kapla0011

Surgical UNWIND_INFO preservation for sleep masking without call stack spoofing.

69% credibility
Found Apr 03, 2026 at 45 stars
AI Analysis (language: C)

AI Summary

A demonstration tool showing how a Windows program can temporarily hide its detectable signatures (by encrypting its image in memory) during a sleep period while preserving the unwind information needed for a clean resumption.

How It Works

1. 🔍 Discover the trick: you stumble upon a blog post explaining how programs can sleep without leaving traces for memory scanners.
2. 📥 Get the samples ready: you grab the two program files, one helper service that manages the hiding and one test app that stands in for a beacon.
3. 🚀 Start the hiding helper: you launch the helper service first, and it quietly waits, ready to assist any program that asks to be hidden.
4. ▶️ Run the test app: you start the test app, which connects to the helper and asks to sleep while its obvious signs are hidden.
5. 😴 Watch it nap securely: the test app sleeps with its detectable parts hidden from scanners, but the structures needed for unwinding stay in place underneath so it can wake up smoothly.
6. 🔍 Check with a scanner: while it is sleeping, you use a scanner tool to look, and it finds nothing suspicious.
7. 🏁 Wake up and win: the app wakes up, continues running normally, and you have seen one way programs stay hidden during downtime.

AI-Generated Review

What is InsomniacUnwindingCrossProcess?

This C project delivers cross-process sleep masking for Windows executables, surgically preserving the UNWIND_INFO structures so that stack unwinding keeps working while the image is encrypted, with no call stack spoofing required. A beacon-like process requests masking over a named pipe, sending its PID, image base, image size, and sleep duration; the masking service encrypts the image (hiding its signatures from YARA scans), sleeps, then decrypts it, and throughout the sleep the call stack still unwinds cleanly through BaseThreadInitThunk and RtlUserThreadStart. Build in Visual Studio x64 Release, run the service, launch the sample beacon, and verify both the evasion and the unwindability.

Why is it gaining traction?

Instead of leaving the whole .rdata section unencrypted, it keeps only the ~250 bytes of UNWIND_INFO in plaintext rather than ~6 KB, avoiding the spoofing pitfalls of traditional sleep masking in backed memory. Developers like the verifiable result: zero YARA hits during sleep and clean stack walks, with no unwind breakage forcing workarounds.

Who should use this?

Red team operators building C2 beacons needing opsec sleeps that evade detection tools while passing debugger stack inspection. Security researchers testing Windows process evasion, or pentesters simulating dormant implants with intact call stacks. Skip if you're not in low-level Windows offense.

Verdict

Solid POC for niche Windows sleep masking: 45 stars and an accompanying blog post make the docs strong, but the 69% credibility score flags it as early/experimental; fork and extend it if red teaming calls for it. Worth a spin for the UNWIND_INFO trick alone.
