- one of common evasion techniques that used by malwares is delays its basically delaying execution of malicious behavior in order to evade sandboxes and analysts , it can be very annoying to wait for the malware to do the full execution also analysing it in sandboxes can give you false result because sandboxes are programmed to simply wait and watch for a period of time this is why i made this program .
-
SleepSuspends the current thread until the specified condition is met. Execution resumes when one of the following occurs:-
An I/O completion callback function is called.
-
An asynchronous procedure call (APC) is queued to the thread.
-
The time-out interval elapses.
-
-
it takes 1 parameter
DWORDthat representdwMillisecondsor how many Milliseconds to wait and it doesnt return a value .
-
whenever
Sleepgets called it will jump toSleepExfromkernel32.dllto perform the execution its like a wrapper aroundSleepEx
-
first we patch
SleepandNOPthe jump then return instantly so no delay performed .-
Before
-
After
-
- malware may check to see if time was accelerated by getting the timestamp before and after the sleep then compare it ,if the malware gets false calculation, then the malware knows its get patched this trick i will make a bypass for it in the next updates.