namazso on Twitter: "@joehowwolf It is possible to achieve the same without doing suspending or VEH, just combine this to recover control flow: https://t.co/iTWVxQW1Ca" / Twitter

Ever wanted to make your sketchy sys calls look squeaky clean? I wrote a blog demonstrating a PoC which calls NtOpenProcess to grab a handle to lsass with an arbitrary/spoofed call stack: labs.withsecure.com/blog/spoofing- PoC: github.com/countercept/Ca

labs.withsecure.com

Spoofing Call Stacks To Confuse EDRs

Call stacks are an understated yet often important source of telemetry for EDR products.

10

260

625

namazso

@namazso

It is possible to achieve the same without doing suspending or VEH, just combine this to recover control flow: unknowncheats.me/forum/anti-che

2:54 PM · Jun 30, 2022

8

Bookmarks

William Burgess

@joehowwolf

Jun 30, 2022

very nice - will check it out. Veh was pretty painful and I wanted a better mechanism to handle the thread but ran out of time.

1

Joe Desimone

@dez_

Jul 1, 2022

neat trick using nonvol reg. I think it might be easy to detect by looking for obvious jump gadget or more generically looking for missing call instruction before ret address

1

namazso

@namazso

Jul 1, 2022

You can scan for gadgets with a call before or to do the unwinding vs real control flow desynch with something other than a jmp. The best way to detect this is simply comparing with shadow stack. Needs a few years though until CET is the standard, too many legacy CPUs for now.

3

mgeeky | Mariusz Banach

@mariuszbit

Jun 30, 2022

That's brilliant!

Conversation