Conversation

Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster 🔥 0xdarkvortex.dev/proxying-dll-l

116

332

namazso

@namazso

Couldn't read past the first blatantly incorrect statement. "_chkstk" doesn't catch shit, all it does is touching all the pages so that you don't subtract more than a page in one go without touching the page guard. It throws, not catches.

6:34 PM · Jan 26, 2023

1,406

Views

Furthermore, your shellcode won't crash if you don't link against _chkstk, provided that you use the compiler flag for inlining it on gcc, one of the compilers you mention explicitly by name.

Chetan Nayak (Brute Ratel C4 Author)

@NinjaParanoid

Jan 26

Maybe you should read some msdn docs instead of arrogantly shouting what you dont understand

learn.microsoft.com

_chkstk Routine - Win32 apps

Called by the compiler when you have more than one page of local variables in your function.

Show replies