├── .gitignore ├── README.md ├── Makefile ├── generate.sh ├── hashname.py ├── LICENSE ├── nop.asm ├── macro.asm ├── dllmgt.asm └── nosandbox.asm /.gitignore: -------------------------------------------------------------------------------- 1 | nop.exe 2 | nop.obj 3 | cust_config.inc 4 | config.inc 5 | hashs.inc 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | No_Sandboxes 2 | ============ 3 | 4 | Test suite for bypassing Malware sandboxes. 5 | 6 | 7 | Need : 8 | Python3 9 | Yasm 10 | PeLinker 11 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | LINK_DIR = ../masm32/bin 2 | 3 | 4 | nop: hashsinc 5 | echo "#Config"> config.inc 6 | cat cust_config.inc >> config.inc 7 | yasm -f win32 -m x86 nop.asm -o nop.obj 8 | wine $(LINK_DIR)/polink /ENTRY:start /SUBSYSTEM:WINDOWS $(LINK_DIR)/../lib/user32.lib $(LINK_DIR)/../lib/kernel32.lib nop.obj /verbose 2>/dev/null 9 | 10 | all: nop 11 | 12 | 13 | clean: 14 | -rm -f nop.obj cust_config.inc nop.exe hashs.inc config.inc 15 | 16 | # DLL and Function hash generator 17 | hashsinc: hashname.py 18 | ./hashname.py 19 | 20 | 21 | -------------------------------------------------------------------------------- /generate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | techniques=( NOSB_RDTSCLOOP NOSB_INTELONLY NOSB_NOL1ICACHE NOSB_HYPERBIT NOSB_UNSLEAF NOSB_PEBCOUNT NOSB_RENAMED NOSB_ROGUEDLL NOSB_HOOKPROC NOSB_HYPSTR ) 4 | 5 | mkdir out 6 | make clean 7 | make 8 | cp nop.exe out/NOP_NOTHING.exe 9 | 10 | for i in "${techniques[@]}" 11 | do 12 | echo "---> Compiling $i" 13 | make clean 14 | echo "%define $i True" > cust_config.inc 15 | make 16 | cp nop.exe ./out/NOP_$i.exe 17 | done 18 | 19 | chmod -x *.exe 20 | echo " " 21 | echo " " 22 | echo " " 23 | echo "---------------------------------------" 24 | ls -l out/*.exe 25 | echo " " 26 | md5sum out/*.exe 27 | 28 | -------------------------------------------------------------------------------- /hashname.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import random 3 | 4 | STRINGS = [ 'WriteProcessMemory' , 'GetTickCount', 'NOP_NOSB_RENAMED.exe' , 'WS2_32.dll', 'ntdll.dll', 'kernel32.dll', 'MessageBoxA', 'LoadLibraryA', 'user32.dll' ] 5 | 6 | def ROR(x, n,bits=32): 7 | mask = (2L**n) - 1 8 | mask_bits = x & mask 9 | return (x >> n) | (mask_bits << (32 - n)) 10 | 11 | def ROL(x, n, bits=32): 12 | return ROR(x, bits - n, bits) 13 | 14 | HASH_SFT = random.randrange(30)+1 15 | include = ('HASH_SFT equ 0x%X\n' % (HASH_SFT)) 16 | 17 | for ITEMS in STRINGS: 18 | code=0 19 | for char in ITEMS.upper(): 20 | code = code ^ ord(char) 21 | code = ROL(code , HASH_SFT) 22 | include = include + ('HASH_%s equ 0x%X\n' % (ITEMS.upper(),code)) 23 | 24 | print "* Hashing strings" 25 | print include 26 | with open('hashs.inc', 'w') as f: 27 | f.write(include) 28 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. 