Conversation

That's no stack spoofing whatsoever, that's an invalid unwind. You can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`
4
15
You're writing a leaf function into the return address which, by the way, may never call into other functions. Leaf functions are unwound by considering the next word as the return address, so this goes on until you end up with a very invalid rip.
1
8
Yeah, I get that. Actually, I didn't bother making the technique much more complex just to deliver a properly unwound, spoofed stack. My main goal was to hide from automated scanners that could pick up on a thread's call stack and reference return addresses back to allocations.
1
But if that's your point, then it's much easier to use my tweetable version. The effect is the same as in your screenshot. Depending on how many qwords from your return address you overwrite, you get as many broken frames. I can make a std::fill version and it'd still be tweetable.
1
Getting a nice-looking, properly spoofed stack is cool - and it requires merely a few more lines/functions added to the implementation. Yet I still didn't care that much about them, since the benefits are already provided by its current form. If we want to mislead analysts, then sure.
1
1
If by mislead you mean help, sure. Non-unwindable threads should look somewhat suspicious to anyone. Every respectable JIT generates unwinding info, and every module has it. If a stack can't be unwound to the bottom, it's running shellcode. Kernel anticheats already (ab)use this.
5
6