    README.md
    skipped 98 lines
    99 99  ```
    100 100  C:\> ThreadStackSpoofer.exe beacon64.bin 1
    101 101  [.] Reading shellcode bytes...
    102  -[.] Initializing stack spoofer...
     102 +[.] Thread call stack will be spoofed.
    103 103  [+] Stack spoofing initialized.
    104 104  [.] Hooking kernel32!Sleep...
    105 105  [.] Injecting shellcode...
     106 + 
    106 107  WalkCallStack: Stack Trace:
    107  - 2. calledFrom: 0x7ff7abc92de4 - stack: 0x50174ff7d0 - frame: 0x50174ff8e0 - ret: 0x1f255dabd51 - skip? 0
    108  - 3. calledFrom: 0x1f255dabd51 - stack: 0x50174ff8f0 - frame: 0x50174ff8e8 - ret: 0x1388 - skip? 0
    109  - 4. calledFrom: 0x 1388 - stack: 0x50174ff8f8 - frame: 0x50174ff8f0 - ret: 0x1f25683ae80 - skip? 0
    110  - 5. calledFrom: 0x1f25683ae80 - stack: 0x50174ff900 - frame: 0x50174ff8f8 - ret: 0x1b000100000004 - skip? 0
    111  - 6. calledFrom: 0x1b000100000004 - stack: 0x50174ff908 - frame: 0x50174ff900 - ret: 0x8003600140000 - skip? 0
    112  - 7. calledFrom: 0x8003600140000 - stack: 0x50174ff910 - frame: 0x50174ff908 - ret: 0x1f255f76040 - skip? 0
    113  - 8. calledFrom: 0x1f255f76040 - stack: 0x50174ff918 - frame: 0x50174ff910 - ret: 0x1f255d8cd9f - skip? 0
    114  - 9. calledFrom: 0x1f255d8cd9f - stack: 0x50174ff920 - frame: 0x50174ff918 - ret: 0x1f255d8cdd0 - skip? 0
    115  -WalkCallStack: Stack Trace finished.
    116  - Spoofed: 0x1f255dabd51 -> 0x7ffeb7f74b60
     108 + 2. calledFrom: 0x7ff7c8ba7f54 - stack: 0xdc5eaffbd0 - frame: 0xdc5eaffce0 - ret: 0x2550d3ebd51 - skip? 0
     109 + 3. calledFrom: 0x2550d3ebd51 - stack: 0xdc5eaffcf0 - frame: 0xdc5eaffce8 - ret: 0x1388 - skip? 0
     110 + 4. calledFrom: 0x 1388 - stack: 0xdc5eaffcf8 - frame: 0xdc5eaffcf0 - ret: 0x2550d1ff760 - skip? 0
     111 + 5. calledFrom: 0x2550d1ff760 - stack: 0xdc5eaffd00 - frame: 0xdc5eaffcf8 - ret: 0x1b000100000004 - skip? 0
     112 + 6. calledFrom: 0x1b000100000004 - stack: 0xdc5eaffd08 - frame: 0xdc5eaffd00 - ret: 0xd00017003a0001 - skip? 0
     113 + 7. calledFrom: 0xd00017003a0001 - stack: 0xdc5eaffd10 - frame: 0xdc5eaffd08 - ret: 0x2550d5b7040 - skip? 0
     114 + 8. calledFrom: 0x2550d5b7040 - stack: 0xdc5eaffd18 - frame: 0xdc5eaffd10 - ret: 0x2550d3ccd9f - skip? 0
     115 + 9. calledFrom: 0x2550d3ccd9f - stack: 0xdc5eaffd20 - frame: 0xdc5eaffd18 - ret: 0x2550d3ccdd0 - skip? 0
     116 + Spoofed: 0x2550d3ebd51 -> 0x7ffeb7f74b60
    117 117   Spoofed: 0x00001388 -> 0x7ffeb7f74b60
    118  - Spoofed: 0x1f25683ae80 -> 0x7ffeb7f74b60
     118 + Spoofed: 0x2550d1ff760 -> 0x7ffeb7f74b60
    119 119   Spoofed: 0x1b000100000004 -> 0x7ffeb7f74b60
    120  - Spoofed: 0x8003600140000 -> 0x7ffeb7f74b60
    121  - Spoofed: 0x1f255f76040 -> 0x7ffeb7f74b60
    122  - Spoofed: 0x1f255d8cd9f -> 0x7ffeb7f74b60
    123  - Spoofed: 0x1f255d8cdd0 -> 0x7ffeb7f74b60
    124  -MySleep(5000)
     120 + Spoofed: 0xd00017003a0001 -> 0x7ffeb7f74b60
     121 + Spoofed: 0x2550d5b7040 -> 0x7ffeb7f74b60
     122 + Spoofed: 0x2550d3ccd9f -> 0x7ffeb7f74b60
     123 + Spoofed: 0x2550d3ccdd0 -> 0x7ffeb7f74b60
     124 + 
     125 +===> MySleep(5000)
     126 + 
    125 127  [+] Shellcode is now running.
     128 + 
    126 129  WalkCallStack: Stack Trace:
    127  - 2. calledFrom: 0x7ff7abc92e14 - stack: 0x50174ff7d0 - frame: 0x50174ff8e0 - ret: 0x7ffeb7f74b60 - skip? 1
    128  - 3. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff8f0 - frame: 0x50174ff8e8 - ret: 0x7ffeb7f74b60 - skip? 1
    129  - 4. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff8f8 - frame: 0x50174ff8f0 - ret: 0x7ffeb7f74b60 - skip? 1
    130  - 5. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff900 - frame: 0x50174ff8f8 - ret: 0x7ffeb7f74b60 - skip? 1
    131  - 6. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff908 - frame: 0x50174ff900 - ret: 0x7ffeb7f74b60 - skip? 1
    132  - 7. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff910 - frame: 0x50174ff908 - ret: 0x7ffeb7f74b60 - skip? 1
    133  - 8. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff918 - frame: 0x50174ff910 - ret: 0x7ffeb7f74b60 - skip? 1
    134  - 9. calledFrom: 0x7ffeb7f74b60 - stack: 0x50174ff920 - frame: 0x50174ff918 - ret: 0x7ffeb7f74b60 - skip? 1
    135  -WalkCallStack: Stack Trace finished.
    136  - Restored: 0x7ffeb7f74b60 -> 0x1f255dabd51
     130 + 2. calledFrom: 0x7ff7c8ba7f84 - stack: 0xdc5eaffbd0 - frame: 0xdc5eaffce0 - ret: 0x7ffeb7f74b60 - skip? 1
     131 + 3. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffcf0 - frame: 0xdc5eaffce8 - ret: 0x7ffeb7f74b60 - skip? 1
     132 + 4. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffcf8 - frame: 0xdc5eaffcf0 - ret: 0x7ffeb7f74b60 - skip? 1
     133 + 5. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffd00 - frame: 0xdc5eaffcf8 - ret: 0x7ffeb7f74b60 - skip? 1
     134 + 6. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffd08 - frame: 0xdc5eaffd00 - ret: 0x7ffeb7f74b60 - skip? 1
     135 + 7. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffd10 - frame: 0xdc5eaffd08 - ret: 0x7ffeb7f74b60 - skip? 1
     136 + 8. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffd18 - frame: 0xdc5eaffd10 - ret: 0x7ffeb7f74b60 - skip? 1
     137 + 9. calledFrom: 0x7ffeb7f74b60 - stack: 0xdc5eaffd20 - frame: 0xdc5eaffd18 - ret: 0x7ffeb7f74b60 - skip? 1
     138 + Restored: 0x7ffeb7f74b60 -> 0x2550d3ebd51
    137 139   Restored: 0x7ffeb7f74b60 -> 0x1388
    138  - Restored: 0x7ffeb7f74b60 -> 0x1f25683ae80
     140 + Restored: 0x7ffeb7f74b60 -> 0x2550d1ff760
    139 141   Restored: 0x7ffeb7f74b60 -> 0x1b000100000004
    140  - Restored: 0x7ffeb7f74b60 -> 0x8003600140000
    141  - Restored: 0x7ffeb7f74b60 -> 0x1f255f76040
    142  - Restored: 0x7ffeb7f74b60 -> 0x1f255d8cd9f
    143  - Restored: 0x7ffeb7f74b60 -> 0x1f255d8cdd0
     142 + Restored: 0x7ffeb7f74b60 -> 0xd00017003a0001
     143 + Restored: 0x7ffeb7f74b60 -> 0x2550d5b7040
     144 + Restored: 0x7ffeb7f74b60 -> 0x2550d3ccd9f
     145 + Restored: 0x7ffeb7f74b60 -> 0x2550d3ccdd0
    144 146  ```
    145 147   
    146 148   
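Review bot: The new sample trace (new README lines 109-113) still lists values that cannot be return addresses, such as `ret: 0x1388` and `ret: 0x1b000100000004`, and the output shows them being spoofed and restored with no explanation. 0x1388 is 5000, the argument shown in `MySleep(5000)`, and from entry 3 onward the `stack:` column advances by 8 bytes per entry, so the walk appears to read consecutive stack slots rather than unwind real frames; add a sentence below the output saying so, and state what 0x7ffeb7f74b60 resolves to, since every entry ends up pointing at it. This change also drops the `WalkCallStack: Stack Trace finished.` line from both traces while keeping the `WalkCallStack: Stack Trace:` header, so please confirm the sample matches the current program output. The stray space in `calledFrom: 0x 1388` (new line 110) is carried over from the old text and looks like a padded format specifier in the logging code.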
    skipped 7 lines