23 | 24 | For more information, please refer to 25 | 26 | -------------------------------------------------------------------------------- /nop.asm: -------------------------------------------------------------------------------- 1 | 2 | ;  Macro & Constantes defintions 3 | %define NULL 0 4 | %define HASH_NOSB_RENAMED.EXE $HASH_NOP_NOSB_RENAMED.EXE 5 | 6 | %macro invoke 2-* 7 | extern %1 8 | %rotate %0-1 9 | %rep %0-1 10 | push %1 11 | %rotate -1 12 | %endrep 13 | %rotate %0 14 | call %1 15 | %endmacro 16 | 17 | %macro invokel 2-* 18 | %rotate %0-1 19 | %rep %0-1 20 | push %1 21 | %rotate -1 22 | %endrep 23 | %rotate %0 24 | call %1 25 | %endmacro 26 | 27 | ; Data section 28 | section .data 29 | txt1 db "I am probably in a real PC",0 30 | str_user32 db "user32.dll",0 31 | PEB dd 0x0 32 | 33 | 34 | FN_LOADLIBRARY dd 0 35 | FN_MSGBOX dd 0 36 | 37 | %include "hashs.inc" 38 | %include "cust_config.inc" 39 | 40 | ; Code Section 41 | section .code 42 | GLOBAL _start 43 | _start: 44 | mov eax, [fs:0x30] 45 | mov [PEB],eax 46 | 47 | ; Address de qui se finit si on fait rien 48 | push _fend 49 | 50 | nop 51 | nop 52 | nop 53 | nop 54 | nop 55 | ; Test For Sandboxes 56 | %include "nosandbox.asm" 57 | nop 58 | nop 59 | nop 60 | nop 61 | nop 62 | 63 | 64 | ;  Stealth version of MessageBox 65 | ; invoke _MessageBoxA@16, 0, txt1, txt1, 0 66 | 67 | ; Récupère la base addresse de Kernel32 68 | invokel _getdll,HASH_KERNEL32.DLL 69 | ; Récuère l'offset de la fonctions LoadLibraryA 70 | invokel _getfunction, eax, HASH_LOADLIBRARYA 71 | mov [FN_LOADLIBRARY], EAX 72 | 73 | 74 | ; Charge user32.dll 75 | invokel [FN_LOADLIBRARY],str_user32 76 | 77 | 78 | ; Récupère l'addresse de base de user32.dll 79 | invokel _getdll,HASH_USER32.DLL 80 | ; Récupère l'offset le la fonctions 81 | invokel _getfunction, eax, HASH_MESSAGEBOXA 82 | mov [FN_MSGBOX], EAX 83 | 84 | 85 | ; Appelle la popup discretos 86 | invokel [FN_MSGBOX], 0, txt1, txt1, 0 87 | 88 | _fend: 89 | invoke _ExitProcess@4, NULL 90 | 91 | %include "dllmgt.asm" 92 | -------------------------------------------------------------------------------- /macro.asm: -------------------------------------------------------------------------------- 1 | ; Constant Definition 2 | %define FALSE 0 3 | %define CREATE_SUSPENDED 0x4 4 | %define NULL 0 5 | %define MEM_COMMIT 0x00001000 6 | %define PAGE_READWRITE 0x04 7 | %define PAGE_EXECUTE_READWRITE 0x40 8 | 9 | ; CPU Context 10 | %define CONTEXT_FULL 0x10007 11 | %define CTX__LEN 0x2CF 12 | %define CTX__DR0 0x4 13 | %define CTX__DR1 0x8 14 | %define CTX__DR2 0xC 15 | %define CTX__DR3 0x10 16 | %define CTX__ESI 0xA0 17 | %define CTX__EDI 0x9c 18 | %define CTX__ESP 0xC4 19 | %define CTX__EBP 0xB4 20 | %define CTX__EAX 0xB0 21 | %define CTX__EBX 0xA4 22 | %define CTX__ECX 0xAC 23 | %define CTX__EDX 0xA8 24 | 25 | ; Process Information Structure 26 | %define