# tl;dr
This post covers a payload execution pipeline that consists of two parts -- the `DOUBLEGOD` unhooking+injection technique, and the `insomnia` loader. These are simple to understand and are based on techniques discovered and implemented by other, more experienced evasion developers.
`insomnia` is available on GitHub at: https://github.com/zimnyaa/insomnia, while `DOUBLEGOD` is a small part of a private loader framework at the moment.
# DOUBLEGOD
`DOUBLEGOD` is based on [Perun's Fart](https://blog.sektor7.net/#!res/2021/perunsfart.md), so it is worth restating the underlying principle. The unhooking technique works as follows:
```text
start a suspended process ->
open handle to the process ->
read ntdll before EDR hooks it ->
overwrite own ntdll with a fresh copy
```
I learned about it in practice on an awesome Sektor7 course, and almost immediately noticed an important thing: the suspended process we created could also be used to hollow, because it is *suspended*.
Thus, `DOUBLEGOD` (as in double Perun) works something like this:
```text
start a suspended process ->
open handle to the process ->
read ntdll before EDR hooks it ->
overwrite own ntdll with a fresh copy
THEN:
hollow suspended process ->
unsuspend process ->
wait for it to be hooked ->
overwrite the hooks with the clean copy read earlier
```
This means that the injected payload can start with a clean copy of NTDLL, as long as it can be convinced to wait a bit before executing.
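From the defender's side, the chain above is a sequence of process events rather than a single action, and it is the sequence that is detectable. Below is an added example (not part of the original post or of `DOUBLEGOD`) of a small correlation rule in Python: it tracks children created with `CREATE_SUSPENDED`, and alerts when the creating parent reads the child's memory, writes to it, and then resumes it within a short window. The event schema (`Event`, the `kind` names, the field layout) is constructed for this example, loosely modelled on what EDR kernel callbacks expose; the constants are the real Win32 values.

```python
"""Correlation sketch for the suspended-create -> read -> write -> resume chain.
The telemetry schema here is an assumption made for this example, not any
vendor's format; only the Win32 constants are real SDK values."""
from dataclasses import dataclass
from typing import Dict, List

# Real Win32 values (processthreadsapi.h / winnt.h)
CREATE_SUSPENDED = 0x00000004
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020


@dataclass
class Event:
    ts: float      # seconds on a monotonic clock
    kind: str      # ProcessCreate | ProcessAccess | VmWrite | ThreadResume (assumed names)
    pid: int       # acting process
    target: int    # process acted upon (the new child for ProcessCreate)
    flags: int = 0 # creation flags or requested access mask


@dataclass
class SuspendedChild:
    parent: int
    created: float
    stages: List[str]

    def mark(self, stage: str) -> None:
        if stage not in self.stages:
            self.stages.append(stage)


def detect_hollow_chain(events: List[Event], window: float = 30.0) -> List[dict]:
    """One alert per child that was created suspended, written to by its creator,
    and resumed within `window` seconds. A prior read of the child's memory is
    recorded as `unhook_suspect`, since that is where the fresh ntdll comes from."""
    tracked: Dict[int, SuspendedChild] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ProcessCreate":
            if ev.flags & CREATE_SUSPENDED:
                tracked[ev.target] = SuspendedChild(ev.pid, ev.ts, ["suspended-create"])
            continue
        st = tracked.get(ev.target)
        # Only the creator acting on its own still-fresh child is of interest here
        if st is None or ev.pid != st.parent or ev.ts - st.created > window:
            continue
        if ev.kind == "ProcessAccess":
            if ev.flags & PROCESS_VM_READ:
                st.mark("vm-read")
            if ev.flags & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
                st.mark("write-handle")
        elif ev.kind == "VmWrite":
            st.mark("vm-write")      # image contents replaced before the first instruction ran
        elif ev.kind == "ThreadResume":
            st.mark("resume")
            if "vm-write" in st.stages:
                alerts.append({"parent": st.parent, "child": ev.target,
                               "stages": list(st.stages),
                               "unhook_suspect": "vm-read" in st.stages})
            tracked.pop(ev.target, None)  # chain complete, or a benign suspended start
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry: one full chain (4100 -> 5120) and one benign
    suspended create/resume with no memory writes (300 -> 301)."""
    return [
        Event(0.0, "ProcessCreate", 4100, 5120, CREATE_SUSPENDED),
        Event(0.1, "ProcessAccess", 4100, 5120,
              PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION),
        Event(0.5, "VmWrite", 4100, 5120),
        Event(1.0, "ThreadResume", 4100, 5120),
        Event(10.0, "ProcessCreate", 300, 301, CREATE_SUSPENDED),
        Event(10.2, "ThreadResume", 300, 301),
    ]


if __name__ == "__main__":
    for alert in detect_hollow_chain(sample_events()):
        print(alert)
```

Two things this sketch deliberately leaves out. A debugger or installer also creates suspended children, so the write-then-resume step is what carries the signal, not the suspended create alone. And the final step of the chain (the hollowed process overwriting its own hooks after it has been resumed) is an in-process write to ntdll's code pages, which shows up as a protection change on an image-backed region rather than as cross-process telemetry; that needs a separate rule.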
# did someone say "wait"?
To make the payload wait, we can use a modified version (no syscalls, as the process is unhooked already) of [DarkLoadLibrary](https://github.com/bats3c/DarkLoadLibrary) and introduce a sleep obfuscation delay.
Obviously, any Cobalt Strike UDRL could also be modified for that purpose.
I've used a modified Ekko by @C5pider, discussed at length in [[phase-dive-sleep-obfuscation]].
The resulting combination is called `insomnia`, and it is very simple:
```text
find `jmp rax` gadgets in ntdll ->
set up the timer queue to encrypt+protect the module ->
delay ->
reflectively load the DLL ->
execute the export
```
# why is `insomnia` an .exe?
I did develop a PIC version of the technique that relies heavily on VX-API for function resolution. However, because I already use process hollowing in `DOUBLEGOD`, I can just load the .exe and avoid the hassle.