/*
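* This technique measures the actual time that elapses across a sleep call. Malware calls a function
* like Sleep(10000) to pause for 10 seconds. Automated sandboxes often accelerate or "fast-forward" through
* such delays to speed up analysis. By reading the real-world clock before and after the sleep, malware
* can detect a significant discrepancy: if the measured time is far less than requested, it indicates a
* sandbox environment. For analysts, the clock read / long sleep / clock read sequence followed by an
* early exit is itself a behavioural indicator, and a sandbox that shortens delays needs to advance the
* clocks a sample can read by the same amount to stay consistent.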
*/
#include <windows.h>
#include <stdio.h>
/*
 * Demonstrates the sleep-timing check described in the file header: a fixed
 * Sleep() is bracketed by two high-resolution performance-counter samples and
 * the measured duration is compared with the requested one.
 *
 * Returns 1 when the measured delay is below 80% of the request (reported as
 * a likely accelerated sandbox), and 0 otherwise.
 *
 * Analysis note: the only inputs to the verdict are Sleep() and the
 * performance counter, so an analysis environment that shortens the delay
 * while leaving the counter untouched produces exactly the mismatch this
 * code reports.
 */
int main() {
    int sleepMillis = 10000; /* requested delay: 10 seconds */
    LARGE_INTEGER ticksPerSecond;
    LARGE_INTEGER tickBefore;
    LARGE_INTEGER tickAfter;

    /* Counter frequency in ticks per second; the return value is not checked. */
    QueryPerformanceFrequency(&ticksPerSecond);

    /* Sample the counter immediately before and after the delay. */
    QueryPerformanceCounter(&tickBefore);
    Sleep(sleepMillis);
    QueryPerformanceCounter(&tickAfter);

    /* Tick delta divided by ticks-per-second gives the elapsed seconds. */
    double measuredSeconds =
        (double)(tickAfter.QuadPart - tickBefore.QuadPart) /
        (double)ticksPerSecond.QuadPart;

    /* Express the request in seconds and derive the 80% lower bound. */
    double requestedSeconds = sleepMillis / 1000.0;
    double minimumExpected = requestedSeconds * 0.8;

    printf("[*] Requested Sleep: %.2f seconds\n", requestedSeconds);
    printf("[*] Actual Measured Sleep: %.2f seconds\n", measuredSeconds);

    /* A delay well short of the request is treated as accelerated time. */
    if (measuredSeconds < minimumExpected) {
        printf("[!] Sleep time deviation detected.\n");
        printf("[!] Sandbox likely accelerated execution. Exiting.\n");
        return 1;
    }

    printf("[*] Sleep timing appears normal.\n");
    return 0;
}