How do we sleep?<\/p>\n\n\n\n
We do one of these:<\/p>\n\n\n\n
but… not only.<\/p>\n\n\n\n
Windows 10 offers more libs with more sleeping goodness:<\/p>\n\n\n\n
These are actually identical SQLite functions exported by various libraries. <\/p>\n\n\n\n
And then you may have LibreSSL on your system (c:\\windows\\system32\\libcrypto.dll), so you can use:<\/p>\n\n\n\n
All of them can be used as a lame anti-sandbox\/anti-analysis alternative to traditional delay functions listed at the top of the post. And as a random, but lasting very long delay replacing a never ending loop in batch files, or if lucky, maybe even ping 127.0.0.1. <\/p>\n\n\n\n
How? <\/p>\n\n\n\n
By executing these APIs via rundll32:<\/p>\n\n\n\n
In these cases the argument to functions will be pretty high numbers (taken from stack and kinda random), but it’s not about logic, is it? \ud83d\ude09<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
How do we sleep? We do one of these: kernel32\/kernelbase ! Sleep kernel32\/kernelbase ! SleepEx ntdll ! ZwDelayExecution but… not only. Windows 10 offers more libs with more sleeping goodness: staterepository.core.dll ! sqlite3_win32_sleep winsqlite3.dll ! sqlite3_win32_sleep number of tools e.g. … Continue reading