├── .gitignore
├── Call_Stack_Spoofing.sln
├── Call_Stack_Spoofing.vcxproj
├── Call_Stack_Spoofing.vcxproj.filters
├── LICENSE
├── README.md
├── main.c
├── spoof.asm
├── spoofer.h
└── structs.h


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Ll]og/
 33 | [Ll]ogs/
 34 | 
 35 | # Visual Studio 2015/2017 cache/options directory
 36 | .vs/
 37 | # Uncomment if you have tasks that create the project's static files in wwwroot
 38 | #wwwroot/
 39 | 
 40 | # Visual Studio 2017 auto generated files
 41 | Generated\ Files/
 42 | 
 43 | # MSTest test Results
 44 | [Tt]est[Rr]esult*/
 45 | [Bb]uild[Ll]og.*
 46 | 
 47 | # NUnit
 48 | *.VisualState.xml
 49 | TestResult.xml
 50 | nunit-*.xml
 51 | 
 52 | # Build Results of an ATL Project
 53 | [Dd]ebugPS/
 54 | [Rr]eleasePS/
 55 | dlldata.c
 56 | 
 57 | # Benchmark Results
 58 | BenchmarkDotNet.Artifacts/
 59 | 
 60 | # .NET Core
 61 | project.lock.json
 62 | project.fragment.lock.json
 63 | artifacts/
 64 | 
 65 | # ASP.NET Scaffolding
 66 | ScaffoldingReadMe.txt
 67 | 
 68 | # StyleCop
 69 | StyleCopReport.xml
 70 | 
 71 | # Files built by Visual Studio
 72 | *_i.c
 73 | *_p.c
 74 | *_h.h
 75 | *.ilk
 76 | *.meta
 77 | *.obj
 78 | *.iobj
 79 | *.pch
 80 | *.pdb
 81 | *.ipdb
 82 | *.pgc
 83 | *.pgd
 84 | *.rsp
 85 | *.sbr
 86 | *.tlb
 87 | *.tli
 88 | *.tlh
 89 | *.tmp
 90 | *.tmp_proj
 91 | *_wpftmp.csproj
 92 | *.log
 93 | *.tlog
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
298 | *.vbp
299 | 
300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
301 | *.dsw
302 | *.dsp
303 | 
304 | # Visual Studio 6 technical files
305 | *.ncb
306 | *.aps
307 | 
308 | # Visual Studio LightSwitch build output
309 | **/*.HTMLClient/GeneratedArtifacts
310 | **/*.DesktopClient/GeneratedArtifacts
311 | **/*.DesktopClient/ModelManifest.xml
312 | **/*.Server/GeneratedArtifacts
313 | **/*.Server/ModelManifest.xml
314 | _Pvt_Extensions
315 | 
316 | # Paket dependency manager
317 | .paket/paket.exe
318 | paket-files/
319 | 
320 | # FAKE - F# Make
321 | .fake/
322 | 
323 | # CodeRush personal settings
324 | .cr/personal
325 | 
326 | # Python Tools for Visual Studio (PTVS)
327 | __pycache__/
328 | *.pyc
329 | 
330 | # Cake - Uncomment if you are using it
331 | # tools/**
332 | # !tools/packages.config
333 | 
334 | # Tabs Studio
335 | *.tss
336 | 
337 | # Telerik's JustMock configuration file
338 | *.jmconfig
339 | 
340 | # BizTalk build output
341 | *.btp.cs
342 | *.btm.cs
343 | *.odx.cs
344 | *.xsd.cs
345 | 
346 | # OpenCover UI analysis results
347 | OpenCover/
348 | 
349 | # Azure Stream Analytics local run output
350 | ASALocalRun/
351 | 
352 | # MSBuild Binary and Structured Log
353 | *.binlog
354 | 
355 | # NVidia Nsight GPU debugger configuration file
356 | *.nvuser
357 | 
358 | # MFractors (Xamarin productivity tool) working folder
359 | .mfractor/
360 | 
361 | # Local History for Visual Studio
362 | .localhistory/
363 | 
364 | # Visual Studio History (VSHistory) files
365 | .vshistory/
366 | 
367 | # BeatPulse healthcheck temp database
368 | healthchecksdb
369 | 
370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
371 | MigrationBackup/
372 | 
373 | # Ionide (cross platform F# VS Code tools) working folder
374 | .ionide/
375 | 
376 | # Fody - auto-generated XML schema
377 | FodyWeavers.xsd
378 | 
379 | # VS Code files for those working on multiple tools
