JavaScript is not available.

that's no stack spoofing whatsoever, thats an invalid unwind. you can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`

2:22 AM · Sep 27, 2021

Bookmarks

You're writing a leaf function into return address which, by the way, may never call into other functions. Leaf functions' are unwound by considering next word as return address, so this goes on until you end up with a very invalid rip.

Overview of Microsoft C++ exception handling conventions on x64.

In general, it seems like you're stuck in 32-bit land, where the presented code indeed would work. For x64 I'd recommend reading docs.microsoft.com/en-us/cpp/buil to understand how to actually do stack spoofing there.

learn.microsoft.com

x64 exception handling

Show replies

mgeeky | Mariusz Banach

@mariuszbit

Since the outcome is the same, resulting in a fake call stack - what's the deal whether the implementation is similar to the Nighthawk's one or not? Would you rather call it "Call Stack Spoofing" instead?

no, yours doesn't do that either. Since frame size in x64 unwinding depends on rip as written in documentation i linked, and not rbp, the whole unwinding gets out of track on the very first frame you "spoof" (corrupt)

Show replies

mgeeky | Mariusz Banach

@mariuszbit

And as for the line of code you've shared, not quite, coz' you'd only overwrite the very last address. To access previous ones you still need to walk the call stack.

unwinding breaks after you touch the last return address since it changes how walking works. so what's the point, the rest becomes meaningless stack data as soon as you touch the last one incorrectly

Dominic Chell

@domchell