The research on the subject is not yet finished and hopefully will result in a better quality _Stack Spoofing_ in upcoming days. Nonetheless, I'm releasing what I got so far in hope of sparkling inspirations and interest community into further researching this area.
58
58
59
+
Next areas improving the outcome are to research how we can _exchange_ or copy stacks from a legitimate thread running `kernel32!Sleep` or possibly by manipulating our Beacon's thread `TEB/TIB` structures and fields such as `TebBaseAddress` by providing shadowed TEB. Another idea is to play with `RBP/EBP` and `RSP/ESP` pointers on a paused Beacon's thread to change stacks in a similar manner to ROP chains.
Mariusz B. / mgeeky
committed
3 years ago
1 parent b3eb38b4