crash.software
Projects
Pull Requests
Issues
Builds
ThreadStackSpoofer
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY ThreadStackSpoofer Commits 7ec391c6
🤬
  • ■ ■ ■ ■ ■ ■
    README.md
    skipped 37 lines
    38 38   
    39 39  Function return addresses are scattered all around the thread's stack memory area, pointed to by `RBP/EBP` register. In order to find them on the stack, we need to firstly collect frame pointers, then dereference them for overwriting:
    40 40   
     41 +[!stack frame](images/frame.png)
     42 +(the above image was borrowed from _Eli Bendersky's_ post named [Stack frame layout on x86-64](https://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64/))
     43 + 
    41 44  ```
    42 45   *(PULONG_PTR)(frameAddr + sizeof(void*)) = Fake_Return_Address;
    43 46  ```
    skipped 138 lines
Please wait...
Page is in error, reload to recover