380 | .vscode/*
381 | !.vscode/settings.json
382 | !.vscode/tasks.json
383 | !.vscode/launch.json
384 | !.vscode/extensions.json
385 | *.code-workspace
386 | 
387 | # Local History for Visual Studio Code
388 | .history/
389 | 
390 | # Windows Installer files from build outputs
391 | *.cab
392 | *.msi
393 | *.msix
394 | *.msm
395 | *.msp
396 | 
397 | # JetBrains Rider
398 | *.sln.iml
399 | 


--------------------------------------------------------------------------------
/Call_Stack_Spoofing.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.11.35222.181
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Call_Stack_Spoofing", "Call_Stack_Spoofing.vcxproj", "{A0417154-1CB0-4B72-A4ED-1CB64706D807}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Debug|x64.Build.0 = Debug|x64
18 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Debug|x86.Build.0 = Debug|Win32
20 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Release|x64.ActiveCfg = Release|x64
21 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Release|x64.Build.0 = Release|x64
22 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Release|x86.ActiveCfg = Release|Win32
23 | 		{A0417154-1CB0-4B72-A4ED-1CB64706D807}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {DD4A3A46-CA0C-4850-A2D6-AA0016E56C35}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/Call_Stack_Spoofing.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{a0417154-1cb0-4b72-a4ed-1cb64706d807}</ProjectGuid>
 25 |     <RootNamespace>CallStackSpoofing</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <ClCompile>
 76 |       <WarningLevel>Level3</WarningLevel>
 77 |       <SDLCheck>true</SDLCheck>
 78 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 79 |       <ConformanceMode>true</ConformanceMode>
 80 |     </ClCompile>
 81 |     <Link>
 82 |       <SubSystem>Console</SubSystem>
 83 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 84 |     </Link>
 85 |   </ItemDefinitionGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 87 |     <ClCompile>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 90 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 91 |       <SDLCheck>true</SDLCheck>
 92 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 93 |       <ConformanceMode>true</ConformanceMode>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Console</SubSystem>
 97 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 98 |       <OptimizeReferences>true</OptimizeReferences>
 99 |       <GenerateDebugInformation>true</GenerateDebugInformation>
100 |     </Link>
101 |   </ItemDefinitionGroup>
102 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
103 |     <ClCompile>
104 |       <WarningLevel>Level3</WarningLevel>
105 |       <SDLCheck>true</SDLCheck>
106 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
107 |       <ConformanceMode>true</ConformanceMode>
108 |       <BufferSecurityCheck>false</BufferSecurityCheck>
109 |     </ClCompile>
110 |     <Link>
111 |       <SubSystem>Console</SubSystem>
112 |       <GenerateDebugInformation>true</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <FunctionLevelLinking>true</FunctionLevelLinking>
119 |       <IntrinsicFunctions>true</IntrinsicFunctions>
120 |       <SDLCheck>true</SDLCheck>
121 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
122 |       <ConformanceMode>true</ConformanceMode>
