diff --git a/README.md b/README.md
index 34293c5..d1bacb1 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - SetTimer (Standard Windows Timers)
 - timeSetEvent (Multimedia Timers)
 - WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
-- WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
+- WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects
 - IcmpSendEcho (CCleaner Malware)
 - CreateWaitableTimer
 - CreateTimerQueueTimer
@@ -279,13 +279,14 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 ### Anti-Analysis
 - **Processes**
- - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Enigne
+ - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Engine
 - SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
 - Wireshark / Dumpcap / Fiddler / Http Debugger
 - ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
 - ImportREC / PETools / LordPE
 - JoeBox Sandbox
 - Resource Hacker
+ - Frida
 ### Anti-Disassembly
 - Jump with constant condition
diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
index 9895fbf..e05c92d 100644
--- a/al-khaser/Al-khaser.cpp
+++ b/al-khaser/Al-khaser.cpp
@@ -328,6 +328,7 @@ int main(int argc, char* argv[])
 exec_check(timing_SetTimer, delayInMillis, TEXT("Delaying execution using SetTimer ..."));
 exec_check(timing_timeSetEvent, delayInMillis, TEXT("Delaying execution using timeSetEvent ..."));
 exec_check(timing_WaitForSingleObject, delayInMillis, TEXT("Delaying execution using WaitForSingleObject ..."));
+ exec_check(timing_WaitForMultipleObjects, delayInMillis, TEXT("Delaying execution using WaitForMultipleObjects ..."));
 exec_check(timing_IcmpSendEcho, delayInMillis, TEXT("Delaying execution using IcmpSendEcho ..."));
 exec_check(timing_CreateWaitableTimer, delayInMillis, TEXT("Delaying execution using CreateWaitableTimer ..."));
 exec_check(timing_CreateTimerQueueTimer, delayInMillis, TEXT("Delaying execution using CreateTimerQueueTimer ..."));
diff --git a/al-khaser/AntiAnalysis/process.cpp b/al-khaser/AntiAnalysis/process.cpp
index 25377bf..4c70ebd 100644
--- a/al-khaser/AntiAnalysis/process.cpp
+++ b/al-khaser/AntiAnalysis/process.cpp
@@ -43,6 +43,8 @@ VOID analysis_tools_process()
 _T("cheatengine-i386.exe"), // Cheat Engine
 _T("cheatengine-x86_64.exe"), // Cheat Engine
 _T("cheatengine-x86_64-SSE4-AVX2.exe"), // Cheat Engine
+ _T("frida-helper-32.exe"), // Frida
+ _T("frida-helper-64.exe"), // Frida
 };
 WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
diff --git a/al-khaser/TimingAttacks/timing.cpp b/al-khaser/TimingAttacks/timing.cpp
index 431c591..1614c0f 100644
--- a/al-khaser/TimingAttacks/timing.cpp
+++ b/al-khaser/TimingAttacks/timing.cpp
@@ -117,6 +117,35 @@ BOOL timing_WaitForSingleObject(UINT delayInMillis)
 return FALSE;
 }
+BOOL timing_WaitForMultipleObjects(UINT delayInMillis) {
+ HANDLE hThread;
+ DWORD i, dwEvent, dwThreadID;
+
+ // Create two event objects
+
+ for (i = 0; i < 2; i++)
+ {
+ ghEvents[i] = CreateEvent(
+ NULL, // default security attributes
+ FALSE, // auto-reset event object
+ FALSE, // initial state is nonsignaled
+ NULL); // unnamed object
+
+ if (ghEvents[i] == NULL)
+ {
+ print_last_error(_T("CreateEvent"));
+ return TRUE;
+ }
+ }
+
+ dwEvent = WaitForMultipleObjects(
+ 2, // number of objects in array
+ ghEvents, // array of objects
+ FALSE, // wait for any object
+ delayInMillis); // delay in milliseconds
+
+ return FALSE;
+}
 BOOL timing_sleep_loop (UINT delayInMillis) {
diff --git a/al-khaser/TimingAttacks/timing.h b/al-khaser/TimingAttacks/timing.h
index 7b18084..4523d21 100644
--- a/al-khaser/TimingAttacks/timing.h
+++ b/al-khaser/TimingAttacks/timing.h
@@ -4,6 +4,7 @@ BOOL timing_SetTimer(UINT delayInMillis);
 BOOL timing_NtDelayexecution(UINT delayInMillis);
 BOOL timing_timeSetEvent(UINT delayInMillis);
 BOOL timing_WaitForSingleObject(UINT delayInMillis);
+BOOL timing_WaitForMultipleObjects(UINT delayInMillis);
 BOOL timing_sleep_loop(UINT delayInMillis);
 BOOL rdtsc_diff_locky();
 BOOL rdtsc_diff_vmexit();
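Review bot: The two event handles created in the CreateEvent loop of timing_WaitForMultipleObjects are never closed, so every call leaks two kernel objects, and a failure on the second CreateEvent additionally leaks the first one through the early `return TRUE;`. `hThread` and `dwThreadID` are declared but never used, and `dwEvent` is assigned but never inspected, so a `WAIT_FAILED` result (for example from an invalid handle) goes unreported while the function still returns FALSE as if the full delay had elapsed. `ghEvents` is not declared in this hunk; it presumably is a file-scope `HANDLE[2]`, in which case a function-local array would avoid sharing state between checks. I would drop the unused locals, check the wait result, and release both handles on every path, as sketched below; timing_sleep_loop's body continues outside the hunk.
```cpp
BOOL timing_WaitForMultipleObjects(UINT delayInMillis) {
	DWORD i, dwEvent;
	BOOL bResult = FALSE;

	// … unchanged: CreateEvent loop filling ghEvents[0..1], with `return TRUE;` replaced by `bResult = TRUE; break;` …

	if (bResult == FALSE)
	{
		dwEvent = WaitForMultipleObjects(2, ghEvents, FALSE, delayInMillis);
		if (dwEvent == WAIT_FAILED)
			print_last_error(_T("WaitForMultipleObjects"));
	}

	// Release whatever was created, on every path
	for (i = 0; i < 2; i++)
	{
		if (ghEvents[i] != NULL)
		{
			CloseHandle(ghEvents[i]);
			ghEvents[i] = NULL;
		}
	}

	return bResult;
}
```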