JavaScript is not available.

that's no stack spoofing whatsoever, thats an invalid unwind. you can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`

You're writing a leaf function into return address which, by the way, may never call into other functions. Leaf functions' are unwound by considering next word as return address, so this goes on until you end up with a very invalid rip.

Overview of Microsoft C++ exception handling conventions on x64.

In general, it seems like you're stuck in 32-bit land, where the presented code indeed would work. For x64 I'd recommend reading docs.microsoft.com/en-us/cpp/buil to understand how to actually do stack spoofing there.

learn.microsoft.com

x64 exception handling

for reference, here is how proper stack spoofing would look like. Here i hid main()'s frame. as you can see, the stack correctly unwinds to RtlUserThreadStart, rather than abruptly ending like in your screenshot

2:26 AM · Sep 27, 2021

Retweets

Likes

Bookmarks

mgeeky | Mariusz Banach

@mariuszbit

Yeah I get that. Actually I didn't bother on getting the technique much more complex just to deliver properly unwound, spoofed stack. My main goal was to hide from automated scanners that could pick up on thread's call stack and reference return addresses back to allocations.

but if that's your point, then it's much easier to use my tweetable version. The effect is same as on your screenshot. Depending on how many qwords from your return address you overwrite, you get as many broken frames. I can make an std::fill version and it'd still be tweetable.

Show replies

mgeeky | Mariusz Banach

@mariuszbit

Getting nicely looking, properly spoofed stack is cool - and it requires merely a few lines/functions more added to the implementation. Yet still didn't that much care about them since benefits are already provided by its current form. If we want to mislead analysts, then sure