123 |       <BufferSecurityCheck>false</BufferSecurityCheck>
124 |     </ClCompile>
125 |     <Link>
126 |       <SubSystem>Console</SubSystem>
127 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
128 |       <OptimizeReferences>true</OptimizeReferences>
129 |       <GenerateDebugInformation>true</GenerateDebugInformation>
130 |     </Link>
131 |   </ItemDefinitionGroup>
132 |   <ItemGroup>
133 |     <ClInclude Include="spoofer.h" />
134 |     <ClInclude Include="structs.h" />
135 |   </ItemGroup>
136 |   <ItemGroup>
137 |     <ClCompile Include="main.c" />
138 |   </ItemGroup>
139 |   <ItemGroup>
140 |     <MASM Include="spoof.asm">
141 |       <FileType>Document</FileType>
142 |     </MASM>
143 |   </ItemGroup>
144 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
145 |   <ImportGroup Label="ExtensionTargets">
146 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
147 |   </ImportGroup>
148 | </Project>


--------------------------------------------------------------------------------
/Call_Stack_Spoofing.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="structs.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="spoofer.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClCompile Include="main.c">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |   </ItemGroup>
30 |   <ItemGroup>
31 |     <MASM Include="spoof.asm">
32 |       <Filter>Source Files</Filter>
33 |     </MASM>
34 |   </ItemGroup>
35 | </Project>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 HulkOperator
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CallStackSpoofer
2 | 
3 | This project is a pingback to my [blog post](https://hulkops.gitbook.io/blog/red-team/x64-call-stack-spoofing)
4 | 


--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
 1 | #include <Windows.h>
 2 | 
 3 | #include "spoofer.h"
 4 | 
 5 | int main() {
 6 | 
 7 | 	HMODULE pUser32 = LoadLibraryA("User32");
 8 | 	UINT64 pMessageBoxA = GetProcAddress(pUser32, "MessageBoxA");
 9 | 
10 | 	for (int i = 0; i < 5; i ++)
11 | 		CallStackSpoof(pMessageBoxA, 4, NULL, "Text", "Caption", MB_YESNO);
12 | 
13 | 
14 | 	printf("Clean Exit\n");
15 | }
16 | 


--------------------------------------------------------------------------------
/spoof.asm:
--------------------------------------------------------------------------------
  1 | .code
  2 | 
  3 | STACK_INFO STRUCT
  4 | 	pRtlUserThreadStart_RetAddr		DQ 1
  5 | 	dwRtlUserThreadStart_Size		DQ 1
  6 | 
  7 | 	pBaseThreadInitThunk_RedAddr	DQ 1
  8 | 	dwBaseThreadInitThunk_Size		DQ 1
  9 | 
 10 | 	pGadgetAddr						DQ 1
 11 | 	dwGadget_Size					DQ 1
 12 | 
 13 | 	pTargetFunction					DQ 1
 14 | 	pRbx							DQ 1
 15 | 	dwNumberOfArgs					DQ 1
 16 | 	pArgs							DQ 1
 17 | STACK_INFO ENDS
 18 | 
 19 | 
 20 | Spoof PROC
 21 | 	
 22 | 	pop r15														; Top of the stack will have return address of the Function which has called this Spoof Function
 23 | 																; When this Spoof function completes execution, we can use this value to resume the normal execution flow
 24 | 
 25 | 	mov r13, rcx												; r13 now point to STACK_INFO struct
 26 | 
 27 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 28 | 	;			Creating Synthetic Frames
 29 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 30 | 
 31 | 	push 0														; This will terminate the Stack Unwinding
