Conversation

And it now landed! A PoC implementation of Thread Stack Spoofing being an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocations from scanners and analysts. Inspired by marvelous

@MDSecLabs

Nighthawk C2! github.com/mgeeky/ThreadS

138

378

namazso

@namazso

Sep 27, 2021

that's no stack spoofing whatsoever, thats an invalid unwind. you can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`

mgeeky | Mariusz Banach

@mariuszbit

Sep 27, 2021

Since the outcome is the same, resulting in a fake call stack - what's the deal whether the implementation is similar to the Nighthawk's one or not? Would you rather call it "Call Stack Spoofing" instead?

namazso

@namazso

Sep 27, 2021

no, yours doesn't do that either. Since frame size in x64 unwinding depends on rip as written in documentation i linked, and not rbp, the whole unwinding gets out of track on the very first frame you "spoof" (corrupt)

namazso

@namazso

If you'd even just take a look at your own screenshot, you'd see every fake "frame" is 8 bytes - since CreateFileW is a leaf function. Also leafs may never call, your frames are misaligned, and your last frame unwind to an invalid rip, blatantly leaving non-unwound stack remainin

10:37 AM · Sep 27, 2021

this is why i like twitter