GitHub: kapla0011/InsomniacUnwindingCrossProcess
Stars: 53 | Forks: 3
# InsomniacUnwinding - Cross Process
Surgical UNWIND_INFO preservation for sleep masking without call stack spoofing.
**Blog Post:** [Unwind Data Can't Sleep - Introducing InsomniacUnwinding](https://lorenzomeacci.com/unwind-data-cant-sleep-introducing-insomniacunwinding)
## Overview
Traditional sleep masking encrypts the entire payload image, breaking stack unwinding.
This cross-process POC takes a different approach:
- Sleep masking is requested via a named pipe
- Surgical extraction preserves only the `UNWIND_INFO` structures needed for stack walking (~250 bytes vs ~6KB full `.rdata`)
- No call stack spoofing required when both beacon and sleepmask live in backed memory
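To make the "~250 bytes of `UNWIND_INFO`" claim concrete for an analyst, the following added example (not part of this project) walks an x64 PE exception directory the way a stack walker does and reports the byte ranges of `UNWIND_INFO` that must stay readable for unwinding to succeed. It runs on a constructed, minimal in-memory image (offsets equal RVAs, a fake `.pdata` table and three `UNWIND_INFO` blobs in a fake `.rdata`), and generalises the README's case by also following chained entries (`UNW_FLAG_CHAININFO`) and accounting for the handler RVA on entries with an exception/termination handler. The structure layouts follow Microsoft's documented `RUNTIME_FUNCTION` / `UNWIND_INFO` formats; every RVA and value in the sample image is made up.

```python
"""Compute which UNWIND_INFO byte ranges a stack walker needs from an x64 image.

Added example for this README, not the project's own code. The image below is
a constructed buffer (offsets == RVAs); all RVAs are invented.
"""
import struct

UNW_FLAG_EHANDLER = 0x1   # UNWIND_INFO has an exception handler
UNW_FLAG_UHANDLER = 0x2   # UNWIND_INFO has a termination handler
UNW_FLAG_CHAININFO = 0x4  # UNWIND_INFO is chained to a parent RUNTIME_FUNCTION


def unwind_info_ranges(image: bytes, pdata_rva: int, pdata_size: int):
    """Return sorted, merged (start_rva, end_rva) ranges covering every
    UNWIND_INFO reachable from the .pdata table, following chained entries.

    Only the fixed structure (header, UNWIND_CODE array, chained entry or
    handler RVA) is counted; language-specific handler data is not."""
    ranges = []
    seen = set()

    def visit(unwind_rva: int) -> None:
        while unwind_rva and unwind_rva not in seen:
            seen.add(unwind_rva)
            ver_flags, _prolog, count, _frame = struct.unpack_from("<BBBB", image, unwind_rva)
            flags = ver_flags >> 3
            # UNWIND_CODE entries are 2 bytes each, padded to an even count
            size = 4 + 2 * ((count + 1) & ~1)
            if flags & UNW_FLAG_CHAININFO:
                # A RUNTIME_FUNCTION follows; its UnwindData field is the parent
                parent_rva = struct.unpack_from("<I", image, unwind_rva + size + 8)[0]
                size += 12
                ranges.append((unwind_rva, unwind_rva + size))
                unwind_rva = parent_rva
            else:
                if flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER):
                    size += 4  # ExceptionHandler RVA
                ranges.append((unwind_rva, unwind_rva + size))
                unwind_rva = 0

    for off in range(pdata_rva, pdata_rva + pdata_size, 12):
        _begin, _end, unwind_rva = struct.unpack_from("<III", image, off)
        visit(unwind_rva)

    ranges.sort()
    merged = []
    for start, end in ranges:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def preserved_bytes(ranges) -> int:
    """Total number of bytes the ranges cover."""
    return sum(end - start for start, end in ranges)


def build_sample_image():
    """Constructed 12 KB image: .pdata at 0x1800, UNWIND_INFO blobs at 0x2000+."""
    img = bytearray(0x3000)
    # A @0x2000: version 1, no flags, 3 codes (padded to 4) -> 12 bytes
    struct.pack_into("<BBBB", img, 0x2000, 0x01, 0x10, 3, 0x00)
    # B @0x2010: version 1, EHANDLER, 2 codes, handler RVA -> 12 bytes
    struct.pack_into("<BBBB", img, 0x2010, 0x01 | (UNW_FLAG_EHANDLER << 3), 0x08, 2, 0x00)
    struct.pack_into("<I", img, 0x2018, 0x1500)  # invented handler RVA
    # C @0x2020: version 1, CHAININFO, 0 codes, chained to A -> 16 bytes
    struct.pack_into("<BBBB", img, 0x2020, 0x01 | (UNW_FLAG_CHAININFO << 3), 0x00, 0, 0x00)
    struct.pack_into("<III", img, 0x2024, 0x1000, 0x1040, 0x2000)
    # .pdata: three RUNTIME_FUNCTION entries {BeginAddress, EndAddress, UnwindData}
    pdata_rva = 0x1800
    struct.pack_into("<III", img, pdata_rva, 0x1000, 0x1040, 0x2000)
    struct.pack_into("<III", img, pdata_rva + 12, 0x1040, 0x1100, 0x2010)
    struct.pack_into("<III", img, pdata_rva + 24, 0x1100, 0x1150, 0x2020)
    return bytes(img), pdata_rva, 36


if __name__ == "__main__":
    image, pdata_rva, pdata_size = build_sample_image()
    found = unwind_info_ranges(image, pdata_rva, pdata_size)
    for start, end in found:
        print(f"UNWIND_INFO 0x{start:04X}-0x{end:04X} ({end - start} bytes)")
    print(f"{preserved_bytes(found)} of {len(image)} image bytes must stay readable")
```

From a detection standpoint the output is the interesting part: an image masked this way leaves its headers, `.pdata` and a handful of small plaintext islands inside an otherwise high-entropy `.rdata`, which is a pattern a memory scanner can look for rather than relying on string signatures alone.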
## Architecture
```
                       Connects to named pipe
                       SLEEP_REQUEST {PID, ImageBase, ImageSize, SleepTimeMs}
InsomniacUnwinding.exe <──────────────────────────────────── Beacon-Sample.exe
│                                                            │
│ 1. OpenProcess(PID)                                        │
│ 2. ReadProcessMemory(ImageBase, ImageSize)                 │
│ 3. Save regions: PE Headers + .pdata + UNWIND_INFO         │
│    (~250 bytes)                                            │
│ 4. VirtualProtectEx → PAGE_READWRITE                       │
│ 5. SystemFunction032 (encrypt entire image)                │
│ 6. Patch back preserved regions                            │
│                                                            │
│ WriteProcessMemory                                         │
├───────────────────────────────────────────> [ENCRYPTED]    │
│                                                            │
│ 7. Sleep(SleepTimeMs)                       [Blocked on ReadFile]
│                                             [Stack intact]
│ 8. SystemFunction032 (decrypt)              [YARA = 0 hits]
│ 9. Patch back preserved regions                            │
│                                                            │
│ WriteProcessMemory                                         │
├───────────────────────────────────────────> [DECRYPTED]    │
│                                                            │
│ 10. VirtualProtectEx → PAGE_EXECUTE_READ                   │
│                                                            │
│ SLEEP_RESPONSE {Success, ErrorCode}                        │
└───────────────────────────────────────────>                │
                                             [Continues execution]
```
## Usage
1. Build both projects in Visual Studio (x64 Release)
2. Start the sleepmask service:
   ```powershell
   .\InsomniacUnwinding.exe
   ```
3. In another terminal, run the beacon:
   ```powershell
   .\Beacon-Sample.exe
   ```
## YARA Testing
A test YARA rule is included to verify that signatures are encrypted during sleep:
```powershell
.\yara64.exe BeaconSignature.yar
```
Expected results:
- **Awake:** 2 hits (`DEADBEEF` in `.rdata` and `.data`)
- **Sleeping:** 0 hits (signatures encrypted)
## Key Insight
Call stack spoofing is an architectural consequence of unbacked sleepmask memory, not a fundamental requirement. When the sleepmask executes from backed memory, spoofing becomes unnecessary.