ScriptIdiot/sleepmask_ekko_cfg
sleepmask_ekko_cfg

Code snippets to add on top of the Cobalt Strike sleepmask kit so that Ekko can work in a CFG-protected process.

All credits to @Icebreaker

Usage

  1. Enable Ekko sleep in the sleepmask kit
  2. Include cfg.c
  3. Add the code below before the Ekko sleep

       PVOID NtContinue = KERNEL32$GetProcAddress(KERNEL32$GetModuleHandleA("ntdll.dll"), "NtContinue");
       //PVOID NtContinue = NTDLL$NtContinue; //<-- this should be the same as above
       if (!markCFGValid_nt(NtContinue))
       {
           return;
       }

  4. Put cfg.c in the folder
  5. Append the contents to bofdefs.h
  6. Compile

Caveat

  1. Sleep 0 will terminate the process, meaning that SOCKS cannot be used. (However, if an interactive process is needed, it is pointless to use Ekko; just revert to the original sleep.)

Reference

  1. /~https://github.com/IcebreakerSecurity/Ekko_CFG_Bypass
