kapla0011

A sleepmask based on Ekko that preserves unwind data at sleep time.

13
1
69% credibility
Found Mar 31, 2026 at 13 stars
AI Analysis
C
AI Summary

A Windows demonstration program that hides its memory contents during idle periods to evade detection tools while maintaining proper call stack visibility for debugging.

How It Works

1. 📖 Discover the technique

You read a blog post about a clever way for programs to hide their contents while resting, without breaking how debuggers see the call stack.

2. 💾 Get the program

You download the simple code files to try it out yourself.

3. 🛠️ Prepare to run

You use a Windows code tool to assemble the program into a ready executable.

4. ▶️ Launch the program

You start the program, which shows a process number and waits for you to get ready.

5. 🐛 Watch with a debugger

You connect a debugging viewer to the process to monitor the call stack as things happen.

6. ⏳ Trigger the sleep hide

You press enter to begin; the program rests and hides its traces from scanners.

7. 🔍 Check for hiding

You scan the resting process with a detection tool and see no signs of the hidden parts.

✅ Hiding works perfectly

You confirm the call stack looks normal through system threads, proving clean hiding with full visibility.

AI-Generated Review

What is InsomniacUnwinding?

InsomniacUnwinding is a C-based sleepmask built on the Ekko sleep mask that encrypts a Windows PE image during sleep time while surgically preserving unwind data, PE headers, and .pdata sections. It solves the problem of traditional sleepmasks breaking stack unwinding in debuggers by keeping only ~250 bytes of critical data intact instead of the full .rdata section. Run the x64 executable, attach a debugger mid-sleep, and watch the call stack resolve cleanly through BaseThreadInitThunk.

Why is it gaining traction?

Unlike full-image encryption in other GitHub sleepmasks, InsomniacUnwinding preserves just the unwind info needed for stack walking, dodging YARA signatures on test data during sleep without call stack spoofing. Developers notice the tiny footprint and reliable debugger evasion, plus built-in YARA testing to verify zero hits while sleeping. It's a smarter evolution of Ekko for precise sleepmask control.

Who should use this?

Red team operators crafting Windows payloads for EDR bypass. Security researchers testing AV stack-walking detection on x64. Malware analysts reverse-engineering sleepmask vs GitHub alternatives.

Verdict

Intriguing POC for unwind-preserving sleepmasks, but with 13 stars and a 0.7% credibility score, it's raw: docs are blog-linked but lack broad tests. Grab it for experiments if you're deep in Windows evasion; skip for production.
