body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 X Corp.

Conversation

Chetan Nayak (Brute Ratel C4 Author)

Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster 🔥 0xdarkvortex.dev/proxying-dll-l

12

116

332

Couldn't read past the first blatantly incorrect statement. "_chkstk" doesn't catch shit, all it does is touching all the pages so that you don't subtract more than a page in one go without touching the page guard. It throws, not catches.

1

5

Furthermore, your shellcode won't crash if you don't link against _chkstk, provided that you use the compiler flag for inlining it on gcc, one of the compilers you mention explicitly by name.

2

1

Of course you can simply just copy one after the shellcode too on any other compiler

1

Chetan Nayak (Brute Ratel C4 Author)

And the PIC shellcode will crash if you exceed the stack limit and the _chkstk routine doesnt exist. I have explicitly tested it during my shellcode development for brc4.

1

1

Chetan Nayak (Brute Ratel C4 Author)

I have no idea if _chkstk can be inlined with gcc. Thats news to me. Can you provide some docs on how to do it?

1

1

1

Actually this still seems to call chkstk for whatever reason (despite it being clearly unnecessary after the generic part), but there's some magic combination of flags that omits that too.

1

Or maybe mingw-specific issue, because it seems to work on regular gcc. You can use it for shellcode just as well (or even better with ld scripts), just change default abi to ms

7:02 PM · Jan 26, 2023

335

Views

Chetan Nayak (Brute Ratel C4 Author)

Yep. It might be specific to mingw as I havent explicitly tested it with clang. Things work a lot differently with clang. And the clang libraries use _chkstk, __chkstk,___chkstk and a few more weird routines for this which are more confusing.

1

Chetan Nayak (Brute Ratel C4 Author)

And yes. In Mingw GCC LLVM, you cannot diable chkstk stack probing. Only Clang supports it

llvm/X86FrameLowering.cpp at cd5b3fa3e75b54b04a3ef6ce5229f1c6b0d6b2b8 · llvm-mirror/llvm

Project moved to: https://github.com/llvm/llvm-project - llvm/X86FrameLowering.cpp at cd5b3fa3e75b54b04a3ef6ce5229f1c6b0d6b2b8 · llvm-mirror/llvm