Sleeping DLL beauties

February 4, 2020 in Random ideas, Silly, Undocumented Windows Internals

How do we sleep?

We do one of these:

  • kernel32/kernelbase ! Sleep
  • kernel32/kernelbase ! SleepEx
  • ntdll ! ZwDelayExecution

but… not only.

Windows 10 offers more libs with more sleeping goodness:

  • staterepository.core.dll ! sqlite3_win32_sleep
  • winsqlite3.dll ! sqlite3_win32_sleep
  • a number of tools ship their own copies too, e.g. Visual Studio gives you e_sqlite3.dll ! sqlite3_win32_sleep and Python gives you sqlite3.dll ! sqlite3_win32_sleep

These are actually identical SQLite functions exported by various libraries.

And then you may have LibreSSL on your system (c:\windows\system32\libcrypto.dll), so you can use:

  • libcrypto.dll ! sleep

All of them can be used as a lame anti-sandbox/anti-analysis alternative to the traditional delay functions listed at the top of the post. They also work as a random, but very long, delay that replaces a never-ending loop in batch files, or, if you are lucky, even the classic ping 127.0.0.1 trick.

How?

By executing these APIs via rundll32:

  • start /wait rundll32 kernel32.dll, Sleep
  • start /wait rundll32 kernelbase.dll, Sleep
  • start /wait rundll32 kernel32.dll, SleepEx
  • start /wait rundll32 kernelbase.dll, SleepEx
  • start /wait rundll32 staterepository.core.dll, sqlite3_win32_sleep
  • start /wait rundll32 winsqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 sqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 e_sqlite3.dll, sqlite3_win32_sleep
  • start /wait rundll32 libcrypto.dll, sleep

In these cases the functions receive whatever rundll32 hands over as the first parameter of its documented entry-point prototype (HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow), i.e. the handle of rundll32's own window, so the delay is a pretty high, kinda random number of milliseconds (on 32-bit it really is read off the stack). libcrypto's sleep is the POSIX one, so there the same number counts as seconds. Keep in mind that sqlite3_win32_sleep and libcrypto's sleep are thin wrappers around Sleep underneath, so this mostly sidesteps command-line and import-table based detection rather than API hooks inside the process. But it's not about logic, is it? 😉
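As an added example (not part of the original post), here is how a detection engineer could hunt for this trick in process-creation telemetry. It parses the DLL and entry point out of a rundll32 command line and flags the sleep-style exports listed above no matter which DLL they come from (a renamed or tool-bundled SQLite still exports sqlite3_win32_sleep). The event dicts, their field names and the sample command lines are constructed for this example and do not follow any particular product's schema.

```python
"""Hunt for rundll32 invocations of sleep-style exports.

Added example, not code from the original post. Event format is a constructed
dict per process-creation event with 'pid', 'parent_image', 'image' and
'command_line' keys; map it to Sysmon EID 1 / Windows 4688 fields as needed.
"""
import re

# Entry-point names from the post, matched case-insensitively against the
# export rundll32 was asked to run. The DLL name deliberately does not matter.
SLEEP_EXPORTS = {
    "sleep": "kernel32/kernelbase Sleep or LibreSSL libcrypto POSIX sleep",
    "sleepex": "kernel32/kernelbase SleepEx",
    "sqlite3_win32_sleep": "SQLite sqlite3_win32_sleep (any sqlite-bearing DLL)",
}

# rundll32 syntax is "<dll>,<entry>"; it tolerates whitespace around the comma,
# the image may be a bare name or a full (possibly quoted) path, and the DLL
# itself may be quoted when its path contains spaces.
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))\s*,\s*(?P<entry>[^\s,]+)',
    re.IGNORECASE,
)


def parse_rundll32(command_line):
    """Return (dll_basename_lowercase, entry_point) or None if not a rundll32 call."""
    m = RUNDLL_RE.match(command_line)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    dll_name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return dll_name, m.group("entry")


def classify(command_line):
    """Return a hit dict when the command line runs a sleep-style export, else None."""
    parsed = parse_rundll32(command_line)
    if parsed is None:
        return None
    dll, entry = parsed
    reason = SLEEP_EXPORTS.get(entry.lower())
    if reason is None:
        return None
    return {"dll": dll, "entry": entry, "reason": reason}


def hunt(events):
    """Run classify() over process-creation events whose image is rundll32.exe."""
    hits = []
    for ev in events:
        image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image != "rundll32.exe":
            continue
        verdict = classify(ev["command_line"])
        if verdict:
            hits.append({**verdict, "pid": ev["pid"], "parent": ev["parent_image"]})
    return hits


# Constructed sample telemetry: three sleep tricks from the post (note that
# "start /wait" is a cmd builtin and never appears in rundll32's own command
# line), one benign rundll32 use, and one unrelated ping delay.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32 kernel32.dll, Sleep"},
    {"pid": 4136, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Windows\System32\winsqlite3.dll",sqlite3_win32_sleep'},
    {"pid": 4150, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32 libcrypto.dll, sleep"},
    {"pid": 4160, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 4170, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ping.exe",
     "command_line": "ping 127.0.0.1 -n 60"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} ({hit['parent']}): {hit['dll']},{hit['entry']} -> {hit['reason']}")
```

Matching on the export name rather than the DLL is the point: the same sqlite3_win32_sleep export rides along in staterepository.core.dll, winsqlite3.dll, e_sqlite3.dll and sqlite3.dll, and a DLL copied to a new name keeps its export table. Expect some tuning for the plain "sleep" entry if your environment has legitimate automation calling it.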