 32 | 
 33 | 	; Creating The First Thread Initialising Frame
 34 | 
 35 | 	mov r10, [r13].STACK_INFO.dwRtlUserThreadStart_Size			; Size of RtlUserThreadStart
 36 | 	sub rsp, r10
 37 | 	mov r10, [r13].STACK_INFO.pRtlUserThreadStart_RetAddr
 38 | 	push r10													; Pusing the Return Address to RtlUserThreadStart
 39 | 
 40 | 	; Creating The Second Thread Initialising Frame
 41 | 
 42 | 	mov r10, [r13].STACK_INFO.dwBaseThreadInitThunk_Size		; Size of BaseThreadInitThunk
 43 | 	sub rsp, r10
 44 | 	mov r10, [r13].STACK_INFO.pBaseThreadInitThunk_RedAddr
 45 | 	push r10													; Pusing the Return Address to BaseThreadInitThunk
 46 | 
 47 | 	; Creating the Gadget's Frame
 48 | 
 49 | 	mov r10, [r13].STACK_INFO.dwGadget_Size						; Size of Gadget's Frame
 50 | 	sub rsp, r10
 51 | 	mov r10, [r13].STACK_INFO.pGadgetAddr	
 52 | 	push r10													; Pushing the Return Address to Gadget's Address
 53 | 
 54 | 
 55 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 56 | 	;			Configuring Arguments
 57 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 58 | 
 59 | 	; Configuring first 4 arguments in the registers
 60 | 
 61 | 	lea r10, [r13].STACK_INFO.pArgs
 62 | 	mov rcx, [r10]
 63 | 	mov rdx, [r10 + 8]
 64 | 	mov r8, [r10 + 16]
 65 | 	mov r9, [r10 + 24]
 66 | 
 67 | 	mov rbp,  [r13].STACK_INFO.dwNumberOfArgs
 68 | 	sub rbp, 4
 69 | 
 70 | 	; Looping to Configure Additional Arguments on the Stack
 71 | loop_start:
 72 | 	cmp rbp, 0
 73 | 	jle setup_rbx
 74 | 	mov r11, [r10 + rbp*8]
 75 | 	mov [rsp + 40 + rbp*8], r11
 76 | 	dec rbp
 77 | 	jmp loop_start
 78 | 
 79 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 80 | 	;			Setting Up RBX
 81 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 82 | 
 83 | 	; Configure the Pointer to "restore" in rbx
 84 | 
 85 | setup_rbx:
 86 | 	mov r10, restore
 87 | 	mov [r13].STACK_INFO.pRbx, r10
 88 | 	lea rbx, [r13].STACK_INFO.pRbx
 89 | 	
 90 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 91 | 	;			Executing the Target WinAPI
 92 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 93 | 
 94 | 	; JMP to the Target Function
 95 | 
 96 | 	mov r10, [r13].STACK_INFO.pTargetFunction
 97 | 	jmp r10
 98 | 
 99 | 
100 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
101 | 	;			Restoring the Stack
102 | 	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
103 | 
104 | 	; Restoring the Stack to Original State (Before Spoof Function was called)
105 | 
106 | restore:
107 | 	add rsp, 24													; Reversing the effect of Pushing 3 return addresses
108 | 
109 | 	mov r10, [r13].STACK_INFO.dwRtlUserThreadStart_Size
110 | 	add rsp, r10
111 | 
112 | 	mov r10, [r13].STACK_INFO.dwBaseThreadInitThunk_Size
113 | 	add rsp, r10
114 | 
115 | 	mov r10, [r13].STACK_INFO.dwGadget_Size
116 | 	add rsp, r10
117 | 
118 | 	jmp r15
119 | 
120 | Spoof ENDP
121 | end


--------------------------------------------------------------------------------
/spoofer.h:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <Windows.h>
  3 | #include <time.h>
  4 | #include <stdlib.h>
  5 | 
  6 | #include "structs.h"
  7 | 
  8 | extern PVOID Spoof(PSTACK_INFO);
  9 | 
 10 | typedef struct _EXCEPTION_INFO {
 11 | 
 12 | 	UINT64 hModule;
 13 | 	UINT64 pExceptionDirectory;
 14 | 	DWORD dwRuntimeFunctionCount;
 15 | 
 16 | }EXCEPTION_INFO, *PEXCEPTION_INFO;
 17 | 