PROCESS_INFORMATION__LEN 0x10 27 | %define PROCESS_INFORMATION__hProcess 0 28 | %define PROCESS_INFORMATION__hThread 4 29 | %define PROCESS_INFORMATION__dwProcessId 8 30 | %define PROCESS_INFORMATION__dwThreadId 0xC 31 | 32 | ; Pe Optionnal Header structure 33 | %define IMAGE_OPTIONAL_HEADER__LEN 0x60 34 | %define IMAGE_OPTIONAL_HEADER__Magic 0 35 | %define IMAGE_OPTIONAL_HEADER__ImageBase 0x1C 36 | %define IMAGE_OPTIONAL_HEADER__AddressOfEntryPoint 0x10 37 | %define IMAGE_OPTIONAL_HEADER__SizeOfImage 0x38 38 | %define IMAGE_OPTIONAL_HEADER__SizeOfHeaders 0x3C 39 | 40 | ; PEB 41 | %define PEB__ImageBaseAdress 0x8 42 | 43 | ; DOS Header 44 | %define IMAGE_DOS_HEADER__PEOffset 0x3C 45 | 46 | ; File header 47 | %define IMAGE_FILE_HEADER_LEN 0x10 48 | 49 | ; Pe IMAGE_DATA_DIRECTORY structure 50 | %define IMAGE_DATA_DIRECTORY__LEN 0x70 51 | 52 | ; Structure IMAGE_SECTION_HEADER 53 | %define IMAGE_SECTION_HEADER__LEN 0x28 54 | %define IMAGE_SECTION_HEADER__Name 0x0 55 | %define IMAGE_SECTION_HEADER__VirtualSize 0x8 56 | %define IMAGE_SECTION_HEADER__VirtualAddress 0xC 57 | %define IMAGE_SECTION_HEADER__SizeOfRawData 0x10 58 | %define IMAGE_SECTION_HEADER__PointerToRawData 0x14 59 | 60 | ; Macro definition 61 | %macro invoke 2-* 62 | extern %1 63 | %rotate %0-1 64 | %rep %0-1 65 | push %1 66 | %rotate -1 67 | %endrep 68 | %rotate %0 69 | call %1 70 | %endmacro 71 | 72 | %macro invokel 2-* 73 | %rotate %0-1 74 | %rep %0-1 75 | push %1 76 | %rotate -1 77 | %endrep 78 | %rotate %0 79 | call %1 80 | %endmacro 81 | 82 | -------------------------------------------------------------------------------- /dllmgt.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ;align 16 4 | 5 | ; ################################################### 6 | ; trouve un offset de dll by hash, 7 | ; return 0 si pas trouvé 8 | ; In stack : Hash DLL name 9 | ; Out eax : DLL Base address  10 | 11 | _getdll: 12 | 13 | ; mov eax,[fs:0x30] ; To BE REMOVED 14 | ; int 3 15 | ;; mov dword [PEB],eax 16 | 17 | push ebp 18 | mov ebp,esp 19 | 20 | mov ebx, [fs:0x30] ; pointer sur PEB fs:0x30 21 | mov ebx, [ebx+0x0C] ; pointeur sur PEB->Ldr 22 | mov ebx, [ebx+0x14] ; flink premier module de la liste InMemoryOrder 23 | mov edx, [ebx+4] ; blink... alias le point de sortie.. 24 | xor ecx,ecx 25 | xor eax,eax 26 | jmp .startlist 27 | 28 | .nextmod: 29 | cmp ebx,edx 30 | je .tfini 31 | 32 | .startlist: 33 | mov esi, [ebx+0x28] ; pointeur sur la liste (unicode) 34 | 35 | .readchar: 36 | lodsw ; lis un Word 37 | test al,al ; Fin de la string ? 