├── LICENSE ├── README.md ├── makefile └── stackMask.c /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 White Knight Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # StackMask 2 | 3 | This is a PoC of encrypting the stack prior to custom sleeping by leveraging CPU cycles. This is the code of the relevant blog post: [Masking the Implant with Stack Encryption](https://whiteknightlabs.com/2023/05/02/masking-the-implant-with-stack-encryption/) 4 | 5 | ## Workflow 6 | 7 | Retrieve the RSP address to identify where the stack begins. Then use `VirtualQuery` to retrieve the range of the page of the virtual address space of the calling process, in order to calculate the end of the stack. Before encrypting, suspend the thread to avoid any abnormal behavior. 8 | 9 | ## Demo 10 | 11 | ![stack_encryption_on_runtime](https://whiteknightlabs.com/wp-content/uploads/2023/05/Screenshot-from-2023-05-01-16-02-29.png) 12 | 13 | ## References 14 | The sleep mechanizm is taken from: https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion/ 15 | 16 | ## Author 17 | Kleiton Kurti ([@kleiton0x00](https://github.com/kleiton0x00)) 18 | -------------------------------------------------------------------------------- /makefile: -------------------------------------------------------------------------------- 1 | CCX64 := x86_64-w64-mingw32-gcc 2 | CCX86 := i686-w64-mingw32-gcc 3 | 4 | OUTX64 := stackMask.exe 5 | 6 | all: x64 7 | 8 | x64: 9 | @ echo Compiling the code... 10 | @ $(CCX64) stackMask.c -o $(OUTX64) 11 | -------------------------------------------------------------------------------- /stackMask.c: -------------------------------------------------------------------------------- 1 | //--------------------- 2 | //Author: Kleiton Kurti 3 | //Twitter: @kleiton0x7e 4 | //---------------------- 5 | //To compile 6 | //x86_64-w64-mingw32-gcc stackMask.c 7 | //---------------------- 8 | //A stack encryptor prior to custom sleeping by leveraging CPU cycles 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | DWORD WINAPI EncryptThread(LPVOID lpParameter); 15 | 16 | unsigned long long __get_timestamp() 17 | { 18 | const size_t UNIX_TIME_START = 0x019DB1DED53E8000; // Start of Unix epoch in ticks. 19 | const size_t TICKS_PER_MILLISECOND = 10000; // A tick is 100ns. 20 | LARGE_INTEGER time; 21 | time.LowPart = *(DWORD*)(0x7FFE0000 + 0x14); // Read LowPart as unsigned long. 22 | time.HighPart = *(long*)(0x7FFE0000 + 0x1c); // Read High1Part as long. 23 | return (unsigned long long)((time.QuadPart - UNIX_TIME_START) / TICKS_PER_MILLISECOND); 24 | } 25 | 26 | void __alt_sleepms(size_t ms) 27 | { 28 | volatile size_t x = rand(); // random buffer var 29 | const unsigned long long end = __get_timestamp() + ms; // calculate when we shall stop sleeping 30 | while (__get_timestamp() < end) { x += 1; } // increment random var by 1 till we reach our endtime 31 | if (__get_timestamp() - end > 2000) return; // Fast Forward check, might need some tuning 32 | } 33 | 34 | int main() { 35 | 36 | //some variables to save on stack 37 | //const char secret[] = "this is my super secret private message stored in stack"; 38 | 39 | // Get the values of RSP via assembly 40 | unsigned char *rsp; 41 | asm("movq %%rsp, %0;" : "=r" (rsp)); 42 | printf("[+] The address of rsp is %p\n", rsp); 43 | 44 | // create a thread to perform the encryption and decryption 45 | HANDLE hThread = CreateThread(NULL, 0, EncryptThread, rsp, 0, NULL); 46 | if (hThread == NULL) { 47 | printf("[-] Failed to create thread\n"); 48 | return 1; 49 | } 50 | 51 | // wait for 2 seconds to allow the thread to perform the encryption 52 | __alt_sleepms(2*1000); //performing a custom sleep for 5 seconds 53 | 54 | // resume the thread to allow it to perform the decryption 55 | printf("[+] Resuming encryption thread\n"); 56 | ResumeThread(hThread); 57 | 58 | // wait for 5 seconds to allow the decryption to finish 59 | printf("[+] Sleeping for 5 seconds...\n"); 60 | __alt_sleepms(5*1000); //performing a custom sleep for 5 seconds 61 | 62 | // suspend the thread again 63 | printf("[+] Suspending encryption thread\n"); 64 | SuspendThread(hThread); 65 | 66 | // clean up and exit 67 | CloseHandle(hThread); 68 | printf("[+] Done\n"); 69 | 70 | return 0; 71 | } 72 | 73 | DWORD WINAPI EncryptThread(LPVOID lpParameter) { 74 | //saving the XOR key in Heap, so it won't get changed during stack encryption 75 | char *key = (char*) malloc(13*sizeof(char)); 76 | strcpy(key, "myprivatekey"); 77 | int keyLength = strlen(key); 78 | 79 | // cast the parameter to the stack pointer 80 | unsigned char *rsp = (unsigned char *) lpParameter; 81 | 82 | // Get the address range of the stack where the shellcode is stored 83 | MEMORY_BASIC_INFORMATION mbi; 84 | VirtualQuery(rsp, &mbi, sizeof(mbi)); 85 | 86 | //calculate the stack Base (bottom of Stack) and the size of it 87 | unsigned char *stackRegion = mbi.BaseAddress - 8192; 88 | unsigned char *stackBase = stackRegion + mbi.RegionSize + 8192; 89 | int stackSize = stackBase - rsp; 90 | printf("[+] The address of stack region: 0x%p\n", stackRegion); 91 | printf("[+] The address of stack base: 0x%p\n", stackBase); 92 | printf("[+] The stack size: %d bytes\n", stackSize); 93 | 94 | // mask the stack with a XOR key 95 | unsigned char *p = (unsigned char *)rsp; 96 | for (int i = 0; i < stackSize; i++) { 97 | *(p++) ^= key[i % keyLength]; 98 | } 99 | 100 | printf("[+] Stack is encrypted\n"); 101 | 102 | // wait to be resumed by the main thread 103 | printf("[+] Encryption thread suspended\n"); 104 | __alt_sleepms(5*1000); //performing a custom sleep for 5 seconds 105 | 106 | // unmask the stack 107 | unsigned char *h = (unsigned char *)rsp; 108 | for (int i = 0; i < stackSize; i++) { 109 | *(h++) ^= key[i % keyLength]; 110 | } 111 | 112 | printf("[+] Stack is decrypted\n"); 113 | free(key); 114 | } 115 | --------------------------------------------------------------------------------