A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
#23624 by Codehook
Sat Aug 16, 2014 11:32 am
Hi all,

I have been looking at modifying the Real-Time Clock (RTC) in Windows under VirtualBox/VMware. The whole purpose is so that I can trick malware into executing when it would otherwise delay its malicious execution. The threshold I'm looking to achieve is making 24 hours pass in 60 seconds. This may not be feasible, but it's a target.

I am currently sending an I/O to the CMOS to change the frequency of the rate in Register A like this:
Code:
#include <conio.h>  // _outp: MSVC x86 port-output intrinsic; a driver would use WRITE_PORT_UCHAR instead
_outp(0x70, 0x0A);  // Select "register A"
_outp(0x71, 0x03);  // Modify "register A" to 3 (00000011): rate-select bits = 3, i.e. 8192 Hz; divider bits 4-6 cleared
I'm actually doing it slightly cleaner than that, taking into consideration how you are supposed to query and update the CMOS registers.

Anyhow, this will only increase the RTC so far (8 kHz probably). It's quite fast, but I'd like to push it faster for malware analysis.

I've also tried modifying KUSER_SHARED_DATA for manipulating tick counts and system time, but I don't seem to be able to interfere with the interrupt time there. Is there a reason why? I suppose I could do a PTE hook for each process but I don't want to hook anything as I'd like the potential for this to be compatible with x64 systems with PG. So even if I can trick the system into thinking the tick count and system time are going faster, anything that uses Sleep/DelayExecution will function as normal.

What else could I modify (maybe in kernel memory?) or execute that would do this? Could I send an int 70h to update the clock? Could I modify a value that Windows uses to increment the time more than it should? Is this a stupid idea in the first place?

Thanks!
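Added worked example, not code from Codehook's post or from any reply: the Register A rate-select encoding and the read-modify-write sequence the post alludes to ("how you are supposed to query and update the CMOS registers"), run against a simulated CMOS instead of real ports 0x70/0x71 so it compiles and runs in user mode on any host. The port_bus struct, the cmos_sim stand-in and its 0x26 starting value are constructed for this example; on real hardware you would point out8/in8 at WRITE_PORT_UCHAR/READ_PORT_UCHAR (or __outbyte/__inbyte). It also shows why the periodic rate tops out at 8192 Hz: rate-select codes 1 and 2 do not encode anything faster, they alias 256 Hz and 128 Hz.

```c
/* Added example, not code from the original post: Register A (0x0A) rate-select
 * programming via read-modify-write, against a simulated CMOS rather than real
 * ports 0x70/0x71 so it runs in user mode on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMOS_INDEX_PORT  0x70
#define CMOS_DATA_PORT   0x71
#define CMOS_REG_A       0x0A
#define CMOS_REG_D       0x0D
#define CMOS_NMI_DISABLE 0x80 /* bit 7 of the index byte masks NMI; not part of the address */
#define REGA_RS_MASK     0x0F /* bits 0-3: periodic interrupt rate select */
#define REGA_DV_MASK     0x70 /* bits 4-6: divider chain / time base select */
#define REGA_UIP         0x80 /* bit 7: update in progress, read-only */
#define REGA_DV_32KHZ    0x20 /* DV=010: 32.768 kHz time base, normal operation */

/* Port-I/O abstraction (assumed for the example): on real hardware point out8/in8
 * at WRITE_PORT_UCHAR/READ_PORT_UCHAR or __outbyte/__inbyte. */
typedef struct {
    void    (*out8)(void *ctx, uint16_t port, uint8_t v);
    uint8_t (*in8)(void *ctx, uint16_t port);
    void     *ctx;
} port_bus;

/* Periodic interrupt frequency for a Register A value (MC146818/DS12887 rate table,
 * 32.768 kHz time base). Codes 1 and 2 are the catch: they are not "faster than
 * 8192 Hz", they alias 256 Hz and 128 Hz. */
unsigned rtc_periodic_hz(uint8_t rega)
{
    unsigned rs = rega & REGA_RS_MASK;
    if (rs == 0) return 0;      /* periodic interrupt disabled */
    if (rs == 1) return 256;
    if (rs == 2) return 128;
    return 32768u >> (rs - 1);  /* rs=3 -> 8192 Hz ... rs=15 -> 2 Hz */
}

/* Change only the rate-select nibble; DV bits and UIP are preserved. NMI is masked
 * while the index is parked on Register A and re-enabled afterwards. */
uint8_t rtc_set_rate_select(const port_bus *bus, uint8_t rs)
{
    uint8_t old, updated;
    rs &= REGA_RS_MASK;
    bus->out8(bus->ctx, CMOS_INDEX_PORT, CMOS_REG_A | CMOS_NMI_DISABLE);
    old = bus->in8(bus->ctx, CMOS_DATA_PORT);
    updated = (uint8_t)((old & ~REGA_RS_MASK) | rs);
    bus->out8(bus->ctx, CMOS_INDEX_PORT, CMOS_REG_A | CMOS_NMI_DISABLE);
    bus->out8(bus->ctx, CMOS_DATA_PORT, updated);
    bus->out8(bus->ctx, CMOS_INDEX_PORT, CMOS_REG_D); /* bit 7 clear: NMI back on */
    (void)bus->in8(bus->ctx, CMOS_DATA_PORT);         /* complete the index/data pair */
    return updated;
}

/* Constructed stand-in for the chip: 128 CMOS bytes plus the index latch. */
typedef struct { uint8_t regs[128]; uint8_t index; } cmos_sim;

static void sim_out8(void *ctx, uint16_t port, uint8_t v)
{
    cmos_sim *c = ctx;
    if (port == CMOS_INDEX_PORT) {
        c->index = v & 0x7F;
    } else if (port == CMOS_DATA_PORT) {
        if (c->index == CMOS_REG_A) /* UIP is read-only on the real part */
            v = (uint8_t)((c->regs[CMOS_REG_A] & REGA_UIP) | (v & ~REGA_UIP));
        c->regs[c->index] = v;
    }
}

static uint8_t sim_in8(void *ctx, uint16_t port)
{
    cmos_sim *c = ctx;
    return port == CMOS_DATA_PORT ? c->regs[c->index] : 0xFF;
}

/* From 0xA6 (UIP set, DV=010, RS=6), requesting RS=3 must give 0xA3 with UIP and
 * DV untouched and the index left on Register D. Returns 1 on success. */
int demo_preserves_bits(void)
{
    cmos_sim chip;
    memset(&chip, 0, sizeof chip);
    chip.regs[CMOS_REG_A] = 0xA6;
    port_bus bus = { sim_out8, sim_in8, &chip };
    uint8_t a = rtc_set_rate_select(&bus, 3);
    return a == 0xA3 && chip.regs[CMOS_REG_A] == 0xA3 && chip.index == CMOS_REG_D;
}

/* Try every rate-select code from the firmware default 0x26 (1024 Hz) and return the
 * fastest rate reached, or 0 if any write disturbed the DV (oscillator) bits. */
unsigned demo_fastest_rate(void)
{
    cmos_sim chip;
    memset(&chip, 0, sizeof chip);
    chip.regs[CMOS_REG_A] = REGA_DV_32KHZ | 0x06;
    port_bus bus = { sim_out8, sim_in8, &chip };
    unsigned best = 0;
    for (uint8_t rs = 1; rs <= 15; rs++) {
        uint8_t a = rtc_set_rate_select(&bus, rs);
        if ((a & REGA_DV_MASK) != REGA_DV_32KHZ) return 0;
        unsigned hz = rtc_periodic_hz(a);
        if (hz > best) best = hz;
    }
    return best; /* 8192 Hz: the RS field has no faster encoding */
}

int main(void)
{
    printf("fastest Register A periodic rate: %u Hz; DV/UIP preserved: %s\n",
           demo_fastest_rate(), demo_preserves_bits() ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler (e.g. cc rtc_rate.c -o rtc_rate). Against the usual 1024 Hz default, RS=3 is an 8x speedup; the 24-hours-in-60-seconds target in the post is 1440x, so Register A alone cannot get there regardless of how cleanly it is programmed.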