38 | jz .stopreadchar 39 | 40 | cmp al,0x60 ; Si misuscule convert to Majuscule, 41 | jbe .stoschar 42 | sub al,0x20 ; pass en majuscule 43 | .stoschar 44 | xor cl,al ; Hash du pauvre, rolxor 45 | rol ecx,HASH_SFT 46 | jmp .readchar 47 | 48 | .stopreadchar: 49 | cmp ecx,[ebp+0x8] ; Parametre 1, Hash DLL Name 50 | je .tfinifound 51 | 52 | mov ecx,0 ; Reset the hash 53 | mov ebx, [ebx] ; choppe le module suivant 54 | mov esi, [ebx+0x4] ; module base address 55 | 56 | jmp .nextmod 57 | 58 | .tfinifound 59 | mov eax, [ebx+0x10] ; module base address 60 | jmp .tgohome 61 | 62 | .tfini: 63 | mov eax,0 ; pas trouvé l'offset return 0 64 | 65 | .tgohome: 66 | 67 | mov esp,ebp 68 | pop ebp 69 | retn 4 70 | 71 | 72 | 73 | ; ################################################### 74 | ; trouve un offset de fonction by hash 75 | ; return 0 si pas trouvé... erratum crash si pas trouvé 76 | ; In stack : Hash Fonction 77 | ; In stack : Offset DLL name 78 | ; Out eax : Fonction Base address  79 | 80 | ; trouve une fonction dans kernel32.dll 81 | _getfunction: 82 | 83 | push ebp 84 | mov ebp,esp 85 | sub eax,eax 86 | 87 | mov eax,[ebp+0x8] 88 | mov ebx, eax 89 | mov edx,[eax+60] ; PE base loCATION 90 | add eax, edx 91 | mov edx,[eax] ; PE base dans EDX 92 | add eax, 0x78 93 | mov edx,[eax] ; Export Table offset 94 | add ebx,edx ; edx = iat export table 95 | 96 | mov [ExpTable],ebx 97 | 98 | mov edx,[ebp+0xC] 99 | 100 | ExpTable equ ebp-0x8 101 | 102 | mov esi, [ExpTable] 103 | 104 | mov esi, [esi+0x20] ;RVA 105 | add esi, [ebp+0x8] ;VA 106 | xor ebx,ebx 107 | cld 108 | 109 | myloop: 110 | inc ebx 111 | lodsd 112 | add eax , [ebp+0x8] ;eax sur les string des fonctions 113 | push esi ; save pour la prochane loop 114 | mov esi,eax 115 | mov edi,edx 116 | cld 117 | ; push ecx 118 | xor ecx,ecx 119 | 120 | .readcharf: 121 | lodsb ; lis un Word 122 | test al,al ; Fin de la string ? 123 | jz .stopreadcharf 124 | 125 | cmp al,0x60 ; Si misuscule convert to Majuscule, 126 | jbe .stoscharf 127 | sub al,0x20 ; pass en majuscule 128 | .stoscharf 129 | xor cl,al ; Hash du pauvre, rolxor 130 | rol ecx,HASH_SFT 131 | jmp .readcharf 132 | 133 | .stopreadcharf 134 | 135 | pop esi 136 | 137 | cmp ecx,[ebp+0xc] ; Hash Match ?? 138 | 139 | jne myloop 140 | 141 | dec ebx 142 | mov eax,[ExpTable] 143 | mov eax,[eax+0x24] ;RVA EOT 144 | add eax,[ebp+0x8] ;VA EOT 145 | movzx eax , word [ebx*2+eax] ;eax offset de la fonction 146 | mov ebx,[ExpTable] 147 | mov ebx,[ebx+0x1C] ;RVA EAT 148 | add ebx,[ebp+0x8] ;VA EAT 149 | mov ebx,[eax*4+ebx] 150 | add ebx,[ebp+0x8] 151 | mov eax,ebx 152 | 153 | mov esp,ebp 154 | pop ebp 155 | retn 8 156 | 157 | -------------------------------------------------------------------------------- /nosandbox.asm: -------------------------------------------------------------------------------- 1 | ; Should go to the end without RETing to win ! 2 | 3 | ; ******************************************** 4 | ; ** 5 | ; ** Virtualisation Based 6 | ; ** 7 | ; ******************************************** 8 | 9 | ; Only allow Intel CPUS 10 | %ifdef NOSB_INTELONLY 11 | mov eax,0 12 | cpuid 13 | cmp edx,0x49656E69 14 | je _isintel 15 | ret 16 | _isintel: 17 | %endif 18 | 19 | 20 | %ifdef NOSB_NOL1ICACHE 21 | ; Validate that you have L1 Cache. 