And it now landed!
A PoC implementation of Thread Stack Spoofing, an advanced in-memory evasion technique that allows injected shellcode's memory allocations to be better hidden from scanners and analysts.
Inspired by marvelous Nighthawk C2!
github.com/mgeeky/ThreadS
That's no stack spoofing whatsoever, that's an invalid unwind. You can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`
In general, it seems like you're stuck in 32-bit land, where the presented code indeed would work. For x64 I'd recommend reading docs.microsoft.com/en-us/cpp/buil to understand how to actually do stack spoofing there.
Since the outcome is the same, resulting in a fake call stack - what's the deal whether the implementation is similar to the Nighthawk's one or not? Would you rather call it "Call Stack Spoofing" instead?
And as for the line of code you've shared, not quite, coz' you'd only overwrite the very last address. To access previous ones you still need to walk the call stack.
We said this in our internal chat but were too polite to point it out in case of more drama. But you're correct 👍 happy to see the team's work is inspiring ppl tho either way