Conversation

That's no stack spoofing whatsoever, that's an invalid unwind. You can achieve the same with a tweetable piece of code: `*(void**)_AddressOfReturnAddress() = CreateFileW;`
You're writing a leaf function into the return address, which, by the way, may never call into other functions. Leaf functions are unwound by considering the next word as the return address, so this goes on until you end up with a very invalid RIP.
For reference, here is how proper stack spoofing would look. Here I hid main()'s frame. As you can see, the stack correctly unwinds to RtlUserThreadStart, rather than abruptly ending like in your screenshot.
Image
Getting a nice-looking, properly spoofed stack is cool, and it requires merely a few more lines/functions added to the implementation. Yet I still didn't care that much about them, since the benefits are already provided by its current form. If we want to mislead analysts, then sure.
If by mislead you mean help, sure. Non-unwindable threads should look somewhat suspicious to anyone. Every respectable JIT generates unwinding info, and every module has it. If a stack can't be unwound to the bottom, it's running shellcode. Kernel anticheats already (ab)use this.
Choosing `CreateFileW` as an address to write all over the frames was just a simple example that let me avoid overcomplicating the implementation. Surely there's a better way to exchange stacks, possibly by fiddling with TEB.TebBaseAddress, maybe by copying the legit stack entirely?