22 | mov edx,0 23 | 24 | _isnot_nol1_first: 25 | mov eax,4 26 | mov ecx,edx 27 | push edx 28 | cpuid 29 | pop edx 30 | inc edx 31 | 32 | mov ecx,eax ; Ecx will get Level 33 | shr ecx,5 34 | and ecx,7 ; Ecx get Level 35 | and eax,0x1f ; Eax get type 36 | 37 | cmp eax,2 38 | jne _isnot_nol1_next ; Type 2 is Instruction 39 | cmp ecx,1 ; we seek L1 40 | je _isnot_nol1 ; Type2 L1 .. great ! 41 | _isnot_nol1_next: 42 | inc ecx 43 | loop _isnot_nol1_first ; if Type is not null do next cache 44 | 45 | 46 | ret ; If here wi did'nt found L1 intruction cache. 47 | _isnot_nol1: 48 | %endif 49 | 50 | %ifdef NOSB_HYPERBIT 51 | ; -------- 52 | ; Test for Hypervised bit. ( Cpuid Leaf 1, 32th Bit) 53 | mov eax,1 54 | cpuid 55 | bt ecx,31 56 | jnc _isnot_hyper 57 | ret 58 | _isnot_hyper: 59 | %endif 60 | 61 | %ifdef NOSB_UNSLEAF 62 | ; -------- 63 | ; Test for unsupported CPUid Leaf are not 0 on intel 64 | mov eax,0x80000000 65 | cpuid ; Should be at least ..5 since P4 66 | cmp eax,0x80000005 67 | jnb _isnot_Unleaf_mid 68 | ret 69 | 70 | _isnot_Unleaf_mid: 71 | inc eax ; Unsuported leaf in EAX 72 | push eax 73 | 74 | xor eax,eax 75 | cpuid 76 | cmp ebx,0x756E6547 ; Test Intel String 77 | pop eax 78 | jne _isnot_Unleaf ; Work only with Intel 79 | 80 | cpuid 81 | add eax,ebx 82 | add eax,ecx 83 | add eax,edx 84 | jnz _isnot_Unleaf 85 | ret ; 0.0.0.0 on unsupported leaf 86 | _isnot_Unleaf: 87 | %endif 88 | 89 | %ifdef NOSB_PEBCOUNT 90 | ; -------- 91 | ; Test for PEB Cpu Count 92 | mov ebx,[PEB] 93 | mov eax,[ebx+0x64] 94 | dec eax 95 | jnz _isnot_pebuniq 96 | ret 97 | _isnot_pebuniq: 98 | %endif 99 | 100 | %ifdef NOSB_HYPSTR 101 | ; -------- 102 | ; Test for Hypervisor String (Cpuid Leaf 0x400000000) 103 | MOV EAX,0x40000000 ; leaf Hypervisor string 104 | CPUID 105 | 106 | MOV EAX,ECX 107 | MOV ECX,0x4 108 | _hyperstr_loopA: ; Test 4 Chars in ECX 109 | CMP AL,32 ; Space 110 | JB _isnot_hyperstr 111 | CMP AL,122 ; "z" 112 | JA _isnot_hyperstr 113 | SHR EAX,8 ; Next Char 114 | LOOP _hyperstr_loopA 115 | mov ecx,4 116 | MOV EAX,EBX 117 | POP EAX 118 | _hyperstr_loopB: ; Test 4 Chars in EAX 119 | CMP AL,32 120 | JB _isnot_hyperstr 121 | CMP AL,122 122 | JA _isnot_hyperstr 123 | SHR EAX,8 ; Next Char 124 | LOOP _hyperstr_loopB 125 | ret ; Non printable Found 126 | _isnot_hyperstr: 127 | %endif 128 | 129 | ; ******************************************** 130 | ; ** 131 | ; ** Sandbox Detection Based 132 | ; ** 133 | ; ******************************************** 134 | 135 | %ifdef NOSB_HOOKPROC 136 | invokel _getdll,HASH_KERNEL32.DLL 137 | invokel _getfunction, eax, HASH_WRITEPROCESSMEMORY 138 | cmp dword [eax],0x8B55FF8B 139 | je _nosbhookproc 140 | ret 141 | _nosbhookproc: 142 | %endif 143 | 144 | 145 | %ifdef NOSB_SYSSLEEP 146 | jmp _syssleepstart 147 | align 8 148 | syssleepval