
Sleeping Beauty II CFG, CET, and Stack Spoofing#2373

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Sleeping_Beauty_II_CFG_CET_and_Stack_Spoofing_ca04856ff9dbd982

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Sleeping Beauty II: CFG, CET, and Stack Spoofing

The post documents technical upgrades to StealthPalace, a Crystal Palace RDLL wrapper for Adaptix, so its sleep-obfuscation implant can survive in Windows processes protected by Control Flow Guard (CFG) and Intel CET Shadow Stack, while also hiding suspicious sleeping-thread stacks from EDR stack walkers.

This is not a CVE. It is an advanced Windows implant-evasion technique combi...

🔧 Technical Details

Runtime CFG call-target registration for ROP sleep chains. If a payload dispatches a ROP-like chain through indirect calls to mid-function gadgets, CFG will terminate the process unless each target is marked valid in the CFG bitmap. The technique is to call NtSetInformationVirtualMemory with VmCfgCallTargetInformation value 2 and CFG_CALL_TARGET_VALID = 0x1 entries for every gadget and API used as an indirect destination. For loaded images, the memory range must start at the module image base and cover the full image size. For manually mapped or stomped regions, the range must use the allocation base. This enables otherwise invalid gadgets such as jmp [rbx] or jmp rdi to be used inside CFG-protected processes.

CET-safe stack spoofing by preserving RIP. Full CONTEXT replacement breaks on CET Shadow Stack systems because changing Rip through <...

🤖 Agent Actions

I’m using the repo directly to locate the best existing Windows evasion page and avoid duplicating already-documented tricks.
Done.

Updated:

  • src/windows-hardening/av-bypass.md

Added concise technical content to the existing Ekko sleep-obfuscation section covering:

  • runtime CFG call-target registration with NtSetInformationVirtualMemory(..., VmCfgCallTargetInformation, ...)
  • CET-safe stack spoofing by preserving real Rip while spoofing Rsp + TEB/TIB stack bounds
  • APC-based Kraken Mask tradeoffs vs timer-queue Ekko dispatch
  • extra detection ideas for CFG bitmap tampering, TEB/TIB swaps, APC chains, and gadget pivots
  • reference to the new blog post in ## References

Validation:

  • checked git diff
  • verified single-file modification
  • verified references section/tail formatting remains intact

No new files were created.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
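The TEB/TIB swap and Rsp-spoofing detection idea listed above, worked through as an added illustrative heuristic (not code from the PR, StealthPalace, or HackTricks): a thread's current TEB stack bounds and Rsp are compared against a creation-time baseline and against the process memory map. The scanner record layout, memory map and thread values are constructed for the example.

```python
from dataclasses import dataclass

MEM_COMMIT, MEM_PRIVATE = 0x1000, 0x20000   # VirtualQuery State / Type flags

@dataclass
class Region:        # one entry of the process memory map (VirtualQuery style)
    base: int
    alloc_base: int
    size: int
    state: int
    type_: int

@dataclass
class ThreadSnap:    # per-thread data a scanner collects; values below are constructed
    tid: int
    rsp: int
    stack_base: int  # TEB->NtTib.StackBase as read now
    stack_limit: int # TEB->NtTib.StackLimit as read now
    base0: int       # StackBase recorded at thread creation (baseline)
    limit0: int      # StackLimit recorded at thread creation (baseline)

def region_for(regions, addr):
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)

def check_thread(t, regions):
    """Return a list of findings; an empty list means the thread looks consistent."""
    findings = []
    if (t.stack_base, t.stack_limit) != (t.base0, t.limit0):
        findings.append("TEB stack bounds differ from creation-time baseline")
    if not t.stack_limit <= t.rsp < t.stack_base:
        findings.append("Rsp outside the TEB-reported stack")
    cur = region_for(regions, t.rsp)
    orig = region_for(regions, t.limit0)
    if cur is None or not cur.state & MEM_COMMIT or cur.type_ != MEM_PRIVATE:
        findings.append("Rsp not in committed private memory")
    elif orig is None or cur.alloc_base != orig.alloc_base:
        findings.append("Rsp lies in a different allocation than the original stack")
    return findings

# Constructed sample: the committed top of a real 1 MiB thread stack, plus an
# unrelated private allocation that a sleeping thread's Rsp/TEB could be pointed at.
REGIONS = [
    Region(base=0x1F0000, alloc_base=0x100000, size=0x10000, state=MEM_COMMIT, type_=MEM_PRIVATE),
    Region(base=0x300000, alloc_base=0x300000, size=0x10000, state=MEM_COMMIT, type_=MEM_PRIVATE),
]
BENIGN = ThreadSnap(1, rsp=0x1FF800, stack_base=0x200000, stack_limit=0x1F0000, base0=0x200000, limit0=0x1F0000)
SPOOFED = ThreadSnap(2, rsp=0x30F800, stack_base=0x310000, stack_limit=0x300000, base0=0x200000, limit0=0x1F0000)

if __name__ == "__main__":
    for t in (BENIGN, SPOOFED):
        print(t.tid, check_thread(t, REGIONS) or "consistent")
```

Because a consistent spoof keeps Rsp inside the spoofed TEB bounds, the baseline comparison and the allocation-base cross-check are what actually fire here; the second thread is flagged on both.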

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://maorsabag.github.io/posts/adaptix-stealthpalace/sleeping-beauty-ii

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening > Antivirus (AV) Bypass / EDR Evasion, or a new subsection for Windows sleep obfuscation, CFG/CET bypass considerations, and stack spoofing".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
