From 48f661865be43c21a73e2874a04ec748a72c3ea3 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 14 Mar 2026 18:43:02 +0000 Subject: [PATCH] Add content from: Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace --- src/windows-hardening/av-bypass.md | 45 ++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index bf0ee053e67..e10897a07ae 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -2,6 +2,11 @@ {{#include ../banners/hacktricks-training.md}} +- [Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace](https://maorsabag.github.io/posts/adaptix-stealthpalace/sleeping-beauty/) +- [Ekko sleep obfuscation](https://github.com/Cracked5pider/Ekko) + + + **This page was written by** [**@m2rc_p**](https://twitter.com/m2rc_p)**!** ## Stop Defender @@ -1061,6 +1066,43 @@ Related building blocks and examples - Memory masking hooks (e.g., simplehook) and stack‑cutting PIC (stackcutting) - PIC call‑stack spoofing stubs (e.g., Draugr) + +## Import-Time IAT Hooking + Sleep Obfuscation (Crystal Palace/PICO) + +### Import-time IAT hooks via a resident PICO + +If you control a reflective loader, you can hook imports **during** `ProcessImports()` by replacing the loader's `GetProcAddress` pointer with a custom resolver that checks hooks first: + +- Build a **resident PICO** (persistent PIC object) that survives after the transient loader PIC frees itself. +- Export a `setup_hooks()` function that overwrites the loader's import resolver (e.g., `funcs.GetProcAddress = _GetProcAddress`). +- In `_GetProcAddress`, skip ordinal imports and use a hash-based hook lookup like `__resolve_hook(ror13hash(name))`. If a hook exists, return it; otherwise delegate to the real `GetProcAddress`. +- Register hook targets at link time with Crystal Palace `addhook "MODULE$Func" "hook"` entries. The hook stays valid because it lives inside the resident PICO. + +This yields **import-time IAT redirection** without patching the loaded DLL's code section post-load. + +### Forcing hookable imports when the target uses PEB-walking + +Import-time hooks only trigger if the function is actually in the target's IAT. If a module resolves APIs via a PEB-walk + hash (no import entry), force a real import so the loader's `ProcessImports()` path sees it: + +- Replace hashed export resolution (e.g., `GetSymbolAddress(..., HASH_FUNC_WAIT_FOR_SINGLE_OBJECT)`) with a direct reference like `&WaitForSingleObject`. +- The compiler emits an IAT entry, enabling interception when the reflective loader resolves imports. + +### Ekko-style sleep/idle obfuscation without patching `Sleep()` + +Instead of patching `Sleep`, hook the **actual wait/IPC primitives** the implant uses (`WaitForSingleObject(Ex)`, `WaitForMultipleObjects`, `ConnectNamedPipe`). For long waits, wrap the call in an Ekko-style obfuscation chain that encrypts the in-memory image during idle: + +- Use `CreateTimerQueueTimer` to schedule a sequence of callbacks that call `NtContinue` with crafted `CONTEXT` frames. +- Typical chain (x64): set image to `PAGE_READWRITE` → RC4 encrypt via `advapi32!SystemFunction032` over the full mapped image → perform the blocking wait → RC4 decrypt → **restore per-section permissions** by walking PE sections → signal completion. +- `RtlCaptureContext` provides a template `CONTEXT`; clone it into multiple frames and set registers (`Rip/Rcx/Rdx/R8/R9`) to invoke each step. + +Operational detail: return “success” for long waits (e.g., `WAIT_OBJECT_0`) so the caller continues while the image is masked. This pattern hides the module from scanners during idle windows and avoids the classic “patched `Sleep()`” signature. + +Detection ideas (telemetry-based) +- Bursts of `CreateTimerQueueTimer` callbacks pointing to `NtContinue`. +- `advapi32!SystemFunction032` used on large contiguous image-sized buffers. +- Large-range `VirtualProtect` followed by custom per-section permission restoration. + + ## SantaStealer Tradecraft for Fileless Evasion and Credential Theft SantaStealer (aka BluelineStealer) illustrates how modern info-stealers blend AV bypass, anti-analysis and credential access in a single workflow. @@ -1128,4 +1170,7 @@ Sleep(exec_delay_seconds * 1000); // config-controlled delay to outlive sandboxe - [ChromElevator – Chrome App Bound Encryption Decryption](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption) - [Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing](https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/) +- [Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace](https://maorsabag.github.io/posts/adaptix-stealthpalace/sleeping-beauty/) +- [Ekko sleep obfuscation](https://github.com/Cracked5pider/Ekko) + {{#include ../banners/hacktricks-training.md}}