Offensive Security Tool: DeepSleep

by | May 27, 2022 | Tools

DeepSleep

Post Views: 1,515

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

Offensive Security Tool: DeepSleep

GitHub Link

 

DeepSleep by thefLink, is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC. Evasive techniques take time to produce, find and create. They are the most important steps for any attack scenario. Without evasion, you cannot perform attacks.

 

Description

This tool was created to better understand how to evade memory artifacts using a Gargoyle-like technique on x64. The idea is to set up a ROPChain calling VirtualProtect() ➡ Sleep() ➡ VirtualProtect() to mark my own page as N/A while Sleeping.

Unlike Gargoyle and other Gargoyle-like implementations, this tool relied on ROP and do not queue any APC. DeepSleep itself is implemented as fully PIC, which makes it easier to enumerate which memory pages have to be hidden from scanners.

While the thread is active, a MessageBox pops up and DeepSleep’s page is marked as executable. While Sleeping, the page is marked as N/A.

This effectively bypasses Moneta at the time of writing if DeepSleep is injected and the executing thread’s base address does not point to private commited memory.

It has been verified using the Earlybird injection technique to inject DeepSleep.bin into notepad.exe

See Also: Recon Tool: qsreplace

 

 

Usage

Using Mingw:
Type make and a wild DeepSleep.bin appears.
Alternatively use the precompiled DeepSleep.bin

 

 

Limitations

This was tested on 10.0.19044 N/A Build 19044

The ROPgadgets that the tool relies on might not exist in ntdll.dll in other versions of Windows. It is probably a good idea to make use of smaller and more generic ROPgadgets and to enumerate the gadgets in more dlls than ntdll.dll.

 

 

Detection

The callstack to a thread in the DelayExecution state includes unknown/tampered memory regions and additionally includes addresses to VirtualProtect().  Hunt-Sleeping-Beacons detects this.
It may be possible to apply that metric to other C2 using a different technique to wait between callbacks.

 

See Also: The Difference between Vulnerability Assessment and Pentesting

Merch

Recent Articles

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This