And it now landed!
A PoC implementation of Thread Stack Spoofing, an advanced in-memory evasion technique that helps hide injected shellcode's memory allocations from scanners and analysts.
Inspired by marvelous Nighthawk C2!
github.com/mgeeky/ThreadS
In general, it seems like you're stuck in 32-bit land, where the presented code indeed would work. For x64 I'd recommend reading docs.microsoft.com/en-us/cpp/buil to understand how to actually do stack spoofing there.
Getting a nice-looking, properly spoofed stack is cool - and it requires merely a few more lines/functions added to the implementation. Yet I still didn't care that much about them, since the benefits are already provided by its current form. If we want to mislead analysts, then sure
Choosing `CreateFileW` as the address to write all over the frames was just a simple example that let me avoid overcomplicating the implementation. Surely there's a better way to exchange stacks - possibly by fiddling with TEB.TebBaseAddress, maybe by copying a legit stack entirely?
But you still overcomplicated it: twitter.com/namazso/status
Also, to achieve what I or Nighthawk did, you don't need to modify anything on the stack before the call outside. Everything can be achieved just by adding some specially crafted bogus frames.