Conversation

Kurosh Dabbagh

@_Kudaes_

·

Nov 21, 2022

Unwinder, another approach to Thread Stack Spoofing by walking PE's unwind information. This technique allows to automatically create "any" desired call stack by parsing .pdata structures. It took me a little bit longer than expected, but worth the effort!

github.com

GitHub - Kudaes/Unwinder: Another approach to thread stack spoofing.

Another approach to thread stack spoofing. Contribute to Kudaes/Unwinder development by creating an account on GitHub.

2

73

155

namazso

@namazso

Not bad! The last piece you're missing from the one I presented in the original thread is a ROP gadget (like this: https://unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html… ) you can use to desynchronize unwinding from real control flow. Using such you can completely eliminate your module from the stack trace.

9:12 PM · Nov 21, 2022

1

Retweet

6

Likes

namazso

@namazso

·

Nov 21, 2022

If you do end up implementing that, I recommend finding a function that pops rbp and another one that has a frame base ptr in rbp. Using those, you can hide arbitrary chunks of the trace. This is what my implementation in that thread did, it's why I have 3 functions.

1

2

Kurosh Dabbagh

@_Kudaes_

·

Nov 21, 2022

Hey! Well, that's a really good idea, I was thinking on hardware breakpoints to hide the module from the stack, but since I've been playing with ROP lately I think i will try your approach. Thank you for the advice, once again ;)