 18 | VOID RetExceptionAddress(PEXCEPTION_INFO pExceptionInfo) {
 19 | 
 20 | 	UINT64 pImgNtHdr, hModule;
 21 | 	PIMAGE_OPTIONAL_HEADER64 pImgOptHdr;
 22 | 
 23 | 	hModule = pExceptionInfo->hModule;
 24 | 
 25 | 	pImgNtHdr = hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew;
 26 | 	pImgOptHdr = &((PIMAGE_NT_HEADERS64)pImgNtHdr)->OptionalHeader;
 27 | 
 28 | 	pExceptionInfo->pExceptionDirectory = hModule + pImgOptHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress;
 29 | 	pExceptionInfo->dwRuntimeFunctionCount = pImgOptHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size / sizeof(RUNTIME_FUNCTION);
 30 | 
 31 | }
 32 | 
 33 | UINT64 RetStackSize(UINT64 hModule, UINT64 pFuncAddr) {
 34 | 
 35 | 	EXCEPTION_INFO sExceptionInfo = { 0 };
 36 | 	sExceptionInfo.hModule = hModule;
 37 | 
 38 | 	RetExceptionAddress(&sExceptionInfo);
 39 | 
 40 | 	PRUNTIME_FUNCTION pRuntimeFunction = (PRUNTIME_FUNCTION)sExceptionInfo.pExceptionDirectory;
 41 | 	DWORD dwFuncOffset = pFuncAddr - hModule;
 42 | 	PUNWIND_INFO pUnwindInfo;
 43 | 	PUNWIND_CODE pUnwindCode;
 44 | 	UINT64 dwStackSize = 0;
 45 | 	
 46 | 
 47 | 	// Loop Through RunTimeFunction structures until we find the structure for our target function
 48 | 	for (int i = 0; i < sExceptionInfo.dwRuntimeFunctionCount; i++) {
 49 | 		if (dwFuncOffset >= pRuntimeFunction->BeginAddress && dwFuncOffset <= pRuntimeFunction->EndAddress) {
 50 | 			break;
 51 | 		}
 52 | 
 53 | 		pRuntimeFunction++;
 54 | 	}
 55 | 
 56 | 	// From the RunTimeFunction structure we need the offset to UnwindInfo structure
 57 | 
 58 | 	pUnwindInfo = ((PUNWIND_INFO)(hModule + pRuntimeFunction->UnwindInfoAddress));
 59 | 
 60 | 	// Loop Through the UnwindCodes 
 61 | 	pUnwindCode = pUnwindInfo->UnwindCode; // UnwindCode Array
 62 | 
 63 | 	for (int i = 0; i < pUnwindInfo->CountOfUnwindCodes; i++) {
 64 | 
 65 | 		UBYTE bUnwindCode = pUnwindCode[i].UnwindOp;
 66 | 
 67 | 		switch (bUnwindCode)
 68 | 		{
 69 | 		case UWOP_ALLOC_SMALL:
 70 | 			dwStackSize += (pUnwindCode[i].OpInfo + 1) * 8;
 71 | 			break;
 72 | 		case UWOP_PUSH_NONVOL:
 73 | 			if (pUnwindCode[i].OpInfo == 4)
 74 | 				return 0;
 75 | 			dwStackSize += 8;
 76 | 			break;
 77 | 		case UWOP_ALLOC_LARGE:
 78 | 			if (pUnwindCode[i].OpInfo == 0) {
 79 | 				dwStackSize += pUnwindCode[i + 1].FrameOffset * 8;
 80 | 				i++;
 81 | 			}
 82 | 			else {
 83 | 
 84 | 				dwStackSize += *(ULONG*)(&pUnwindCode[i + 1]);
 85 | 				i += 2;
 86 | 
 87 | 			}
 88 | 			break;
 89 | 		case UWOP_PUSH_MACHFRAME:
 90 | 			if (pUnwindCode[i].OpInfo == 0)
 91 | 				dwStackSize += 40;
 92 | 			else
 93 | 				dwStackSize += 48;
 94 | 		case UWOP_SAVE_NONVOL:
 95 | 			i++;
 96 | 			break;
 97 | 		case UWOP_SAVE_NONVOL_FAR:
 98 | 			i += 2;
 99 | 			break;
100 | 		default:
101 | 			break;
102 | 		}
103 | 
104 | 
105 | 	}
106 | 
107 | 	return dwStackSize;
108 | 
109 | }
110 | 
111 | 
112 | 
113 | PVOID RetGadget(UINT64 hModule) {
114 | 
115 | 	PVOID pGadget = NULL;
116 | 	int r = rand() % 2, count = 0;
117 | 	
118 | 	DWORD dwSize = ((PIMAGE_NT_HEADERS64)(hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew))->OptionalHeader.SizeOfImage;
119 | 
120 | 	for (int i = 0; i < dwSize - 1; i++) {
121 | 
122 | 		if (((PBYTE)hModule)[i] == 0xff && ((PBYTE)hModule)[i+1] == 0x23) {
123 | 			pGadget = hModule + i;
124 | 			if (count >= r) {
