Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace
A tale of relocations, ROP chains, and the quest to make an Adaptix beacon sleep gracefully.
Table of Contents
- Introduction
- The Setup - What Are We Working With?
- Chapter 1: Preparing Adaptix - Forcing the WaitForSingleObject Import
- Chapter 2: The Art of Hooking - Crystal Palace IAT Hooks via PICO
- Chapter 3: Sleeping Beauty - Ekko Sleep Obfuscation
- Chapter 4: The Gauntlet of Linker Errors
- Chapter 5: The BOF Crash - Per-Section Permission Restore
- Final Architecture
- Building & Linking
- Conclusion
Introduction
Adaptix C2 ships a default agent DLL. Out of the box, it’s a standard PE - it gets loaded into memory with RWX permissions everywhere, no IAT hooking, no sleep obfuscation, nothing fancy. If you’re doing red team work, that’s basically walking into a SOC with a neon sign that reads “PLEASE DETECT ME.”
