

Code snippets to add on top of the Cobalt Strike sleepmask kit so that patchless hooks on AMSI and ETW can be achieved.

Only for experimental purposes. Always test to make sure it's working as intended.

From my personal view, I suggest not using it in an existing process (i.e. inject), but in a newly spawned process (i.e. spawn).


  1. Breakpoints will be removed during sleep to avoid scanners (I hope lol)
  2. Avoids scanners like Moneta that detect whether a DLL is modified.




  1. Include "patchless.c" in sleepmask.c (only supports x64)
  2. Add the functions required to do patchless hooks on the desired functions
     • You may refer to sleepmask.c to see what has been amended
  3. Put patchless.c in the src47 folder
  4. Compile


  1. It does not cover threads that your actions create during execution, which means threads newly spawned in that period will not have the patchless hook. Theoretically, the newly spawned thread(s) will have the patchless hook after one sleep cycle, given that they still exist after entering sleep.
  2. If you want to address the above caveat, you may hook NtCreateThreadEx to do so.
  3. At the moment, it only supports x64.


All credits to @rad9800