125 | 				break;
126 | 			}
127 | 			count ++;
128 | 		}
129 | 	}
130 | 	return pGadget;
131 | }
132 | 
133 | PVOID CallStackSpoof(UINT64 pTargetFunction, DWORD dwNumberOfArgs, ...) {
134 | 
135 | 	srand((time(0)));
136 | 	va_list va_args;
137 | 	STACK_INFO sStackInfo = { 0 };
138 | 	UINT64 pGadget, pRtlUserThreadStart, pBaseThreadInitThunk;
139 | 	UINT64 pNtdll, pKernel32;
140 | 
141 | 	pNtdll = GetModuleHandleA("ntdll");
142 | 	pKernel32 = GetModuleHandleA("kernel32");
143 | 
144 | 	pGadget = RetGadget(pKernel32);
145 | 	pRtlUserThreadStart = GetProcAddress(pNtdll, "RtlUserThreadStart");
146 | 	pBaseThreadInitThunk = GetProcAddress(pKernel32, "BaseThreadInitThunk");
147 | 
148 | 	sStackInfo.pGadgetAddress = pGadget;
149 | 	sStackInfo.dwGadgetSize = RetStackSize(pKernel32, pGadget);
150 | 	sStackInfo.pRtlUserThreadStart = pRtlUserThreadStart + 0x21;
151 | 	sStackInfo.dwRtlUserThreadStartSize = RetStackSize(pNtdll, pRtlUserThreadStart);
152 | 	sStackInfo.pBaseThreadInitThunk = pBaseThreadInitThunk + 0x14;
153 | 	sStackInfo.dwBaseThreadInitThunk = RetStackSize(pKernel32, pBaseThreadInitThunk);
154 | 	sStackInfo.pTargetFunction = pTargetFunction;
155 | 
156 | 	if (dwNumberOfArgs <= 4)
157 | 		sStackInfo.dwNumberOfArguments = 4;
158 | 	else if (dwNumberOfArgs % 2 != 0)
159 | 		sStackInfo.dwNumberOfArguments = dwNumberOfArgs + 1;
160 | 	else
161 | 		sStackInfo.dwNumberOfArguments = dwNumberOfArgs;
162 | 
163 | 	sStackInfo.pArgs = malloc(8 * sStackInfo.dwNumberOfArguments);
164 | 
165 | 	va_start(va_args, dwNumberOfArgs);
166 | 	for (int i = 0; i < dwNumberOfArgs; i++) {
167 | 
168 | 		(&sStackInfo.pArgs)[i] = va_arg(va_args, UINT64);
169 | 
170 | 	}
171 | 	va_end(va_args);
172 | 	return Spoof(&sStackInfo);
173 | 
174 | }
175 | 
176 | 


--------------------------------------------------------------------------------
/structs.h:
--------------------------------------------------------------------------------
 1 | #include <Windows.h>
 2 | 
 3 | 
 4 | typedef UCHAR UBYTE;
 5 | 
 6 | typedef enum _UNWIND_OP_CODES {
 7 | 	UWOP_PUSH_NONVOL,
 8 | 	UWOP_ALLOC_LARGE,
 9 | 	UWOP_ALLOC_SMALL,
10 | 	UWOP_SET_FPREG,
11 | 	UWOP_SAVE_NONVOL,
12 | 	UWOP_SAVE_NONVOL_FAR,
13 | 	UWOP_PUSH_MACHFRAME = 10
14 | };
15 | 
16 | typedef union _UNWIND_CODE
17 | {
18 | 	struct
19 | 	{
20 | 		UBYTE CodeOffset;
21 | 		UBYTE UnwindOp : 4;
22 | 		UBYTE OpInfo : 4;
23 | 	};
24 | 	USHORT FrameOffset;
25 | } UNWIND_CODE, * PUNWIND_CODE;
26 | 
27 | typedef struct _UNWIND_INFO {
28 | 	UCHAR Version : 3;
29 | 	UCHAR Flags : 5;
30 | 	UCHAR SizeOfPrologue;
31 | 	UCHAR CountOfUnwindCodes;
32 | 	UCHAR FrameRegister : 4;
33 | 	UCHAR FrameRegisterOffset : 4;
34 | 	UNWIND_CODE UnwindCode[1];
35 | 
36 | 	union {
37 | 		OPTIONAL ULONG ExceptionHandler;
38 | 		OPTIONAL ULONG FunctionEntry;
39 | 	};
40 | 	OPTIONAL ULONG ExceptionData[];
41 | 
42 | } UNWIND_INFO, * PUNWIND_INFO;
43 | 
44 | typedef struct _STACK_INFO {
45 | 
46 | 	UINT64 pRtlUserThreadStart;
47 | 	UINT64 dwRtlUserThreadStartSize;
48 | 
49 | 	UINT64 pBaseThreadInitThunk;
50 | 	UINT64 dwBaseThreadInitThunk;
51 | 
52 | 	UINT64 pGadgetAddress;
53 | 	UINT64 dwGadgetSize;
54 | 
55 | 	UINT64 pTargetFunction;
56 | 	UINT64 dwNumberOfArguments;
57 | 	UINT64 pEbx;
58 | 	PVOID pArgs;
59 | }STACK_INFO, * PSTACK_INFO;


--------------------------------------------------------------------------------