## Actually this is not (yet) a true stack spoofing
50
50
51
-
As it's been pointed out to me, the technique here is not _yet_ truly holding up to its name for being _stack spoofer_. Since we're merely overwriting return addresses on the thread's stack, we're not spoofing the restpart of the stack itself andalso,initscurrentform,where we leave a sequence of `::CreateFileW` addresses acting as an example, we're making the stack non-unwindable.Meaning,thestacklooksratheroddatfirstsight.
51
+
As it's been pointed out to me, the technique here is not _yet_ truly holding up to its name for being a_stack spoofer_. Since we're merely overwriting return addresses on the thread's stack, we're not spoofing the remainingareas of the stack itself.Moreover we leave a sequence of `::CreateFileW` addresses whichlooksveryoddandletthethreadbeunabletounwinditsstack.That'sbecause`CreateFile`wasmeanttosolelyact as an example, we're making the stack non-unwindable butstillobscuringreferencestoourshellcodememorypages.
52
52
53
-
However I'm aware of thisfact, at the moment I've left it as is since I cared mostly about automated scanners that could iterate over processes, enumerate their threads, walk those threads stacks and pick up on any return address pointing back to a non-image memory (such as `SEC_PRIVATE` - the one allocated dynamically by `VirtuaAlloc` and friends). A focused malware analyst would immediately spot the oddity and consider the thread rather unusual, hunting down our implant. More than sure about it. Yet, I don't believe that nowadays automated scanners such as AV/EDR have sorts of heuristics implemented that would _actually walk each thread's stack_ to verify whether its un-windable.
53
+
However I'm aware of theseshortcomings, at the moment I've left it as is since I cared mostly aboutevading automated scanners that could iterate over processes, enumerate their threads, walk those threads stacks and pick up on any return address pointing back to a non-image memory (such as `SEC_PRIVATE` - the one allocated dynamically by `VirtuaAlloc` and friends). A focused malware analyst would immediately spot the oddity and consider the thread rather unusual, hunting down our implant. More than sure about it. Yet, I don't believe that nowadays automated scanners such as AV/EDR have sorts of heuristics implemented that would _actually walk each thread's stack_ to verify whether its un-windable`¯\_(ツ)_/¯`.
54
54
55
-
Surely withthis project (and commercial implemention found in C2 frameworks) AV & EDR vendors havenowreceivedarguments to consider implementing these heuristics.
55
+
Surely this project (and commercial implementation found in C2 frameworks) givesAV & EDR vendors arguments to consider implementing appropriate heuristicscoveringsuchanovelevasiontechnique.
56
56
57
-
The research on this subject is not yet finished and hopefully will result in better quality StackSpoofing in upcoming days. Nonetheless, I'm releasing what I got so far,tosparkle inspirations and interest community into better researching this area.
57
+
The research on the subject is not yet finished and hopefully will result in abetter quality _StackSpoofing_ in upcoming days. Nonetheless, I'm releasing what I got so farinhopeofsparkling inspirations and interest community into further researching this area.
Mariusz B. / mgeeky
committed
3 years ago
1 parent f32a8ddf