WithSecureLabs/CallStackSpoofer WithSecureLabs/CallStackSpoofer

  • Stars
    star
    294
  • Rank 140,416 (Top 3 %)
  • Language
    C++
  • Created about 2 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
WithSecureLabs/CallStackSpoofer
github

WithSecureLabs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)

CallStackSpoofer

This repository demonstrates a PoC implementation to spoof arbitrary call stacks when making system calls. For a full technical walkthrough please see the accompanying blog post here: https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs.

By default it contains three sample call stacks to mimic, which can be selected via supplying either --wmi, --rpc, or --svchost, as demonstrated below:

readmeexample

These call stacks were obtained by running SysMon with process access events enabled and searching for events where lsass was the target of the handle operation.

NB As a word of caution, this PoC was tested on the following Windows build:

  • 10.0.19044.1706 (21h2)

It has not been tested on any other versions and offsets may obviously vary (and hence break) on different Windows builds.

If you are having trouble, one technique to debug errors is to find the process generating OpenProcess events in SysMon and attach to it in WinDbg. Once attached, run bp ntdll!NtOpenProcess and when bp is hit run knf.

This will display output similar to the below, which will contain full symbol resolution and the correct stack utilisation space (indicated by the 'Memory' column):

0:003> knf
 #   Memory  Child-SP          RetAddr               Call Site
00           00000037`f01fe300 00007ffd`221d2ea6     ntdll!NtOpenProcess+0x12
01         8 00000037`f01fe308 00007ffd`1ffee959     KERNELBASE!ProcessIdToSessionId+0x96
02        80 00000037`f01fe388 00007ffd`23b99633     lsm!RpcOpenEnum+0x129
03       430 00000037`f01fe7b8 00007ffd`23b33711     RPCRT4!Invoke+0x73
04        40 00000037`f01fe7f8 00007ffd`23bfd77b     RPCRT4!Ndr64UnmarshallHandle+0xe1
05        70 00000037`f01fe868 00007ffd`23b7d2ac     RPCRT4!Ndr64StubWorker+0xb0b
06       6c0 00000037`f01fef28 00007ffd`23b7a408     RPCRT4!NdrServerCallAll+0x3c
07        50 00000037`f01fef78 00007ffd`23b5a266     RPCRT4!DispatchToStubInCNoAvrf+0x18
08        50 00000037`f01fefc8 00007ffd`23b59bb8     RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6
09        e0 00000037`f01ff0a8 00007ffd`23b68a0f     RPCRT4!RPC_INTERFACE::DispatchToStub+0xf8
0a        70 00000037`f01ff118 00007ffd`23b67e18     RPCRT4!LRPC_SCALL::DispatchRequest+0x31f
0b        d0 00000037`f01ff1e8 00007ffd`23b67401     RPCRT4!LRPC_SCALL::HandleRequest+0x7f8
0c       110 00000037`f01ff2f8 00007ffd`23b66e6e     RPCRT4!LRPC_ADDRESS::HandleRequest+0x341
0d        a0 00000037`f01ff398 00007ffd`23b6b542     RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e
0e       140 00000037`f01ff4d8 00007ffd`24ab0330     RPCRT4!LrpcIoComplete+0xc2
0f        a0 00000037`f01ff578 00007ffd`24ae2f26     ntdll!TppAlpcpExecuteCallback+0x260
10        80 00000037`f01ff5f8 00007ffd`23387034     ntdll!TppWorkerThread+0x456
11       300 00000037`f01ff8f8 00007ffd`24ae2651     KERNEL32!BaseThreadInitThunk+0x14
12        30 00000037`f01ff928 00000000`00000000     ntdll!RtlUserThreadStart+0x21

As a note, the total stack space used by the current call site is indicated in the row below (e.g. ntdll!NtOpenProcess only takes up 8 bytes). As stated previously, a complete technical walkthrough is covered in the blog linked at the start of this readme which will explain this (and concepts like Child-SP) in more detail. The values generated by windbg can then be used to correlate with what is being returned by CalculateFunctionStackSize() in the event of any problems.

Related Work

Thanks to the unicorn_pe project (https://github.com/hzqst/unicorn_pe) for example code in parsing UNWIND_CODEs.

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,743
star
2

chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
Rust
2,713
star
3

C3

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
C++
1,478
star
4

needle

The iOS Security Testing Framework
Python
1,322
star
5

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
6

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
898
star
7

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
8

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
9

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
10

android-keystore-audit

JavaScript
355
star
11

Jandroid

Python
300
star
12

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
13

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
14

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
15

snake

snake - a malware storage zoo
Shell
205
star
16

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
17

IAMSpy

Python
169
star
18

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
19

IceKube

Python
161
star
20

peas

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.
Python
152
star
21

damn-vulnerable-llm-agent

Python
145
star
22

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
23

detectree

Data visualization for blue teams
Svelte
122
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
115
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
100
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
47
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
23
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

volatility-plugins

Python
11
star
42

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
43

snake-core

snake-core - the real snake
Python
11
star
44

jdiesel

jdiesel fuels the drozer
Java
10
star
45

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
7
star
46

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
47

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
48

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
49

datamate

Python
6
star
50

deject

Memory dump and Sample analysis tool
Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star