fake rdtsc by setting the TSD bit in cr4 and hooking int0D (#GP)

When the TSD bit is set, rdtsc becomes a privileged instruction:
every execution of rdtsc from CPL != 0 while cr4.TSD == 1
raises a General Protection Fault (int0D).

The idea is simple: hook int0D and check whether the exception was raised
within the user memory range; if so, check whether the faulting instruction is
rdtsc. If it is rdtsc, set eax and edx to 0 in the saved context and simply
return from the interrupt with iretd.

This is SoftICE and OllyDbg compatible. Stepping over rdtsc will also
execute the instruction after it before the debugger gets control back.

The explanation is simple:

When the exception occurs, eflags and cs:eip are stored on the stack.
If you were single-stepping the code, the T flag (TF) is set:

0023:F3EA6DC8 00000000  00401000  0000001B  00010346      ......@.....F...
                        ^^^^^^^^  ^^^^^^^^  ^^^^^^^^
                        eip       cs        eflags
                        
As you can see, the T flag is set in the saved eflags, so when we return
from the interrupt it will be set again. The T flag generates an exception
after the execution of one instruction, so when we return from the interrupt
the execution of the next instruction will trigger the single-step exception:

Single-stepping this code as an example (T flag set prior to execution
of the rdtsc opcode):

rdtsc                   <--- handled by int0D
nop                     <--- T flag set
jmp     __blah          <--- single-step exception occurs after nop
                             and the debugger stops at jmp __blah
                             
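To make the stepping sequence above concrete, here is an added simulation in C (not the author's driver code): the hook's decision logic on the saved frame, and a three-instruction model showing why the debugger regains control only after the nop. It assumes a simplified saved-register layout, a constructed TSC value, and that the hook advances eip past the 2-byte rdtsc before iretd, which the text implies.

```c
#include <stdint.h>
#include <stdio.h>
#define TF 0x100u   /* trap flag in EFLAGS */
/* Register state the hook sees on the ring-0 stack after int 0Dh (simplified). */
struct cpu { uint32_t eax, edx, eip, cs, eflags; unsigned cr4_tsd; };
enum event { EV_NONE, EV_GP_FAKED, EV_GP_REAL, EV_SSTEP };

/* The hook's decision: a CPL3 fault on the RDTSC opcode (0F 31) is absorbed,
 * EDX:EAX zeroed and EIP moved past the 2-byte instruction before IRETD;
 * anything else goes to the original handler. EFLAGS (and so TF) is untouched. */
static int gp_hook(struct cpu *c, const uint8_t *mem)
{
    if ((c->cs & 3) != 3 || mem[c->eip] != 0x0F || mem[c->eip + 1] != 0x31) return 0;
    c->eax = c->edx = 0;
    c->eip += 2;
    return 1;
}

/* One instruction of a tiny model (RDTSC, NOP, JMP rel8). A fault aborts the
 * instruction, so no single-step trap follows it; a completed instruction under
 * TF reports EV_SSTEP, which is where a debugger regains control. */
enum event step(struct cpu *c, const uint8_t *mem)
{
    uint8_t op = mem[c->eip];
    if (op == 0x0F && mem[c->eip + 1] == 0x31) {                  /* rdtsc */
        if (c->cr4_tsd && (c->cs & 3) != 0)
            return gp_hook(c, mem) ? EV_GP_FAKED : EV_GP_REAL;
        c->eax = 0x12345678; c->edx = 1;                          /* constructed TSC */
        c->eip += 2;
    } else if (op == 0x90) c->eip += 1;                           /* nop */
    else if (op == 0xEB) c->eip += 2 + (int8_t)mem[c->eip + 1];   /* jmp rel8 */
    else return EV_GP_REAL;                                       /* not modelled */
    return (c->eflags & TF) ? EV_SSTEP : EV_NONE;
}

/* Constructed snippet from the text: rdtsc; nop; jmp $ (runs at CPL3 with TSD=1). */
static const uint8_t demo_code[] = { 0x0F, 0x31, 0x90, 0xEB, 0xFE };
/* Single-step from eip 0 with TF set; returns the EIP where the debugger stops. */
uint32_t demo_stop_eip(uint32_t cs)
{
    struct cpu c = { 0, 0, 0, cs, 0x202 | TF, 1 };
    enum event e;
    do {
        e = step(&c, demo_code);
        printf("eip=%u eax=%u edx=%u event=%d\n", c.eip, c.eax, c.edx, (int)e);
    } while (e == EV_GP_FAKED || e == EV_NONE);
    return c.eip;
}
int main(void) { return demo_stop_eip(0x1B) == 3 ? 0 : 1; }       /* stops at the jmp */
```

With cs = 0x1B (CPL3) the trace ends at eip 3, the jmp, with edx:eax = 0; with a ring-0 selector the rdtsc is not trapped and the step stops right after it.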
That's it...

                                With faith in God, deroko/ARTeam
                                http://cracking.accessroot.com
                                
PS. As you can see, this is a nice trick: single-step over rdtsc and edx:eax
will be set to 0 without any exception.

IDT listing with int0D now pointing into the hooking driver:

000B  IntG32   0008:804E12CA  DPL=0  P   _KiTrap0B
000C  IntG32   0008:804E1530  DPL=0  P   _KiTrap0C
000D  IntG32   0008:F8C2D3FE  DPL=0  P   ring0!.text+017E
000E  IntG32   0008:804E1F25  DPL=0  P   _KiTrap0E
000F  IntG32   0008:804E225A  DPL=0  P   _KiTrap0F