PoC for a new sleep obfuscation technique (based on Ekko) leveraging waitable timers to RC4 encrypt the current process and change the permissions from RW to RX to evade memory scanners.
A more detailed explanation will be available in the blog post.
To use it, all you have to do is to include Cronos in your project and use it like so:
#include "Cronos.h"
int main() {
int timesToExecute = 1337;
int seconds = 10;
for (int i = 0; i < timesToExecute; i++) {
CronosSleep(seconds);
// YOUR CODE HERE!
}
}To compile it you will need:
After you have all of the above, navigate to the project's directory and build it with the makefile, the EXE will be in the bin directory.
-
- Run install_script.bat
-
Add NASMPATH environment variable
- NASMPATH=C:\Users<user>\AppData\Local\bin\NASM\
-
Open Visual Studio & Configure Settings
- Tools > Options > Projects and Solutions > VC++ Project Settings > Build Customization Search Path
- Set to %NASMPATH%;0
-
You can also install the AsmDude extension for syntax highlighting into .ASM files.
Thanks a lot to those people that contributed to this project: