Offensive Security Tool: DeepSleep
Reading Time: 3 Minutes
Offensive Security Tool: DeepSleep
DeepSleep by thefLink, is a variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC. Evasive techniques take time to produce, find and create. They are the most important steps for any attack scenario. Without evasion, you cannot perform attacks.
Description
This tool was created to better understand how to evade memory artifacts using a Gargoyle-like technique on x64. The idea is to set up a ROPChain calling VirtualProtect() ➡ Sleep() ➡ VirtualProtect() to mark my own page as N/A while Sleeping.
Unlike Gargoyle and other Gargoyle-like implementations, this tool relied on ROP and do not queue any APC. DeepSleep itself is implemented as fully PIC, which makes it easier to enumerate which memory pages have to be hidden from scanners.
While the thread is active, a MessageBox pops up and DeepSleep’s page is marked as executable. While Sleeping, the page is marked as N/A.
This effectively bypasses Moneta at the time of writing if DeepSleep is injected and the executing thread’s base address does not point to private commited memory.
It has been verified using the Earlybird injection technique to inject DeepSleep.bin into notepad.exe
See Also: Recon Tool: qsreplace
Usage
Using Mingw:
Type make and a wild DeepSleep.bin appears.
Alternatively use the precompiled DeepSleep.bin
Limitations
This was tested on 10.0.19044 N/A Build 19044
The ROPgadgets that the tool relies on might not exist in ntdll.dll in other versions of Windows. It is probably a good idea to make use of smaller and more generic ROPgadgets and to enumerate the gadgets in more dlls than ntdll.dll.
Detection
The callstack to a thread in the DelayExecution state includes unknown/tampered memory regions and additionally includes addresses to VirtualProtect(). Hunt-Sleeping-Beacons detects this.
It may be possible to apply that metric to other C2 using a different technique to wait between callbacks.
See Also: The Difference between Vulnerability Assessment and Pentesting