dd - 10 * (10000 * 1000); en Sec  149 | 150 | _syssleepstart: 151 | push syssleepval ; Time to sleep 152 | push 0 ; False, relative time selection 153 | push _syssleepend ; Return address 154 | push _syssleepend ; Return address emulate return to ntdelayexecution 155 | mov eax,0x003b ; Only for XP32 Bits... 156 | mov edx,esp ; See for code http://j00ru.vexillium.org/ntapi/ 157 | sysenter ; Hello Kernel 158 | _syssleepend: 159 | add esp, 4*3 160 | %endif 161 | 162 | 163 | %ifdef NOSB_HSLEEP 164 | jmp _hsleepstart 165 | align 8 166 | hsleepval dd -1800000000 167 | _hsleepstart 168 | invokel _getdll,HASH_KERNEL32.DLL 169 | invokel _getfunction, eax, HASH_NTDELAYEXECUTION 170 | invokel eax, 0, hsleepval ; Negatif 171 | %endif 172 | 173 | 174 | %ifdef NOSB_CPUIDCOUNT 175 | mov ecx,0xffff 176 | push eax 177 | _CPUID_LOOP: 178 | push ecx 179 | mov eax,1 180 | cpuid 181 | pop ecx 182 | loop _CPUID_LOOP 183 | rdtsc 184 | pop ecx 185 | sub eax,ecx 186 | add eax,0x300000 187 | 188 | push eax 189 | mov ecx,0xffff 190 | push eax 191 | _CPUID_LOOP2: 192 | push ecx 193 | mov eax,1 194 | nop 195 | pop ecx 196 | loop _CPUID_LOOP2 197 | rdtsc 198 | pop ecx 199 | sub eax,ecx 200 | 201 | pop ebx 202 | cmp eax,ebx 203 | 204 | ja _isnot_cpuidcount 205 | ret 206 | _isnot_cpuidcount: 207 | 208 | %endif 209 | 210 | 211 | %ifdef NOSB_RENAMED 212 | invokel _getdll, HASH_NOSB_RENAMED.EXE ; Bloque les renommages 213 | test eax,eax 214 | jne _renamed_nosandbox 215 | ret 216 | _renamed_nosandbox: 217 | %endif 218 | 219 | %ifdef NOSB_ROGUEDLL 220 | invokel _getdll, HASH_WS2_32.DLL 221 | test eax,eax 222 | jz _dll_nosandbox 223 | ret 224 | _dll_nosandbox: 225 | %endif 226 | 227 | 228 | ; 3 Mn wait, with only 2 API Call. 229 | %ifdef NOSB_RDTSCLOOP 230 | jmp _rdtsc_start 231 | 232 | _rdtscsleeploop: 233 | rdtsc 234 | mov ecx,eax 235 | 236 | _timing1: 237 | push ecx 238 | cpuid ; Just a fake "Huge one" 239 | rdtsc 240 | pop ecx 241 | cmp eax,ecx 242 | jae _timing1 243 | 244 | _timing2: 245 | push ecx 246 | cpuid 247 | rdtsc 248 | pop ecx 249 | cmp eax,ecx 250 | jb _timing2 251 | 252 | ret 253 | 254 | _rdtsc_start: 255 | invokel _getdll,HASH_KERNEL32.DLL 256 | invokel _getfunction, eax, HASH_GETTICKCOUNT 257 | call eax 258 | 259 | push eax 260 | call _rdtscsleeploop 261 | 262 | invokel _getdll,HASH_KERNEL32.DLL 263 | invokel _getfunction, eax, HASH_GETTICKCOUNT 264 | call eax 265 | 266 | pop ebx 267 | sub eax,ebx  ; How many time a loop did... 268 | mov ecx,eax 269 | mov edx,0 270 | mov eax,180000 ; 3 Mn en millisecondes 271 | idiv ecx ; How many loop should i do 272 | mov ecx,eax 273 | dec ecx ; one loop is already done 274 | 275 | _rdtscwait: 276 | push ecx 277 | call _rdtscsleeploop 278 | pop ecx 279 | loop _rdtscwait 280 | 281 | %endif 282 | 283 | 284 | 285 | --------------------------------------------------------------------------------