namazso on Twitter: "@dez_ @joehowwolf You can scan for gadgets with a call before or to do the unwinding vs real control flow desynch with something other than a jmp. The best way to detect this is simply comparing with shadow stack. Needs a few years though until CET is the standard, too many legacy CPUs for now." / Twitter

Ever wanted to make your sketchy sys calls look squeaky clean? I wrote a blog demonstrating a PoC which calls NtOpenProcess to grab a handle to lsass with an arbitrary/spoofed call stack: labs.withsecure.com/blog/spoofing- PoC: github.com/countercept/Ca

labs.withsecure.com

Spoofing Call Stacks To Confuse EDRs

Call stacks are an understated yet often important source of telemetry for EDR products.

10

260

625

namazso

@namazso

Jun 30, 2022

It is possible to achieve the same without doing suspending or VEH, just combine this to recover control flow: unknowncheats.me/forum/anti-che

3

32

Joe Desimone

@dez_

Jul 1, 2022

neat trick using nonvol reg. I think it might be easy to detect by looking for obvious jump gadget or more generically looking for missing call instruction before ret address

1

namazso

@namazso

You can scan for gadgets with a call before or to do the unwinding vs real control flow desynch with something other than a jmp. The best way to detect this is simply comparing with shadow stack. Needs a few years though until CET is the standard, too many legacy CPUs for now.

9:34 AM · Jul 1, 2022

3

Likes

Conversation