body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 X Corp.

Conversation

mgeeky | Mariusz Banach

And it now landed! A PoC implementation of Thread Stack Spoofing being an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocations from scanners and analysts. Inspired by marvelous

Nighthawk C2! github.com/mgeeky/ThreadS

4

138

378

that's no stack spoofing whatsoever, thats an invalid unwind. you can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`

4

3

15

mgeeky | Mariusz Banach

And as for the line of code you've shared, not quite, coz' you'd only overwrite the very last address. To access previous ones you still need to walk the call stack.

1

1

unwinding breaks after you touch the last return address since it changes how walking works. so what's the point, the rest becomes meaningless stack data as soon as you touch the last one incorrectly

10:43 AM · Sep 27, 2021