Cronos

This project was co-authored by

Description

PoC for a new sleep obfuscation technique (based on Ekko) leveraging waitable timers to RC4 encrypt the current process and change the permissions from RW to RX to evade memory scanners.

A more detailed explanation will be available in the blog post (COMING SOON).

Usage

To use it, all you have to do is to include Cronos in your project and use it like so:

#include "Cronos.h"

int main() {
    int timesToExecute = 1337;
    int seconds = 10;

    for (int i = 0; i < timesToExecute; i++) {
        CronosSleep(seconds);

        // YOUR CODE HERE!
    }
}

Setup

To compile it you will need:

• NASM
• make
• VisualStudio Compiler

After you have all of the above, navigate to the project’s directory and build it with the makefile, the EXE will be in the bin directory.

Visual Studio Setup

• VSNASM

  • Run install_script.bat

• Add NASMPATH environment variable

  • NASMPATH=C:\Users<user>\AppData\Local\bin\NASM\

• Open Visual Studio & Configure Settings

  • Tools > Options > Projects and Solutions > VC++ Project Settings > Build Customization Search Path
  • Set to %NASMPATH%;0

• You can also install AsmDude extension for syntax highlighting into .asm files.

Contributors

Thanks a lot to those people that contributed to this project:

• Orca

• Xenov-X

Resources

• Ekko
• DeathSleep
• Waitable Timers

原文始发于GitHub：Cronos：一种对抗内存扫描的新的睡眠时混淆技术