And now it has landed!
A PoC implementation of Thread Stack Spoofing, an advanced in-memory evasion technique that helps hide injected shellcode's memory allocations from scanners and analysts.
Inspired by marvelous Nighthawk C2!
github.com/mgeeky/ThreadS
Since the outcome is the same, resulting in a fake call stack, what's the deal whether the implementation is similar to Nighthawk's or not? Would you rather call it "Call Stack Spoofing" instead?
No, yours doesn't do that either. Since the frame size in x64 unwinding depends on RIP, as written in the documentation I linked, and not on RBP, the whole unwinding gets out of track on the very first frame you "spoof" (corrupt).
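The unwinding argument in the reply above, as an added example that is not code from this thread, from the ThreadStackSpoofer project or from Nighthawk: a small C model of x64 table-based unwinding (RUNTIME_FUNCTION lookup by RIP plus UNWIND_INFO decoding). The four functions, their unwind code bytes, the addresses and the stack contents are constructed for illustration and come from no real binary. It shows that the frame size is derived from the unwind codes selected by RIP alone, so clobbering a saved RBP slot leaves the walk unchanged, while replacing the first return address with an address inside a function that has a different frame layout makes the unwinder read the wrong slot on the very next frame.

```c
/* Added example: model of x64 table-based unwinding. All functions, unwind
 * codes, addresses and stack contents are constructed here, not taken from
 * any real binary. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { UWOP_PUSH_NONVOL = 0, UWOP_ALLOC_LARGE = 1, UWOP_ALLOC_SMALL = 2,
       UWOP_SET_FPREG = 3, UWOP_SAVE_NONVOL = 4, UWOP_SAVE_NONVOL_FAR = 5,
       UWOP_SAVE_XMM128 = 8, UWOP_SAVE_XMM128_FAR = 9, UWOP_PUSH_MACHFRAME = 10 };

typedef struct { uint64_t begin, end; const uint8_t *unwind; } runtime_function;

/* UNWIND_INFO blobs: [ver|flags][prolog size][code count][frame reg|offset]
 * followed by UNWIND_CODE pairs [CodeOffset][OpInfo<<4 | UnwindOp], last
 * prolog instruction first. Frame sizes: A=0x28, B=0x50, C=0x28, D=0x78. */
static const uint8_t UI_A[] = { 0x01, 5, 2, 0, 5, 0x32, 1, 0x30 };          /* push rbx; sub rsp,0x20 */
static const uint8_t UI_B[] = { 0x01, 6, 3, 0, 6, 0x72, 2, 0x30, 1, 0x50 }; /* push rbp; push rbx; sub rsp,0x40 */
static const uint8_t UI_C[] = { 0x01, 4, 1, 0, 4, 0x42 };                   /* sub rsp,0x28 */
static const uint8_t UI_D[] = { 0x01, 4, 1, 0, 4, 0xE2 };                   /* sub rsp,0x78 */

#define TABLE_N 4
static const runtime_function TABLE[TABLE_N] = {
    { 0x1000, 0x1100, UI_A }, { 0x2000, 0x2200, UI_B },
    { 0x3000, 0x3100, UI_C }, { 0x4000, 0x4100, UI_D },
};

/* Like RtlLookupFunctionEntry: the only input is RIP. */
static const runtime_function *lookup(uint64_t rip)
{
    for (size_t i = 0; i < TABLE_N; i++)
        if (rip >= TABLE[i].begin && rip < TABLE[i].end) return &TABLE[i];
    return NULL;
}

/* Bytes of stack the prolog has consumed when RIP is rip_off bytes into the
 * function: codes whose CodeOffset lies past RIP (prolog not yet executed)
 * are skipped, the rest are summed. No register value enters this. */
uint64_t frame_size(const uint8_t *ui, uint64_t rip_off)
{
    const uint8_t *codes = ui + 4;
    unsigned count = ui[2], i = 0;
    uint64_t size = 0;
    while (i < count) {
        uint8_t off = codes[2*i], op = codes[2*i + 1] & 0xF, info = codes[2*i + 1] >> 4;
        unsigned nodes = 1;
        uint64_t delta = 0;
        switch (op) {
        case UWOP_PUSH_NONVOL: delta = 8; break;
        case UWOP_ALLOC_SMALL: delta = (uint64_t)info * 8 + 8; break;
        case UWOP_ALLOC_LARGE:
            if (info == 0) { nodes = 2; delta = 8ull * (codes[2*i + 2] | codes[2*i + 3] << 8); }
            else { nodes = 3; delta = (uint64_t)codes[2*i + 2] | (uint64_t)codes[2*i + 3] << 8
                                    | (uint64_t)codes[2*i + 4] << 16 | (uint64_t)codes[2*i + 5] << 24; }
            break;
        case UWOP_SAVE_NONVOL: case UWOP_SAVE_XMM128: nodes = 2; break;
        case UWOP_SAVE_NONVOL_FAR: case UWOP_SAVE_XMM128_FAR: nodes = 3; break;
        case UWOP_PUSH_MACHFRAME: delta = info ? 48 : 40; break;
        default: break; /* UWOP_SET_FPREG: RSP unchanged; frame-pointer frames are not modelled */
        }
        if (off <= rip_off) size += delta;
        i += nodes;
    }
    return size;
}

/* Simulated unwind loop. stack[] is a small stack region whose slot k holds
 * the qword at byte offset 8*k; rsp is a byte offset into it. Each step gets
 * the frame size from RIP alone, reads the return address just above the
 * frame, and stops when RIP is not covered by the table (unwinder lost). */
int walk(const uint64_t *stack, size_t slots, uint64_t rip, uint64_t rsp,
         uint64_t *out, int max)
{
    int depth = 0;
    while (depth < max) {
        const runtime_function *f = lookup(rip);
        if (!f) break;
        uint64_t ret_slot = rsp + frame_size(f->unwind, rip - f->begin);
        if (ret_slot / 8 >= slots) break;
        rip = stack[ret_slot / 8];
        rsp = ret_slot + 8;
        out[depth++] = rip;
        if (rip == 0) break;              /* bottom of the thread */
    }
    return depth;
}

/* Constructed stack: A (RIP 0x1050) was called from B (0x2080), B from C
 * (0x3040); C's return slot holds 0. Every other slot is 0xCC filler. */
#define STACK_SLOTS 64
#define START_RIP 0x1050
#define START_RSP 0x100
void build_stack(uint64_t *stack)
{
    memset(stack, 0xCC, STACK_SLOTS * sizeof *stack);
    stack[0x128 / 8] = 0x2080;   /* A's return address: 0x100 + frame 0x28 */
    stack[0x180 / 8] = 0x3040;   /* B's return address: 0x130 + frame 0x50 */
    stack[0x1B0 / 8] = 0;        /* C's return address: 0x188 + frame 0x28 */
}

static void show(const char *label, const uint64_t *stack)
{
    uint64_t frames[8];
    int n = walk(stack, STACK_SLOTS, START_RIP, START_RSP, frames, 8);
    printf("%s:", label);
    for (int i = 0; i < n; i++) printf(" %#llx", (unsigned long long)frames[i]);
    printf("\n");
}

int main(void)
{
    uint64_t stack[STACK_SLOTS];
    build_stack(stack);
    show("genuine", stack);                  /* 0x2080 0x3040 0 */
    stack[0x178 / 8] = 0x4141414141414141ULL; /* clobber B's saved RBP */
    show("saved rbp clobbered", stack);      /* unchanged: 0x2080 0x3040 0 */
    build_stack(stack);
    stack[0x128 / 8] = 0x4050;               /* spoof A's return address into D */
    show("return address spoofed", stack);   /* 0x4050 0xcccccccccccccccc: D's frame size is applied, walk derails */
    return 0;
}
```

The spoofed walk never reaches B or C: once the first return address points into D, the unwinder applies D's 0x78-byte frame to a stack laid out for B's 0x50-byte frame, reads filler as the next return address, and gives up because that value is in no function table entry. Real Windows unwinding adds frame-pointer (UWOP_SET_FPREG) and chained-info handling that this model leaves out, but the lookup is driven by RIP in the same way.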