DeathSleep: PoC implementation for an evasion technique
A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
Sleep and obfuscation methods are well known in the maldev community, with different implementations, they have the objective of hiding from memory scanners while sleeping, usually changing page protections and even adding cool features like encrypting the shellcode, but there is another important point to hide our shellcode, and is hiding the current execution thread. Spoofing the stack is cool, but after thinking a little about it I thought that there is no need to spoof the stack… if there is no stack 🙂
The usability of this technique is left to the reader to assess, but in any case, I think it is a cool way to review some topics and learn some maldev for those who, like me, are starting in this world.
The main implementation shown here holds everything that we need to take out of the stack in the data section, as global variables, but an implementation moving everything to the heap will be published soon. It aims to show some key modifications that need to be done to make this code pic and injectable.
We can view on this POC 4 core functions:
- Main program: This is where you would write your agent code, and it’s the portion of the code that will make use of DeathSleep
- Awake function: this is the entry point of all our threads, and it’s in charge of saving the starting point of the stack that we will be restoring. Also, it’s in charge of restoring the stack and CPU context when it’s needed or just launching our main program.
- DeathSleep: this is the main function of this technique and is in charge of backing up the thread context and stack, and also setting everything up for the magic to happen.
- Rebirth: A simple function only in charge of launching our new threads.