *static_cast<uint16_t*>((GetExceptionInformation())->ExceptionRecord->ExceptionAddress), EXCEPTION_EXECUTE_HANDLER) 
	{
		if (mem_val != 0x90)
		{
			printf("Virtual Machine Found\n");
			printf("mem_val:0x%x\n", mem_val);
		}
	}

	printf("Check done\n");

Unfortunately tiny_tracer had an error when simulating the Trap Flag.

[hasherezade]

Hi @Maladiy ! Thank you for your report. Please check the latest patch, it should help.

Let me know if everything is ok.

[Maladiy]

Thanks a lot. I tested tiny_tracer and it works well.