
Sleeping Beauty Putting Adaptix to Bed with Crystal Palace#2004

Open
carlospolop wants to merge 1 commit into master from
update_Sleeping_Beauty__Putting_Adaptix_to_Bed_with_Cryst_20260314_184049

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://maorsabag.github.io/posts/adaptix-stealthpalace/sleeping-beauty/
  • Blog Title: Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace
  • Suggested Section: Windows Hardening -> Antivirus (AV) Bypass / EDR Evasion (or create a new page under Windows for "In-memory evasion: reflective loaders, IAT/GetProcAddress hooking, Ekko sleep obfuscation")

🎯 Content Summary

Title / goal
The post (dated 2026-03-14) is a hands-on engineering walkthrough showing how to take the default Adaptix C2 agent DLL (loaded “loudly” when reflectively mapped) and wrap it in a Crystal Palace-based Reflective DLL Loader (RDLL) to add stealth features:
1) restore correct PE-like per-section memory protections (.text=RX, .data=RW, etc.) instead of a single RWX region;
2) perform IAT import...

🔧 Technical Details

Crystal Palace import-time IAT hooking via a resident PICO: install a custom GetProcAddress (e.g., _GetProcAddress) into the reflective loader’s import resolution path so every DLL import name is checked against __resolve_hook(ror13hash(name)). If a hook is registered (via addhook "MODULE$Func" "hook"), return the hook pointer; otherwise delegate to the real API. This yields transparent IAT redirection without patching the DLL’s code section post-load, and the hook code persists because the PICO remains resident while the loader PIC is transient.

Forcing hookable imports when malware uses PEB-walking / hashed export resolution: if a target resolves APIs dynamically (no IAT entry), import-time hooking won’t trigger. Converting the resolution to a direct import reference (e.g., replacing a hashed GetSymbolAddress(..., HASH_FUNC_WAIT_FOR_SINGLE_OBJECT) with &WaitForSingleObject) forces the compi...

🤖 Agent Actions

Updated src/windows-hardening/av-bypass.md with a new section covering Crystal Palace/PICO import-time IAT hooking, forcing hookable imports, and Ekko-style sleep/idle obfuscation, plus detection ideas. Added references for the blog and Ekko.

Files changed:

  • src/windows-hardening/av-bypass.md

Tests not run (not requested).

Next steps:

  1. If you want the content moved under a different subsection or re-titled, tell me the preferred structure.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 954
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
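As an added example (not code from the blog post, this PR, or the Crystal Palace project), the following Python models the hash-keyed hook lookup the summary describes and adds a triage helper that maps hash values recovered from a sample or memory dump back to import names. Assumptions: a 32-bit ROR13 with zero seed over the ASCII function name, and that only the `Func` part of an `addhook "MODULE$Func"` spec is hashed.

```python
# Added example: model of an import-time hook table keyed by ROR13(name),
# plus a defender-side helper to recover API names from observed hash values.
# The hash variant (32-bit, seed 0, ASCII bytes, function name only) is assumed.
from typing import Callable, Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror13hash(name: str) -> int:
    """32-bit ROR13 hash: rotate the accumulator right by 13, then add each byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # rotate right by 13 within 32 bits
        h = (h + b) & MASK32
    return h


class HookTable:
    """Models __resolve_hook: registrations are 'MODULE$Func' -> handler."""

    def __init__(self) -> None:
        self._hooks: Dict[int, Callable] = {}

    def addhook(self, spec: str, handler: Callable) -> None:
        # Assumption: the module prefix is informational, only Func is hashed.
        _module, func = spec.split("$", 1)
        self._hooks[ror13hash(func)] = handler

    def resolve(self, name: str) -> Optional[Callable]:
        return self._hooks.get(ror13hash(name))


def resolve_import(table: HookTable, name: str, real_api: Callable[[str], object]):
    """Custom GetProcAddress path: return the hook if one is registered,
    otherwise delegate to the real export resolver."""
    hook = table.resolve(name)
    return hook if hook is not None else real_api(name)


def recover_names(hashes: Iterable[int], candidates: Iterable[str]) -> Dict[int, str]:
    """Triage helper: given hash values pulled from an artifact and a list of
    candidate API names (e.g. an export table), return hash -> name matches."""
    lookup = {ror13hash(c): c for c in candidates}
    return {h: lookup[h] for h in hashes if h in lookup}
```

Because the hook table is only consulted for names that reach the loader's import resolution, `recover_names` is the useful half for analysts: it tells you which imports a recovered hash set would redirect.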

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://maorsabag.github.io/posts/adaptix-stealthpalace/sleeping-beauty/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Antivirus (AV) Bypass / EDR Evasion (or create a new page under Windows for "In-memory evasion: reflective loaders, IAT/GetProcAddress hooking, Ekko sleep obfuscation")".

Repository Maintenance:

  • MD Files Formatting: 954 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

