Friday, December 6, 2013

VM Code protection benchmark

After having seen a discussion on /r/ReverseEngineering/ regarding the number of executed instructions in applications protected by popular code virtualization tools, I've decided to benchmark the execution time. The benchmarked application has been protected with CodeVirtualizer, VMProtect and Themida. All three of them have been tested with the lightest and the most complex VM settings. I will benchmark x86obf when it's finished and Enigma Protect if I ever decide to get a license for it.

I wanted to benchmark virtualization of arithmetic/logical operations, and of floating point operations as well. The benchmark tool is nothing fancy and could probably have been better, but I think it's enough for a general view of the speeds. The arithmetic/logical test is an MD5 computation, and the floating point test is a loop of some floating point math which makes no real sense.

This is the test application's source code: http://pastie.org/8534270

All three protection tools have been tested with the lightest VM settings available and also with the most complex configuration. Anti-debugging, packing, anti-dumping and other protection options have been disabled. Below is an image showing the results of the benchmark. The slowdown column tells how many times slower the virtualized code was compared to native code with no protection. The commas are there for easier reading; they are not decimal separators (1,329 means 1329 times slower).