Single-threaded event driven sleep obfuscation poc for linux, based on and inspired by https://github.com/kyleavery/pendulum. This proof of concept sleeps for a pre-defined time but it can technically be awoken by external triggers, making it usable beyond a pre-defined sleep...
However, there is a limitation with this as for example if you ptrace attach to the process, the epoll_wait call gets interrupted and causes the decryption process to occur.
As seen below from the strace output, the event driven mechanism uses epoll to monitor both timer and event file descriptors:
timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC) = 3
eventfd2(0, EFD_CLOEXEC) = 4
epoll_create1(EPOLL_CLOEXEC) = 5
epoll_ctl(5, EPOLL_CTL_ADD, 3, {events=EPOLLIN, data=0x3}) = 0 # add timer_fd=3
epoll_ctl(5, EPOLL_CTL_ADD, 4, {events=EPOLLIN, data=0x4}) = 0 # add event_fd=4
...
epoll_wait(5, [{events=EPOLLIN, data=0x3}], 2, -1) = 1
when the timer expires, epoll returns 1 event with data=0x3 confirming it was triggered by timerfd (fd 3).
./SilentPulse
[DEBUG] .text @ 0x630bcd0b1000 - 0x630bcd0b33bd (9149 bytes)
[DEBUG] sleeping for 10 seconds
# awake
(gdb) x/s 0x630bcd0b1000
0x630bcd0b1000: "\177ELF\002\001\001"
# sleeping
(gdb) x/s 0x630bcd0b1000
0x630bcd0b1000: "\217\357܍\304z[\026\317\016\342\273@\303X̖..."
# awake
000006f0 08 00 00 00 00 00 00 00 00 5f 49 54 4d 5f 64 65 |........._ITM_de|
00000700 72 65 67 69 73 74 65 72 54 4d 43 6c 6f 6e 65 54 |registerTMCloneT|
00000710 61 62 6c 65 00 5f 5f 67 6d 6f 6e 5f 73 74 61 72 |able.__gmon_star|
00000720 74 5f 5f 00 5f 49 54 4d 5f 72 65 67 69 73 74 65 |t__._ITM_registe|
00000730 72 54 4d 43 6c 6f 6e 65 54 61 62 6c 65 00 52 41 |rTMCloneTable.RA|
00000740 4e 44 5f 62 79 74 65 73 00 52 43 34 5f 73 65 74 |ND_bytes.RC4_set|
00000750 5f 6b 65 79 00 52 43 34 00 65 70 6f 6c 6c 5f 63 |_key.RC4.epoll_c|
00000760 74 6c 00 73 6c 65 65 70 00 70 75 74 73 00 70 65 |tl.sleep.puts.pe|
00000770 72 72 6f 72 00 73 79 73 63 6f 6e 66 00 5f 5f 73 |rror.sysconf.__s|
00000780 74 61 63 6b 5f 63 68 6b 5f 66 61 69 6c 00 66 72 |tack_chk_fail.fr|
00000790 65 65 00 74 69 6d 65 72 66 64 5f 63 72 65 61 74 |ee.timerfd_creat|
000007a0 65 00 72 65 61 64 00 74 69 6d 65 72 66 64 5f 73 |e.read.timerfd_s|
000007b0 65 74 74 69 6d 65 00 6d 61 6b 65 63 6f 6e 74 65 |ettime.makeconte|
000007c0 78 74 00 67 65 74 70 69 64 00 67 65 74 63 6f 6e |xt.getpid.getcon|
000007d0 74 65 78 74 00 5f 5f 6c 69 62 63 5f 73 74 61 72 |text.__libc_star|
000007e0 74 5f 6d 61 69 6e 00 73 74 64 65 72 72 00 6d 70 |t_main.stderr.mp|
000007f0 72 6f 74 65 63 74 00 73 77 61 70 63 6f 6e 74 65 |rotect.swapconte|
00000800 78 74 00 65 76 65 6e 74 66 64 00 5f 5f 63 78 61 |xt.eventfd.__cxa|
00000810 5f 66 69 6e 61 6c 69 7a 65 00 65 70 6f 6c 6c 5f |_finalize.epoll_|
00000820 63 72 65 61 74 65 31 00 63 61 6c 6c 6f 63 00 6d |create1.calloc.m|
00000830 65 6d 73 65 74 00 63 6c 6f 73 65 00 70 72 69 6e |emset.close.prin|
