Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the SpecterOps Blog.
TL;DR: You can use sleepy to automate common tasks when working with Sleep code.
Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications and has been used in few projects; most notably Cobalt Strike.
Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on the SpecterOps Blog.
What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers.
Special thanks are needed to Elad, Lee, Will, Daniel, and Kai. Elad, Lee, and Will have contributed several ideas to the project, which are documented here, and have each spent multiple days testing the tool. Daniel has answered all of my inevitable questions about AzureAD (whoops, now Ent
| // Copyright (C) 2024 Evan McBroom | |
| #include <Windows.h> | |
| #include <iostream> | |
| #include <vector> | |
| #include <WbemCli.h> | |
| #include <atlbase.h> | |
| #include <iomanip> | |
| // The modified, compiled IDL file from: |
| // Copyright (C) 2023 Evan McBroom | |
| // Originally authored October 19th, 2023. | |
| // | |
| // Geoff Chappell first documented the format of the loader lock cookie on November 26th, 2008. | |
| // His work is applied here to unlock the loader lock without knowing the original cookie that | |
| // LdrLockLoaderLock returned. This same example code may be safely used in DllMain to unlock | |
| // the loader lock and execute code that would otherwise deadlock the loader. | |
| // Sources: | |
| // - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/lockloaderlock.htm | |
| // - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/unlockloaderlock.htm |