    README.md
    skipped 42 lines
    43 43  This precise logic is provided by `walkCallStack` and `spoofCallStack` functions in `main.cpp`.
    44 44   
    45 45   
     46 +## How do I use it?
     47 + 
     48 +Look at the code and its implementation, understand the concept and re-implement the concept within your own Shellcode Loaders that you utilise to deliver your Red Team engagements.
     49 +This is an yet another technique for advanced in-memory evasion that increases your Teams' chances for not getting caught by Anti-Viruses, EDRs and Malware Analysts taking look at your implants.
     50 + 
     51 +While delivering your advanced shellcode loader, you might also want to implement:
     52 + 
     53 +- **Process Heap Encryption** - take an inspiration from this blog post: [Hook Heaps and Live Free](https://www.arashparsa.com/hook-heaps-and-live-free/) - which can let you evade Beacon configuration extractos like [`BeaconEye`](https://github.com/CCob/BeaconEye)
     54 +- **Change your Beacon's memory pages protection to `RW` (from `RX/RWX`) and encrypt their contents** before sleeping (that could evade scanners such as [`Moneta`](https://github.com/forrest-orr/moneta) or [`pe-sieve`](https://github.com/hasherezade/pe-sieve))
     55 +- **Clean any leftovers from Reflective Loader** to avoid in-memory signatured detections
     56 +- **Unhook everything you might have hooked** (such as AMSI, ETW, WLDP) before sleeping and then re-hook afterwards.
     57 + 
     58 + 
    46 59  ## Demo
    47 60   
    48 61  This is how a call stack may look like when it is **NOT** spoofed:
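Review bot: the new "How do I use it?" section (added lines 48-56) carries several typos that should be fixed before merging: `This is an yet another technique` should read `This is yet another technique`, `Teams' chances` should be `team's chances`, `Malware Analysts taking look at` should be `taking a look at`, and `configuration extractos` should be `extractors`. Line 48 is also one long run-on; something like "Read the code, understand the concept, and re-implement it in the shellcode loaders you use on Red Team engagements" reads better. The bullet on line 54 tells the reader to flip Beacon's pages to `RW` and encrypt them before sleeping but, unlike the hook bullet on line 56 ("and then re-hook afterwards"), never says the pages must be decrypted and set back to `RX` before the thread resumes; add that clause so the step is not misread as a one-way change.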
    skipped 6 lines
    55 68   
    56 69   
    57 70  ## Example run
     71 + 
     72 +Use case:
     73 + 
     74 +```
     75 +C:\> ThreadStackSpoofer.exe <shellcode> <spoof>
     76 +```
     77 + 
     78 +Where:
     79 +- `<shellcode>` is a path to the shellcode file
     80 +- `<spoof>` when `1` or `true` will enable thread stack spoofing and anything else disables it.
     81 + 
    58 82   
    59 83  Example run that spoofs beacon's thread call stack:
    60 84   
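Review bot: the usage block on added lines 72-80 is labelled `Use case:` where `Usage:` is meant, and the fence on line 74 has no language tag; a `text` or `cmd` tag would render it consistently. The `<shellcode>` description on line 79 does not say what the file must contain (raw position-independent bytes or some other format); state the expected format. Line 80 says `1` or `true` enables spoofing and anything else disables it, but not whether the match is case-sensitive (is `True` accepted?); say so, since a silently disabled spoof is easy to miss. Lines 81-82 also leave two consecutive blank lines before the example run; drop one.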
    skipped 55 lines