{"id":20745749,"url":"https://github.com/hyperdbg/trm-results","last_synced_at":"2026-02-27T19:03:42.485Z","repository":{"id":211696124,"uuid":"721571729","full_name":"HyperDbg/TRM-results","owner":"HyperDbg","description":"General evaluation results of TRM (The Reversing Machine)","archived":false,"fork":false,"pushed_at":"2024-10-04T14:28:21.000Z","size":18873,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-24T06:49:02.351Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HyperDbg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-21T10:39:53.000Z","updated_at":"2024-10-04T14:28:26.000Z","dependencies_parsed_at":"2024-04-24T06:47:50.694Z","dependency_job_id":"37c68163-fcc0-45cc-8d7d-bf2771b6b13a","html_url":"https://github.com/HyperDbg/TRM-results","commit_stats":null,"previous_names":["hyperdbg/trm-results"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HyperDbg%2FTRM-results","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HyperDbg%2FTRM-results/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HyperDbg%2FTRM-results/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HyperDbg%2FTRM-results/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HyperDbg","download_u
rl":"https://codeload.github.com/HyperDbg/TRM-results/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250580712,"owners_count":21453531,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T07:22:29.707Z","updated_at":"2026-02-27T19:03:42.480Z","avatar_url":"https://github.com/HyperDbg.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TRM-results\n\nThis repository contains different results for the TRM (The Reversing Machine) paper.\n\n## The compiled version of code (Compilation)\n\nThis directory contains compilations of example codes using different compilers and architecture (x86, x64).\n\nThe compilers are listed below:\n\n| Compiler              | Architecture |\n|-----------------------|--------------|\n| Intel oneAPI C++      | x86/x64      |\n| LLVM-clang            | x86/x64      |\n| Microsoft MSVC        | x86/x64      |\n| PellesC               | x64          |\n| TDM-GCC               | x86/x64      |\n| TinyCC                | x86/x64      |\n\n## Different forms of memory allocations (DifferentUserMemoryAllocations)\n\nThis directory contains code that uses different functions/methods for allocating memory.\n\n| Function Name      | Category               |\n|--------------------|------------------------|\n| `malloc`           | Standard C Library     |\n| `calloc`           | Standard C Library     |\n| `realloc`          | Standard C Library     |\n| `LocalAlloc`       | Windows API            |\n| `GlobalAlloc`      | Windows API      
      |\n| `VirtualAlloc`     | Windows API            |\n| `MapViewOfFile`    | Windows API            |\n| `HeapAlloc`        | Windows API            |\n| `CoTaskMemAlloc`   | COM Memory Allocator   |\n\n\n## Malware evasion techniques (In-memory)\n\nThis directory contains different implementations of malware evasion techniques (using an obfuscated version of [mimikatz](https://github.com/gentilkiwi/mimikatz) as the payload).\n\n| Technique                          | Detail Ref.                            |\n|------------------------------------|----------------------------------------|\n| APC Code Injection                 | ***                                    |\n| Early bird APC Code Injection      | (CreateProcessA -\u003e WriteProcessMemory -\u003e QueueUserAPC -\u003e ResumeThread) |\n| Process Injection                  | (OpenProcess -\u003e VirtualAllocEx -\u003e WriteProcessMemory -\u003e CreateRemoteThread, NtCreateThreadEx, or RtlCreateUserThread) |\n| Load PE From Resource              | (FindResource -\u003e SizeofResource -\u003e LoadResource -\u003e VirtualAlloc) |\n| Reflective DLL Injection           | ***                                    |\n| Module Stomping                    | ***                                    |\n| Process Hollowing                  | ***                                    |\n| Process Doppelgänging              | ***                                    |\n| Transacted Hollowing               | ***                                    |\n| Process Herpaderping               | ***                                    |\n| Process Ghosting                   | ***                                    |\n| Phantom DLL Hollowing              | ***                                    |\n| Custom XOR Encoder/Decoder         | Custom Encoder/Decoder                 |\n| Process Reimaging                  | ***                                    |\n| Module Execution Through Fibers    | (ConvertThreadToFiber -\u003e VirtualAlloc -\u003e 
CreateFiber) |\n| Module Execution Through Thread Pool | (CreateEvent -\u003e VirtualAlloc -\u003e CreateThreadpoolWait -\u003e SetThreadpoolWait) |\n| Window Hooking                     | (LoadLibraryA -\u003e GetProcAddress -\u003e SetWindowsHookEx) |\n| Map View of Section                | (NtCreateSection -\u003e NtMapViewOfSection -\u003e RtlCreateUserThread) |\n\n***: Discussed comprehensively in the paper.\n\n## Longest Common Memory Address Pattern (LCMAP)\n\nThe implementation of the proposed Longest Common Memory Address Pattern (LCMAP) algorithm, discussed in the paper. Note the indexing: `P` and `P'` are 0-indexed, while `D` is 1-indexed with a zero border in row 0 and column 0 so that `D[i-1, j-1]` is always defined; the `near` alignment predicate is not spelled out in this README.\n\n```plaintext\nfunction findLCMAP(P, P', tau)\n    input:\n        P   // First memory address pattern\n        P'  // Second memory address pattern\n        tau // Memory alignment threshold\n    output:\n        Result // LCMAP of the input patterns\n\n    m, n \u003c- len(P), len(P')           // Sizes of the input patterns\n    D \u003c- zeros(m+1, n+1)                    // (m+1) x (n+1) zero matrix; row 0 and column 0 stay zero\n\n    for i from 1 to m do\n        for j from 1 to n do\n            if near(P[i-1], P'[j-1], tau) then\n                D[i, j] \u003c- D[i-1, j-1] + 1  // Signature matched\n            else\n                D[i, j] \u003c- 0                // Signature not matched\n\n    L \u003c- max(D)                             // Length of the LCMAP\n    I \u003c- min{i | D[i, j] = L}               // Smallest row index at which a run of length L ends\n    Result \u003c- [P[I-L], ..., P[I-1]]         // The LCMAP (0-indexed slice of P ending at P[I-1]; empty when L = 0)\n    return Result\n```\n\n## Reconstruction of `nt!_EPROCESS` (StructureReconstruction)\n\nThis directory contains an example of a reconstructed kernel-mode structure (`nt!_EPROCESS`) along with the actual structure retrieved from the Microsoft public symbol server.\n\n## Sequence Interpreter (sequence-interpreter)\n\nThis directory contains the source of the memory access sequence interpreter (based on logs gathered from TRM).\n\n## CPUID Prime+Probe (CpuidPrimeAndProbe)\n\nThis directory contains the 
source of the counting-thread timing technique used to detect the presence of a hypervisor without relying on any timing instruction that a hypervisor can intercept with a VM-exit (e.g., RDTSC/RDTSCP).\n\n## Performance artifacts (perf-artifacts)\n\nThis directory contains the code used for the performance comparison in the paper.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhyperdbg%2Ftrm-results","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhyperdbg%2Ftrm-results","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhyperdbg%2Ftrm-results/lists"}
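The LCMAP pseudocode in the README above is the one substantive algorithm on this page. The following is an added worked example, written here in C (the repository's language) and not taken from the TRM-results repository or the paper. Because the README does not define `near`, this example assumes it means the two addresses differ by at most `tau` bytes; the two address patterns are constructed for illustration and are not TRM logs. It uses the (m+1) x (n+1) zero-bordered matrix and the 0-indexed slice `P[I-L .. I-1]` so the recurrence `D[i,j] = D[i-1,j-1] + 1` is always well defined.

```c
/*
 * Added example (not code from the TRM-results repository): a C implementation
 * of the LCMAP pseudocode from the README. The README does not define near();
 * here it is assumed to mean |a - b| <= tau. The sample address patterns below
 * are constructed for illustration and are not taken from TRM logs.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t addr_t;

/* Assumed alignment predicate: addresses match if they differ by at most tau bytes. */
static int near_addr(addr_t a, addr_t b, addr_t tau)
{
    return (a > b ? a - b : b - a) <= tau;
}

/*
 * LCMAP of p[0..m) and q[0..n) under threshold tau.
 * D is (m+1) x (n+1): row 0 and column 0 stay zero so that
 * D[i][j] = D[i-1][j-1] + 1 never reads out of bounds.
 * Returns the run length L. If out != NULL, *out receives the L matched
 * addresses of p (caller frees; NULL when L == 0). I is the smallest row
 * index at which a run of length L ends, matching min{i | D[i,j] = L}.
 */
static size_t find_lcmap(const addr_t *p, size_t m, const addr_t *q, size_t n,
                         addr_t tau, addr_t **out)
{
    size_t cols = n + 1, L = 0, I = 0;
    size_t *D = calloc((m + 1) * cols, sizeof *D);
    if (out) *out = NULL;
    if (!D) return 0;

    for (size_t i = 1; i <= m; i++) {
        for (size_t j = 1; j <= n; j++) {
            size_t *cell = &D[i * cols + j];
            if (near_addr(p[i - 1], q[j - 1], tau)) {
                *cell = D[(i - 1) * cols + (j - 1)] + 1;   /* signature matched */
                if (*cell > L) { L = *cell; I = i; }      /* strict '>' keeps the smallest i */
            } else {
                *cell = 0;                                /* signature not matched */
            }
        }
    }
    free(D);

    if (out && L) {
        *out = malloc(L * sizeof **out);
        if (*out) memcpy(*out, &p[I - L], L * sizeof **out);  /* P[I-L .. I-1], 0-indexed */
    }
    return L;
}

/* Constructed sample patterns: the same 8-byte-stride access loop seen in two
 * traces at a 4-byte offset, surrounded by unrelated accesses. */
static const addr_t SAMPLE_P[] = { 0x1000, 0x1008, 0x1010, 0x2000, 0x2008, 0x2010, 0x2018 };
static const addr_t SAMPLE_Q[] = { 0x3000, 0x2004, 0x200c, 0x2014, 0x201c, 0x5000 };
#define SAMPLE_M (sizeof SAMPLE_P / sizeof *SAMPLE_P)
#define SAMPLE_N (sizeof SAMPLE_Q / sizeof *SAMPLE_Q)

/* Length of the LCMAP of the sample patterns for a given tau. */
size_t sample_lcmap_len(addr_t tau)
{
    return find_lcmap(SAMPLE_P, SAMPLE_M, SAMPLE_Q, SAMPLE_N, tau, NULL);
}

/* k-th address of the sample LCMAP, or 0 when k is out of range. */
addr_t sample_lcmap_addr(addr_t tau, size_t k)
{
    addr_t *res = NULL;
    size_t L = find_lcmap(SAMPLE_P, SAMPLE_M, SAMPLE_Q, SAMPLE_N, tau, &res);
    addr_t a = (res && k < L) ? res[k] : 0;
    free(res);
    return a;
}

int main(void)
{
    addr_t *res = NULL;
    size_t L = find_lcmap(SAMPLE_P, SAMPLE_M, SAMPLE_Q, SAMPLE_N, 8, &res);
    printf("LCMAP length %zu:", L);
    for (size_t k = 0; k < L; k++) printf(" 0x%llx", (unsigned long long)res[k]);
    printf("\n");
    free(res);
    return 0;
}
```

With `tau = 8` the example recovers the four-address run `0x2000 0x2008 0x2010 0x2018` from the first pattern even though the second trace observed every access 4 bytes later; with `tau = 0` (exact match) or `tau = 3` nothing aligns and the result is empty. That threshold is the knob that decides whether ASLR-shifted or differently padded allocations still count as the same access pattern.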