Analyzed with @vm_call and offered improvements to BattlEye's VM detection. It was surprising this was their only method to detect generic hypervisors.
https://vmcall.blog/battleye-hypervisor-detection/
Seems that there are two others found after more thorough analysis. Using xgetbv/xsetbv in a loop similar to the one in the article. XSETBV is an unconditionally exiting instruction so naturally it fits for the time based attack. 1/2
The other is using CPUID where EAX=0 to query CPU vendor information. For whatever reason, they loop these an exorbitant number of times - 26,000 times. The rest of the code is virtualized with VMP - yikes. The perf overhead is extreme.
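The timing check described in the two tweets above, as an added example that is not BattlEye's code and not from the linked blog: it measures the RDTSC cost of a CPUID(EAX=0) vendor query over the 26,000 iterations the thread reports, which shows both how the heuristic works and why that iteration count is a visible performance cost. It assumes GCC or Clang on x86, and uses CPUID rather than XSETBV because XSETBV is a ring-0 instruction and cannot be issued from user mode; the 1000-cycle threshold is an assumption, not a value from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <cpuid.h>      /* __cpuid macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc */

/* Iteration count reported in the thread for BattlEye's CPUID loop. */
#define BATTLEYE_ITERATIONS 26000u

/* Cycles spent on a single CPUID(EAX=0) vendor-string query.
 * CPUID always causes a VM exit, so under a hypervisor the round trip
 * costs far more than the ~100-200 cycles typical on bare metal. */
static uint64_t cpuid_vendor_cycles(void) {
    unsigned int eax, ebx, ecx, edx;
    uint64_t start = __rdtsc();
    __cpuid(0, eax, ebx, ecx, edx);
    uint64_t end = __rdtsc();
    (void)(eax | ebx | ecx | edx);  /* vendor string itself is not needed here */
    return end - start;
}

/* Average cost of the query over n iterations: this is the measurement
 * the timing check is built on, and also the source of the overhead
 * the thread complains about. n == 0 is treated as a no-op. */
uint64_t average_cpuid_cycles(unsigned int n) {
    if (n == 0) return 0;
    uint64_t total = 0;
    for (unsigned int i = 0; i < n; i++)
        total += cpuid_vendor_cycles();
    return total / n;
}

/* Heuristic verdict. The threshold is an assumption of this example; a
 * real implementation would calibrate it per CPU model, not hard-code it. */
int timing_suggests_hypervisor(uint64_t avg_cycles, uint64_t threshold) {
    return avg_cycles > threshold;
}

int main(void) {
    uint64_t avg = average_cpuid_cycles(BATTLEYE_ITERATIONS);
    printf("average CPUID(0) cost over %u iterations: %llu cycles\n",
           BATTLEYE_ITERATIONS, (unsigned long long)avg);
    printf("total spent in the loop: ~%llu cycles\n",
           (unsigned long long)(avg * BATTLEYE_ITERATIONS));
    printf("hypervisor suspected: %s\n",
           timing_suggests_hypervisor(avg, 1000) ? "yes" : "no");
    return 0;
}
```

Run it once on bare metal and once inside a VM to see the per-query cost gap the heuristic relies on; the "total spent" line is the cost the anti-cheat pays every time it runs the loop.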
Replying to @daax_rynd
shoe on head or we drop bypasses for these detections as well
1:03 PM - 14 Jan 2020