This is C++ code designed to easily perform stack spoofing with a fake stack frame placed after the gadget. The project is based on LoudSunRun, but instead of using the `jmp RBX` gadget it utilizes `jmp RDI`.
Nowadays some EDRs have stopped hooking Nt functions in ntdll.dll, because such hooks are easy to evade, and instead inspect the thread's call stack, as demonstrated by Elastic's work on ETW call-stack telemetry:
https://www.elastic.co/security-labs/doubling-down-etw-callstacks
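To show what such call-stack inspection looks for, here is a defender-side check (an added example, not code from this project or from Elastic): it walks a list of captured frames and flags any return address that points directly at a `jmp rdi`/`jmp rbx` gadget or that is not preceded by a call instruction, which is exactly what a fake frame placed behind a gadget looks like. The frames, the code bytes around each return address, and the `<gadget>` symbol are constructed for the example; the opcode encodings (`FF E7` for `jmp rdi`, `FF E3` for `jmp rbx`, `E8`/`FF 15`/`FF /2` for the common call forms) are real x86-64 encodings, but the call detection is a heuristic rather than a full instruction decoder.

```python
"""Defender-side sanity check over a captured thread call stack.

Added example: flag return addresses that could not have been produced by a
call instruction, e.g. ones that land on a `jmp rdi` gadget.
"""
from dataclasses import dataclass

# x86-64 encodings: FF /4 with a register operand is `jmp r64`;
# the ModRM byte is E7 for rdi and E3 for rbx.
JMP_RDI = b"\xff\xe7"
JMP_RBX = b"\xff\xe3"


@dataclass
class Frame:
    module: str
    symbol: str
    offset: int
    preceding: bytes  # the 7 code bytes immediately before the return address
    at: bytes         # the first 2 code bytes at the return address


def preceded_by_call(preceding: bytes) -> bool:
    """Heuristic: do the bytes before the return address end in a call?

    Covers call rel32, call [rip+disp32] and call r64 (with or without a REX
    prefix). Other addressing modes are not decoded, so False is a hint that
    deserves a closer look, not proof of spoofing.
    """
    p = preceding
    if len(p) >= 5 and p[-5] == 0xE8:                     # E8 rel32
        return True
    if len(p) >= 6 and p[-6:-4] == b"\xff\x15":           # FF 15 disp32 (call [rip+disp32])
        return True
    if len(p) >= 2 and p[-2] == 0xFF and p[-1] >= 0xC0 and (p[-1] >> 3) & 7 == 2:
        return True                                        # FF /2, mod=11: call rax..rdi
    if (len(p) >= 3 and p[-3] in (0x41, 0x49) and p[-2] == 0xFF
            and p[-1] >= 0xC0 and (p[-1] >> 3) & 7 == 2):
        return True                                        # REX.B + FF /2: call r8..r15
    return False


def analyze_stack(frames):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for i, f in enumerate(frames):
        where = f"frame {i} {f.module}!{f.symbol}+0x{f.offset:x}"
        if f.at[:2] in (JMP_RDI, JMP_RBX):
            findings.append(f"{where}: return address is a jmp rdi/jmp rbx gadget")
        elif not preceded_by_call(f.preceding):
            findings.append(f"{where}: no call instruction precedes the return address")
    return findings


# Constructed sample: a stack whose innermost return address sits on a gadget,
# followed by the two fake frames described on this page.
SUSPICIOUS_STACK = [
    Frame("ntdll.dll", "<gadget>", 0x0,
          preceding=bytes.fromhex("48895c24084889"), at=JMP_RDI),
    Frame("kernel32.dll", "BaseThreadInitThunk", 0x14,
          preceding=bytes.fromhex("8bcbe81a2b3c4d"), at=b"\x48\x8b"),  # ends in E8 rel32
    Frame("ntdll.dll", "RtlUserThreadStart", 0x21,
          preceding=bytes.fromhex("cbff15abcdef01"), at=b"\x48\x8b"),  # ends in FF 15 disp32
]

# Constructed sample: the same shape, but every return address follows a call.
CLEAN_STACK = [
    Frame("kernelbase.dll", "WaitForSingleObjectEx", 0x8e,
          preceding=bytes.fromhex("4c8bc7ffd0"), at=b"\x48\x8b"),      # ends in FF D0 (call rax)
] + SUSPICIOUS_STACK[1:]

if __name__ == "__main__":
    for line in analyze_stack(SUSPICIOUS_STACK) or ["stack looks clean"]:
        print(line)
```

On the constructed suspicious stack the check reports the innermost frame as a gadget return and nothing else, since the two fake frames use offsets that do sit right after genuine call instructions; that is why an EDR has to look at the frame the gadget itself occupies, not only at the frames behind it.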
You need to use the spoof class and specify both the fake frames and the module name for the gadget in the constructor. For the gadget you only specify the module name; the code searches the module's .text section for all `jmp RDI` gadgets and, once all of them are found, randomly selects one.
```cpp
#include <windows.h>
#include <cstdlib>
#include "spoof.h" // header providing the spoof class (file name assumed; not given on this page)

int main() {
    // each fake frame is given as module, exported symbol, and offset from that symbol
    spoof test({
        { "kernel32.dll", "BaseThreadInitThunk", 0x14 }, // fake second frame
        { "ntdll.dll", "RtlUserThreadStart", 0x21 }      // fake third frame
    },
    "ntdll.dll"); // module whose .text section is searched for a "jmp RDI" gadget
    // call the target through the spoofed stack; arguments are passed as a list
    test.call("Kernel32.dll", "WaitForSingleObject", { (HANDLE)-1, (void*)0x1000 });
    return EXIT_SUCCESS;
}
```
- Stack frame view
- Gadget frame view
Checked on Windows 11 24H2
- Kernel32.dll : 0
- Kernelbase.dll : 2
- User32.dll : 1
- Expand the fake stackframe limit
- Add polymorphism