And it now landed!
A PoC implementation of Thread Stack Spoofing, an advanced in-memory evasion technique that helps better hide injected shellcode's memory allocations from scanners and analysts.
Inspired by marvelous Nighthawk C2!
github.com/mgeeky/ThreadS
In general, it seems like you're stuck in 32-bit land, where the presented code indeed would work. For x64 I'd recommend reading docs.microsoft.com/en-us/cpp/buil to understand how to actually do stack spoofing there.
Getting a nicely looking, properly spoofed stack is cool - and it requires merely a few more lines/functions added to the implementation. Yet I still didn't care that much about them, since the benefits are already provided by its current form. If we want to mislead analysts, then sure
If by mislead you mean help, sure. Non-unwindable threads should look somewhat suspicious to anyone. Every respectable JIT generates unwinding info, and every module has it. If a stack can't be unwound to the bottom, it's running shellcode. Kernel anti-cheats already (ab)use this.
Sure, as stated in the README, I didn't care about the stack being unwindable because I don't believe there are heuristics analysing whether a thread's stack isn't unwindable and should be considered anomalous. All I cared about was ensuring that all frames link back to legitimate MS DLLs.
Choosing `CreateFileW` as an address to write all over the frames was just a simple example that let me avoid overcomplicating the implementation. Surely there's a better way to exchange stacks - possibly by fiddling with TEB.TebBaseAddress, maybe by copying a legit stack entirely?
But you still overcomplicated it: twitter.com/namazso/status
Also, to achieve what I or Nighthawk did, you don't need to modify anything on the stack before the call outside. Everything can be achieved just by adding some specially crafted bogus frames.
As said, I'll poke around it to come up with something better, but for now we've got at least something to begin with. I haven't yet finished exploring that land, and hopefully in a matter of days I'll think of something more comparable to Nighthawk's. :-)
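Added example, not code from ThreadStackSpoofer, Nighthawk or anyone in the conversation above: a portable C model of the unwindability check namazso describes. On x64 every non-leaf function in a PE image has a RUNTIME_FUNCTION entry in .pdata that points at UNWIND_INFO in .xdata, and an unwinder (RtlVirtualUnwind, or a scanner imitating it) uses those unwind codes to find each frame's return address and keep walking. The fake module, its .pdata/.xdata bytes, the stack image and every RVA below are constructed for illustration; the structure layouts and opcode semantics follow Microsoft's documented x64 exception-handling ABI. The model tracks only RSP (no frame register, no chained unwind info, no register restoration), which is enough to show why a return address in memory that no image covers stops the walk.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x64 .pdata entry (RUNTIME_FUNCTION in winnt.h); every field is an RVA. */
typedef struct { uint32_t BeginAddress, EndAddress, UnwindData; } RuntimeFunction;
enum { UWOP_PUSH_NONVOL = 0, UWOP_ALLOC_LARGE = 1, UWOP_ALLOC_SMALL = 2, UWOP_SAVE_NONVOL = 4,
       UWOP_SAVE_NONVOL_FAR = 5, UWOP_EPILOG = 6, UWOP_SAVE_XMM128 = 8, UWOP_SAVE_XMM128_FAR = 9 };
/* Slots consumed per unwind opcode; 0 = variable length (UWOP_ALLOC_LARGE) or undefined opcode. */
static const uint8_t slots_per_op[16] = { 1, 0, 1, 1, 2, 3, 1, 0, 2, 3, 1 };
#define XDATA_RVA 0x3000u
/* Constructed .xdata of a fake module; byte layout follows UNWIND_INFO / UNWIND_CODE. */
static const uint8_t xdata[] = {
    /* RVA 0x3000, fn_a: push rbp; push rbx; sub rsp,0x20  (Version 1, Flags 0, prolog 8, 3 codes) */
    0x01, 0x08, 0x03, 0x00,
    0x08, 0x32,             /* UWOP_ALLOC_SMALL, OpInfo 3 -> (3+1)*8 = 0x20 bytes */
    0x04, 0x30,             /* UWOP_PUSH_NONVOL rbx -> 8 bytes */
    0x02, 0x50,             /* UWOP_PUSH_NONVOL rbp -> 8 bytes */
    0x00, 0x00,             /* pad to an even number of slots */
    /* RVA 0x300C, fn_b: sub rsp,0x100  (Version 1, Flags 0, prolog 7, 2 slots) */
    0x01, 0x07, 0x02, 0x00,
    0x07, 0x01, 0x20, 0x00, /* UWOP_ALLOC_LARGE OpInfo 0, next slot 0x20 -> 0x20*8 = 0x100 bytes */
};
/* Constructed .pdata, sorted by BeginAddress as the loader requires. */
static const RuntimeFunction pdata[] = { { 0x1000, 0x1040, 0x3000 }, { 0x1040, 0x1100, 0x300C } };
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* What RtlLookupFunctionEntry does for an image: binary search .pdata for the entry covering rva. */
static const RuntimeFunction *lookup_function_entry(uint32_t rva) {
    size_t lo = 0, hi = sizeof pdata / sizeof pdata[0];
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (rva < pdata[mid].BeginAddress) hi = mid;
        else if (rva >= pdata[mid].EndAddress) lo = mid + 1;
        else return &pdata[mid];
    }
    return NULL;
}
/* Bytes from RSP (after the prolog) to the return address, as an RSP-based unwinder derives them from
 * the unwind codes. -1 for records this model skips: frame register in use, chained info, bad data. */
static int frame_size(uint32_t unwind_rva) {
    if (unwind_rva < XDATA_RVA || unwind_rva - XDATA_RVA + 4 > sizeof xdata) return -1;
    size_t off = unwind_rva - XDATA_RVA, codes = off + 4;
    uint8_t flags = xdata[off] >> 3, count = xdata[off + 2], frame_reg = xdata[off + 3] & 0x0F;
    if ((flags & 0x4) /* UNW_FLAG_CHAININFO */ || frame_reg || codes + 2 * count > sizeof xdata) return -1;
    int size = 0;
    for (unsigned i = 0; i < count; ) {
        const uint8_t *c = xdata + codes + 2 * i;
        uint8_t op = c[1] & 0x0F, info = c[1] >> 4;
        uint8_t need = op == UWOP_ALLOC_LARGE ? (info ? 3 : 2) : slots_per_op[op];
        if (!need || i + need > count) return -1;
        switch (op) {
        case UWOP_PUSH_NONVOL: size += 8; break;
        case UWOP_ALLOC_SMALL: size += (info + 1) * 8; break;
        case UWOP_ALLOC_LARGE: size += info ? (int)rd32(c + 2) : (int)rd16(c + 2) * 8; break;
        case UWOP_SAVE_NONVOL: case UWOP_SAVE_NONVOL_FAR: case UWOP_SAVE_XMM128:
        case UWOP_SAVE_XMM128_FAR: case UWOP_EPILOG: break;  /* stores into the frame, RSP unchanged */
        default: return -1;  /* UWOP_SET_FPREG, UWOP_PUSH_MACHFRAME, spare codes */
        }
        i += need;
    }
    return size;
}

/* Walk a constructed stack image (qword slots, RSP at slot 0, return address 0 = bottom in this model)
 * as a scanner would; false the moment a frame has no RUNTIME_FUNCTION, i.e. the unwinder is stuck. */
static bool stack_unwinds_to_bottom(uint32_t rip, const uint64_t *stack, size_t slots) {
    size_t rsp = 0;
    for (int depth = 0; depth < 64; depth++) {
        const RuntimeFunction *rf = lookup_function_entry(rip);
        int fs = 0;   /* no entry at depth 0: a leaf function, its return address sits at [RSP] */
        if (rf) { fs = frame_size(rf->UnwindData); if (fs < 0) return false; }
        else if (depth > 0) return false;  /* a frame that issued a call must have unwind info */
        size_t ret_slot = rsp + (size_t)fs / 8;
        if (ret_slot >= slots) return false;
        if (stack[ret_slot] == 0) return true;
        rip = (uint32_t)stack[ret_slot];
        rsp = ret_slot + 1;
    }
    return false;
}
/* Legitimate chain: RIP in fn_a, called from fn_b, whose own return address is the bottom marker. */
static bool demo_legit_stack(void) {
    uint64_t stack[64] = {0};
    stack[6] = 0x1080;   /* fn_a's frame is 0x30 bytes = 6 slots; fn_b's 0x100 bytes end at slot 39 = 0 */
    return stack_unwinds_to_bottom(0x1010, stack, 64);
}
/* Spoofed chain: the return address points into memory no image covers (0x7FFF1000 stands in for a
 * private RWX allocation), so the walk stops short of the bottom. */
static bool demo_spoofed_stack(void) {
    uint64_t stack[64] = {0};
    stack[6] = 0x7FFF1000;
    return stack_unwinds_to_bottom(0x1010, stack, 64);
}
int main(void) {
    printf("fn_a frame %d bytes, fn_b frame %d bytes\n", frame_size(0x3000), frame_size(0x300C));
    printf("legit stack unwinds: %d, spoofed: %d\n", demo_legit_stack(), demo_spoofed_stack());
}
```

Caveats a practitioner would want: the innermost frame may legitimately lack a .pdata entry (leaf functions need none), functions that use a frame register or chained unwind info need the full RtlVirtualUnwind logic rather than this RSP arithmetic, and reaching "a" bottom is not the same as reaching the expected thread start routine, which a real scanner would also verify. Frames written over with a fixed address such as `CreateFileW` pass a "points into an MS DLL" check but only survive this walk if the bytes above each return address match what that function's unwind codes expect.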