    README.md
    skipped 43 lines
    44 44  ![spoofed](images/spoofed2.png)
    45 45   
    46 46  Above we can see that the last frame on our call stack is our `MySleep` callback.
    47  -One can wonder if that immediately brings opportunities for IOCs hunting for threads having call stacks not unwinding into following two commonly expected thread entry points within system libraries:
     47 +One can wonder does it immediately brings opportunities new IOCs? Hunting rules can look for threads having call stacks not unwinding into following expected thread entry points located within system libraries:
    48 48   
    49 49  ```
    50 50  kernel32!BaseThreadInitThunk+0x14
    51 51  ntdll!RtlUserThreadStart+0x21
    52 52  ```
    53 53   
    54  -However the call stack of spoofed thread may look rather at first, a brief examination of my system shown, that there are other threads having call stacks not unwinding to the above handlers as well:
     54 +However the call stack of the spoofed thread may look rather odd at first, a brief examination of my system shown, that there are other threads not unwinding to the above entry points as well:
    55 55   
    56 56  ![legit call stack](images/legit-call-stack.png)
    57 57   
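Review bot: The rewritten sentence at line 47 is ungrammatical ("One can wonder does it immediately brings opportunities new IOCs?"), and line 54 still reads "a brief examination of my system shown, that"; suggest "One can wonder whether this immediately brings new IOC opportunities. Hunting rules can look for threads whose call stacks do not unwind into the following expected thread entry points located within system libraries:" and "However odd the call stack of the spoofed thread may look at first, a brief examination of my system showed that there are other threads not unwinding to the above entry points as well:". Since line 54 itself concedes that legitimate threads also fail to unwind into `kernel32!BaseThreadInitThunk` / `ntdll!RtlUserThreadStart`, the hunting-rule sentence at line 47 should state that this call-stack check is a weak indicator on its own and needs to be combined with other signals to keep false positives down.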
    skipped 227 lines