Antivirus dynamic shell code execution

[rickshaw5724]

Environment

NetMQ Version:    4.0.1.13
Operating System: Windows 10
.NET Version:     .Net 6

Expected behavior

I would like to be able to have an option to force the NetMQ.Core.Utils.Clock's s_rdtscSupported to false, and therefore always fall back to using Stopwatch.GetTimestamp. As an idea add this Boolean:

public class SocketOptions
{
        /// <summary>
        /// If set, the time stamp counter is not read directly through opcode injection, rather
        /// <see cref="System.Diagnostics.Stopwatch.GetTimestamp"/> is used.
        /// </summary>
        public static bool DoNotUseRDTSC;

Then in Opcode.Open

        public static bool Open()
        {
            if (SocketOptions.DoNotUseRDTSC)
                return false;

Actual behavior

The method of injecting opcode into memory and invoking it to read the time stamp counter is being detected as dynamic shellcode by some anti-malware such as Sophos. When detected, the process executing the code is terminated. The detection as malware occurs when the Opcode.Open method is called and the s_codeBuffer is allocated with EXECUTE_READWRITE.

Steps to reproduce the behavior

Bind a publish socket to a tcp URL when running on a system protected by Sophos. Unfortunately, my companies corporate IT has deployed this feature everywhere and I can't argue it is able to detect actual malware scenarios. But I have a large engineering community where ZeroMQ is going to become more prevalent.

[drewnoakes]

Sounds reasonable. Can you submit a PR?

[rickshaw5724]

Sure, just submitted one.

[drewnoakes]

1072