Added WaitForMultipleObjects and Frida processes (#265)

* Added WaitForMultipleObjects and Frida processes

* Fix previous commit

README.md

@@ -99,7 +99,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - SetTimer (Standard Windows Timers)
 - timeSetEvent (Multimedia Timers)
 - WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
-- WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
+- WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects
 - IcmpSendEcho (CCleaner Malware)
 - CreateWaitableTimer
 - CreateTimerQueueTimer
@@ -279,13 +279,14 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 
 ### Anti-Analysis
 - **Processes**
-  - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Enigne
+  - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro / X64dbg / Cheat Engine
   - SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
   - Wireshark / Dumpcap / Fiddler / Http Debugger
   - ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
   - ImportREC / PETools / LordPE
   - JoeBox Sandbox
   - Resource Hacker
+  - Frida
 
 ### Anti-Disassembly
 - Jump with constant condition

al-khaser/Al-khaser.cpp

@@ -328,6 +328,7 @@ int main(int argc, char* argv[])
 		exec_check(timing_SetTimer, delayInMillis, TEXT("Delaying execution using SetTimer ..."));
 		exec_check(timing_timeSetEvent, delayInMillis, TEXT("Delaying execution using timeSetEvent ..."));
 		exec_check(timing_WaitForSingleObject, delayInMillis, TEXT("Delaying execution using WaitForSingleObject ..."));
+		exec_check(timing_WaitForMultipleObjects, delayInMillis, TEXT("Delaying execution using WaitForMultipleObjects ..."));
 		exec_check(timing_IcmpSendEcho, delayInMillis, TEXT("Delaying execution using IcmpSendEcho ..."));
 		exec_check(timing_CreateWaitableTimer, delayInMillis, TEXT("Delaying execution using CreateWaitableTimer ..."));
 		exec_check(timing_CreateTimerQueueTimer, delayInMillis, TEXT("Delaying execution using CreateTimerQueueTimer ..."));

al-khaser/AntiAnalysis/process.cpp

@@ -43,6 +43,8 @@ VOID analysis_tools_process()
 		_T("cheatengine-i386.exe"),				// Cheat Engine
 		_T("cheatengine-x86_64.exe"),			// Cheat Engine
 		_T("cheatengine-x86_64-SSE4-AVX2.exe"), // Cheat Engine
+		_T("frida-helper-32.exe"),				// Frida
+		_T("frida-helper-64.exe"),				// Frida
 	};
 
 	WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);

al-khaser/TimingAttacks/timing.cpp

@@ -117,6 +117,35 @@ BOOL timing_WaitForSingleObject(UINT delayInMillis)
 	return FALSE;
 }
 
+BOOL timing_WaitForMultipleObjects(UINT delayInMillis) {
+	HANDLE hThread;
+	DWORD i, dwEvent, dwThreadID;
+
+	// Create two event objects
+
+	for (i = 0; i < 2; i++)
+	{
+		ghEvents[i] = CreateEvent(
+			NULL,  // default security attributes
+			FALSE, // auto-reset event object
+			FALSE, // initial state is nonsignaled
+			NULL); // unnamed object
+
+		if (ghEvents[i] == NULL)
+		{
+			print_last_error(_T("CreateEvent"));
+			return TRUE;
+		}
+	}
+
+	dwEvent = WaitForMultipleObjects(
+		2,        // number of objects in array
+		ghEvents, // array of objects
+		FALSE,    // wait for any object
+		delayInMillis);    // delay in milliseconds
+
+	return FALSE;
+}
 
 BOOL timing_sleep_loop (UINT delayInMillis)
 {

al-khaser/TimingAttacks/timing.h

@@ -4,6 +4,7 @@ BOOL timing_SetTimer(UINT delayInMillis);
 BOOL timing_NtDelayexecution(UINT delayInMillis);
 BOOL timing_timeSetEvent(UINT delayInMillis);
 BOOL timing_WaitForSingleObject(UINT delayInMillis);
+BOOL timing_WaitForMultipleObjects(UINT delayInMillis);
 BOOL timing_sleep_loop(UINT delayInMillis);
 BOOL rdtsc_diff_locky();
 BOOL rdtsc_diff_vmexit();