How do we sleep?
We do one of these:
- kernel32/kernelbase ! Sleep
- kernel32/kernelbase ! SleepEx
- ntdll ! ZwDelayExecution
but not only these.
Windows 10 offers more libs with more sleeping goodness:
- staterepository.core.dll ! sqlite3_win32_sleep
- winsqlite3.dll ! sqlite3_win32_sleep
- a number of tools ship their own copy, e.g. Visual Studio provides e_sqlite3.dll ! sqlite3_win32_sleep and Python provides sqlite3.dll ! sqlite3_win32_sleep
These are all the same SQLite function, just exported by different libraries.
And then you may have LibreSSL on your system (c:\windows\system32\libcrypto.dll), so you can use:
- libcrypto.dll ! sleep
All of them can be used as a lame anti-sandbox/anti-analysis alternative to the traditional delay functions listed at the top of the post, or as a random but very long delay in batch files, replacing a never-ending loop or, if you are lucky, maybe even ping 127.0.0.1.
How?
By executing these APIs via rundll32:
- start /wait rundll32 kernel32.dll, Sleep
- start /wait rundll32 kernelbase.dll, Sleep
- start /wait rundll32 kernel32.dll, SleepEx
- start /wait rundll32 kernelbase.dll, SleepEx
- start /wait rundll32 staterepository.core.dll, sqlite3_win32_sleep
- start /wait rundll32 winsqlite3.dll, sqlite3_win32_sleep
- start /wait rundll32 sqlite3.dll, sqlite3_win32_sleep
- start /wait rundll32 e_sqlite3.dll, sqlite3_win32_sleep
- start /wait rundll32 libcrypto.dll, sleep
In these cases the argument passed to the function will be a pretty high number (taken from the stack, so more or less random), but it's not about logic, is it? 😉
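From the detection side, the pattern above (rundll32 given a module and one of the sleep-like exports) is easy to pick out of process-creation command lines. The following Python is an added example, not part of the original post: it parses constructed command lines and flags the ones calling a delay export listed here; the regex, the SLEEP_EXPORTS set and the sample lines are my assumptions.

```python
import re

# Delay-capable exports named in the post (matched case-insensitively).
# The underlying routine is the same whichever module exports it.
SLEEP_EXPORTS = {"sleep", "sleepex", "zwdelayexecution", "sqlite3_win32_sleep"}

# Assumed shape of a rundll32 command line: an optional "start /wait" prefix,
# an optional path to rundll32[.exe], the module, then the export separated
# from it by a comma and/or whitespace. Quotes are stripped before matching.
_RUNDLL32_RE = re.compile(
    r"^\s*(?:start\s+(?:/wait\s+)?)?"       # optional cmd.exe "start /wait"
    r"(?:\S*[\\/])?rundll32(?:\.exe)?\s+"   # rundll32, possibly with a path
    r"(?P<dll>[^,\s]+)"                     # module name or path
    r"(?:\s*,\s*|\s+)"                      # "dll, export" or "dll export"
    r"(?P<export>[\w#@]+)",                 # export name (or #ordinal)
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> "tuple[str, str] | None":
    """Return (module, export) for a rundll32 command line, else None."""
    m = _RUNDLL32_RE.match(cmdline.replace('"', ""))
    if not m:
        return None
    module = m.group("dll").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return module, m.group("export")


def is_rundll32_sleep(cmdline: str) -> bool:
    """True when rundll32 is used to call one of the delay exports above."""
    parsed = parse_rundll32(cmdline)
    return parsed is not None and parsed[1].lower() in SLEEP_EXPORTS


def flag_sleep_invocations(cmdlines: list) -> list:
    """Filter process-creation command lines down to the suspicious ones."""
    return [c for c in cmdlines if is_rundll32_sleep(c)]


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "start /wait rundll32 kernel32.dll, Sleep",
    "start /wait rundll32 winsqlite3.dll, sqlite3_win32_sleep",
    r"C:\Windows\System32\rundll32.exe libcrypto.dll,sleep",
    "rundll32.exe shell32.dll,Control_RunDLL",   # ordinary use, not a delay
    "ping 127.0.0.1",                             # classic batch-file delay
]

if __name__ == "__main__":
    for line in flag_sleep_invocations(SAMPLE_CMDLINES):
        print("suspicious delay via rundll32:", line)
```

Full paths to rundll32 and to the module are normalised, so a rule built on this survives the usual path and case variations seen in telemetry.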