KRAK3N

Sleeping Beauty II: CFG, CET, and Stack Spoofing

A tale of CFG bitmaps, shadow stacks, and teaching an implant to sleep in places it was never meant to survive.

In Part I, we built StealthPalace: a Crystal Palace RDLL wrapper for Adaptix with IAT hooking and Ekko-style sleep obfuscation. It worked - on most targets. But inject that payload into a process with Control Flow Guard enabled, and the first indirect call in the ROP chain triggers a CFG violation. The process dies. No callback, no fallback, just a silent STATUS_STACK_BUFFER_OVERRUN and a corpse in Event Viewer.

Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace

A tale of relocations, ROP chains, and the quest to make an Adaptix beacon sleep gracefully.

Introduction

Adaptix C2 ships a default agent DLL. Out of the box, it’s a standard PE - it gets loaded into memory with RWX permissions everywhere, no IAT hooking, no sleep obfuscation, nothing fancy. If you’re doing red team work, that’s basically walking into a SOC with a neon sign that reads “PLEASE DETECT ME.”