timwhitez starred SleepKiller
2022-9-24 10:1:19 Author: github.com(查看原文) 阅读量:31 收藏

  • one of common evasion techniques that used by malwares is delays its basically delaying execution of malicious behavior in order to evade sandboxes and analysts , it can be very annoying to wait for the malware to do the full execution also analysing it in sandboxes can give you false result because sandboxes are programmed to simply wait and watch for a period of time this is why i made this program .
  • Sleep Suspends the current thread until the specified condition is met. Execution resumes when one of the following occurs:

    • An I/O completion callback function is called.

    • An asynchronous procedure call (APC) is queued to the thread.

    • The time-out interval elapses.

  • it takes 1 parameter DWORD that represent dwMilliseconds or how many Milliseconds to wait and it doesnt return a value .

    image

  • whenever Sleep gets called it will jump to SleepEx from kernel32.dll to perform the execution its like a wrapper around SleepEx

    image

  • first we patch Sleep and NOP the jump then return instantly so no delay performed .

    • Before

      image

    • After

      image

  • malware may check to see if time was accelerated by getting the timestamp before and after the sleep then compare it ,if the malware gets false calculation, then the malware knows its get patched this trick i will make a bypass for it in the next updates.

文章来源: https://github.com/ZeroMemoryEx/SleepKiller
如有侵权请联系:admin#unsafe.sh