body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 X Corp.

Conversation

Chetan Nayak (Brute Ratel C4 Author)

Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster 🔥 0xdarkvortex.dev/proxying-dll-l

12

116

332

Couldn't read past the first blatantly incorrect statement. "_chkstk" doesn't catch shit, all it does is touching all the pages so that you don't subtract more than a page in one go without touching the page guard. It throws, not catches.

1

5

Furthermore, your shellcode won't crash if you don't link against _chkstk, provided that you use the compiler flag for inlining it on gcc, one of the compilers you mention explicitly by name.

2

1

Of course you can simply just copy one after the shellcode too on any other compiler

1

Chetan Nayak (Brute Ratel C4 Author)

And the PIC shellcode will crash if you exceed the stack limit and the _chkstk routine doesnt exist. I have explicitly tested it during my shellcode development for brc4.

1

1

Chetan Nayak (Brute Ratel C4 Author)

I have no idea if _chkstk can be inlined with gcc. Thats news to me. Can you provide some docs on how to do it?

1

1

6:58 PM · Jan 26, 2023

239

Views

Actually this still seems to call chkstk for whatever reason (despite it being clearly unnecessary after the generic part), but there's some magic combination of flags that omits that too.

1

Or maybe mingw-specific issue, because it seems to work on regular gcc. You can use it for shellcode just as well (or even better with ld scripts), just change default abi to ms

1

Show replies