GhostNap is my implementation of sleep obfuscation in Nim. It protects the shellcode implant, but also protects the reflective DLLs loaded by the shellcode, as Meterpreter and Cobalt Strike beacons love to do.

Most of the sleep obfuscation techniques I encountered were protecting the image. Regarding protecting shellcodes, ShellGhost is really awesome, but the only other one I know, ShellcodeFluctuation, didn't work well for me. Also, I have not yet seen pure shellcode implants that do not depend on loading other PEs, so I believe that my solution is kind of filling this gap. It is also coded in Nim, which is the thing 💛
- Installs a hook on `kernel32:Sleep` (so your implant must use it).
- Allocates memory for the shellcode implant, then changes the protection to `PAGE_EXECUTE_READWRITE`.
- Installs a hook on `kernel32:VirtualAlloc` (so your implant must not use lower calls like `NtAllocateVirtualMemory`).
- Copies the shellcode, and executes it via Fiber or by the `CertEnumSystemStore` callback.
- Any invocation of `VirtualAlloc` is intercepted, and the permission is compared against `PAGE_READWRITE`, `PAGE_EXECUTE_READ`, or `PAGE_EXECUTE_READWRITE`. If the comparison yields a positive result, we proceed to protect the corresponding memory page as well.
- Any call to `Sleep` will:
  - Remove the `X` permission from the shellcode and any other protected page.
  - Encode the shellcode and any other protected page by single-byte XOR, or by RC4 using `SystemFunction032`.
  - Sleep.
  - Decode each page back.
  - Add the `X` permission again.
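A defender-side check for the Sleep cycle just described, added here as an example (it is not GhostNap's code): it walks a constructed API-call trace and reports regions where execute permission is removed, a Sleep follows, and execute permission is restored on the same base, which is exactly the toggle the hook performs, while ignoring toggles that have no Sleep between them. The trace format and the `VirtualAlloc`/`VirtualProtect`/`Sleep` event names are assumptions about what an API-monitoring sensor would emit; the sample trace is constructed.

```python
"""Detect the 'strip X -> Sleep -> restore X' cycle of sleep obfuscation in an API-call trace.

Constructed example: the trace format below (one dict per intercepted call,
ordered by ``seq``) is an assumption; it is not GhostNap's own code or output.
"""
from typing import Dict, List, Set, Tuple

# Windows memory-protection constants (winnt.h); every PAGE_EXECUTE* value
# lives in the high nibble, so a mask of 0xF0 tests for execute permission.
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0

# Constructed trace of API calls from one process (not real sensor output).
# Region 0x1A0000: allocated RWX, then X stripped around each Sleep (two cycles).
# Region 0x2B0000: ordinary RW data later made read-only (never executable).
# Region 0x3C0000: X toggled with no Sleep in between (e.g. a JIT) -> must not fire.
TRACE: List[Dict] = [
    {"seq": 1, "api": "VirtualAlloc", "base": 0x1A0000, "size": 0x1000, "prot": PAGE_EXECUTE_READWRITE},
    {"seq": 2, "api": "VirtualAlloc", "base": 0x2B0000, "size": 0x3000, "prot": PAGE_READWRITE},
    {"seq": 3, "api": "VirtualProtect", "base": 0x1A0000, "old": PAGE_EXECUTE_READWRITE, "new": PAGE_READWRITE},
    {"seq": 4, "api": "Sleep", "ms": 5000},
    {"seq": 5, "api": "VirtualProtect", "base": 0x1A0000, "old": PAGE_READWRITE, "new": PAGE_EXECUTE_READWRITE},
    {"seq": 6, "api": "VirtualProtect", "base": 0x2B0000, "old": PAGE_READWRITE, "new": PAGE_READONLY},
    {"seq": 7, "api": "VirtualProtect", "base": 0x3C0000, "old": PAGE_EXECUTE_READ, "new": PAGE_READWRITE},
    {"seq": 8, "api": "VirtualProtect", "base": 0x3C0000, "old": PAGE_READWRITE, "new": PAGE_EXECUTE_READ},
    {"seq": 9, "api": "VirtualProtect", "base": 0x1A0000, "old": PAGE_EXECUTE_READWRITE, "new": PAGE_READWRITE},
    {"seq": 10, "api": "Sleep", "ms": 5000},
    {"seq": 11, "api": "VirtualProtect", "base": 0x1A0000, "old": PAGE_READWRITE, "new": PAGE_EXECUTE_READWRITE},
]


def is_executable(prot: int) -> bool:
    """True for any PAGE_EXECUTE* protection value."""
    return bool(prot & EXECUTE_MASK)


def find_rwx_allocations(trace: List[Dict]) -> List[int]:
    """Bases of regions allocated writable and executable in a single step."""
    return [ev["base"] for ev in trace
            if ev["api"] == "VirtualAlloc" and ev["prot"] == PAGE_EXECUTE_READWRITE]


def find_sleep_masking(trace: List[Dict]) -> Dict[int, List[Tuple[int, int]]]:
    """Map region base -> list of (strip_seq, restore_seq) pairs that bracket a Sleep.

    A region is counted only when X is removed, at least one Sleep follows,
    and X is then restored on the same base. An X toggle with no Sleep in
    between is discarded so ordinary JIT/unpacker behaviour does not fire.
    """
    stripped: Dict[int, int] = {}       # base -> seq where X was removed
    slept: Set[int] = set()             # bases that saw a Sleep after stripping
    cycles: Dict[int, List[Tuple[int, int]]] = {}
    for ev in sorted(trace, key=lambda e: e["seq"]):
        if ev["api"] == "Sleep":
            slept.update(stripped)
        elif ev["api"] == "VirtualProtect":
            base = ev["base"]
            was_x, now_x = is_executable(ev["old"]), is_executable(ev["new"])
            if was_x and not now_x:
                stripped[base] = ev["seq"]
                slept.discard(base)
            elif now_x and not was_x:
                if base in stripped and base in slept:
                    cycles.setdefault(base, []).append((stripped[base], ev["seq"]))
                stripped.pop(base, None)
                slept.discard(base)
    return cycles


def summarize(trace: List[Dict]) -> Dict[int, int]:
    """Region base -> number of strip/Sleep/restore cycles observed."""
    return {base: len(pairs) for base, pairs in find_sleep_masking(trace).items()}


if __name__ == "__main__":
    print("RWX allocations:", [hex(b) for b in find_rwx_allocations(TRACE)])
    for base, pairs in find_sleep_masking(TRACE).items():
        print(f"sleep-masking cycles on {base:#x}: {pairs}")
```

On the constructed trace only the 0x1A0000 region fires (two cycles); the read-only transition on 0x2B0000 never involved execute permission, and the 0x3C0000 toggle has no Sleep inside it. Counting cycles per region rather than alerting on the first one keeps the check robust against a single benign protection change, since an implant repeats the cycle on every beacon interval.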
Built with Nim 1.6.12.

```
nimble install winim ptr_math nimprotect minhook
```

Just edit the config at the source file, it's very commented.

Compile with `-d:release`, unless you want to see verbose prints.
- khchen for the great projects minhook and winim
- s3cur3th1ssh1t for SystemFunction032 Nim implementation
- All the other work done by smarter guys than me on sleep obfuscation