00000840 74 66 00 66 77 72 69 74 65 00 6c 69 62 73 73 6c |tf.fwrite.libssl|
00000850 2e 73 6f 2e 33 00 6c 69 62 63 72 79 70 74 6f 2e |.so.3.libcrypto.|
00000860 73 6f 2e 33 00 6c 69 62 63 2e 73 6f 2e 36 00 4f |so.3.libc.so.6.O|
00000870 50 45 4e 53 53 4c 5f 33 2e 30 2e 30 00 47 4c 49 |PENSSL_3.0.0.GLI|
00000880 42 43 5f 32 2e 33 2e 32 00 47 4c 49 42 43 5f 32 |BC_2.3.2.GLIBC_2|
00000890 2e 39 00 47 4c 49 42 43 5f 32 2e 37 00 47 4c 49 |.9.GLIBC_2.7.GLI|
000008a0 42 43 5f 32 2e 34 00 47 4c 49 42 43 5f 32 2e 38 |BC_2.4.GLIBC_2.8|
000008b0 00 47 4c 49 42 43 5f 32 2e 33 34 00 47 4c 49 42 |.GLIBC_2.34.GLIB|
000008c0 43 5f 32 2e 32 2e 35 00 00 00 02 00 02 00 02 00 |C_2.2.5.........|
# asleep
000006f0 81 63 7c 08 ed 7e c7 34 fa d3 49 ef 2b 35 41 ab |.c|..~.4..I.+5A.|
00000700 5d 42 e5 96 7d a9 ef 91 b0 27 f4 ad 06 0f b2 52 |]B..}....'.....R|
00000710 f8 82 84 19 14 f9 28 41 25 76 b6 6e 47 9c 43 26 |......(A%v.nG.C&|
00000720 8f 88 80 b9 25 3f 87 c1 5c 57 c1 06 6d 5f 1f a4 |....%?..\W..m_..|
00000730 d6 18 26 ed 49 22 b6 c3 4a e9 07 72 a8 02 77 63 |..&.I"..J..r..wc|
00000740 d4 74 d6 00 43 58 4b 48 50 e5 b9 2c f0 a8 3a 46 |.t..CXKHP..,..:F|
00000750 09 8b 7a e5 f7 3d 27 9c c1 0b 7e 9d cc e5 7a 1b |..z..='...~...z.|
00000760 c4 34 a5 7c 2a fe f1 0a a0 6f 7a d5 d3 b2 d4 7d |.4.|*....oz....}|
00000770 5f ae 76 61 b0 e1 f2 14 1a c3 1c 7b 90 7c 45 95 |_.va.......{.|E.|
00000780 36 4e c7 5c a0 71 88 ce 39 26 92 96 75 90 3a 29 |6N.\.q..9&..u.:)|
00000790 d5 8d 52 cd 7a d2 06 56 f2 90 74 dc 77 b7 28 54 |..R.z..V..t.w.(T|
000007a0 21 47 d7 05 ef 1c 52 19 63 b6 35 43 44 75 11 d4 |!G....R.c.5CDu..|
000007b0 a8 80 f2 bb 9a 58 fa d0 09 c3 fd aa 8d 2e 68 ef |.....X........h.|
000007c0 51 07 2d 49 00 a0 3b f6 98 3a 09 1c f8 72 5a d5 |Q.-I..;..:...rZ.|
000007d0 cf 10 79 b9 85 ee e9 eb 67 ec 1c a4 e6 91 8f 19 |..y.....g.......|
000007e0 b5 a2 89 69 17 68 6c f4 6a c4 8b 4d 8d fa 80 d6 |...i.hl.j..M....|
000007f0 21 66 35 f6 a7 db 03 5c 17 52 33 c5 d3 7b 6a a5 |!f5....\.R3..{j.|
00000800 29 d1 28 c5 db 57 65 78 69 f0 a2 97 fb 2a e7 d9 |).(..Wexi....*..|
00000810 93 44 c0 4f f1 af 02 7c 15 56 bb 00 82 c2 9c 7f |.D.O...|.V......|
00000820 46 07 4c 58 92 ac 78 37 cc ca 55 3d 02 05 09 37 |F.LX..x7..U=...7|
00000830 73 de ee bd 57 3f 55 73 1c aa d2 85 a3 f6 1a 3c |s...W?Us.......<|
00000840 33 26 dc 41 57 03 ad 37 d9 52 9a 19 d6 e4 91 88 |3&.AW..7.R......|
00000850 be f6 67 12 e7 62 68 1c a0 51 c6 21 4b 22 d6 26 |..g..bh..Q.!K".&|
00000860 42 d4 03 73 b5 8c d8 e0 23 ad ee 5d 88 23 9d 3e |B..s....#..].#.>|
00000870 58 19 97 f9 fe 4d a8 96 f4 1f 0a d5 fa 03 8a 71 |X....M.........q|
00000880 0d c0 77 6d 54 a3 e0 c0 3f de ed 94 77 af 7d e1 |..wmT...?...w.}.|
00000890 e9 e7 0d 72 79 92 22 d8 53 89 d0 08 b5 a0 62 a4 |...ry.".S.....b.|
000008a0 80 22 f6 fa 2d 27 fd 54 81 58 56 58 52 2c ab b6 |."..-'.T.XVXR,..|
000008b0 e3 ca 5b bb d5 a4 81 42 d2 db 84 41 33 e7 1c 8f |..[....B...A3...|
000008c0 43 83 51 5f 9c 48 94 6e c4 37 d0 86 5f 8f 53 b3 |C.Q_.H.n.7.._.S.|