Conversation

Chetan Nayak (Brute Ratel C4 Author)

@NinjaParanoid

·

Jan 26

Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster 🔥 https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/…

12

116

332

namazso

@namazso

·

Jan 26

Couldn't read past the first blatantly incorrect statement. "_chkstk" doesn't catch shit, all it does is touching all the pages so that you don't subtract more than a page in one go without touching the page guard. It throws, not catches.

1

5

namazso

@namazso

Furthermore, your shellcode won't crash if you don't link against _chkstk, provided that you use the compiler flag for inlining it on gcc, one of the compilers you mention explicitly by name.

6:36 PM · Jan 26, 2023

·

695

Views

1

Like

namazso

@namazso

·

Jan 26

Of course you can simply just copy one after the shellcode too on any other compiler

1

Chetan Nayak (Brute Ratel C4 Author)

@NinjaParanoid

·

Jan 26

And the PIC shellcode will crash if you exceed the stack limit and the _chkstk routine doesnt exist. I have explicitly tested it during my shellcode development for brc4.

1

1

Show replies

Chetan Nayak (Brute Ratel C4 Author)

@NinjaParanoid

·

Jan 26

Maybe you should read some msdn docs instead of arrogantly shouting what you dont understand

learn.microsoft.com

_chkstk Routine - Win32 apps

Called by the compiler when you have more than one page of local variables in your function.

1

1

Chetan Nayak (Brute Ratel C4 Author)

@NinjaParanoid

·

Jan 26

More RTFM for you "_chkstk() increases the stack when needed by committing some of the pages previously reserved for the stack. If there is no more physical memory available for committed pages, _chkstk fails"

1

1

Show replies