Conversation

And it now landed! A PoC implementation of Thread Stack Spoofing being an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocations from scanners and analysts. Inspired by marvelous

@MDSecLabs

Nighthawk C2! github.com/mgeeky/ThreadS

138

378

namazso

@namazso

Sep 27, 2021

that's no stack spoofing whatsoever, thats an invalid unwind. you can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`

namazso

@namazso

You're writing a leaf function into return address which, by the way, may never call into other functions. Leaf functions' are unwound by considering next word as return address, so this goes on until you end up with a very invalid rip.

2:24 AM · Sep 27, 2021

In general, it seems like you're stuck in 32-bit land, where the presented code indeed would work. For x64 I'd recommend reading docs.microsoft.com/en-us/cpp/buil to understand how to actually do stack spoofing there.

learn.microsoft.com

x64 exception handling

Overview of Microsoft C++ exception handling conventions on x64.

namazso

@namazso

Sep 27, 2021

for reference, here is how proper stack spoofing would look like. Here i hid main()'s frame. as you can see, the stack correctly unwinds to RtlUserThreadStart, rather than abruptly ending like in your screenshot

Show replies