- Gotta Catch 'Em All! Catching Your Favorite C2 In Memory Using Stack & Thread Telemetry.
  TL;DR: We focus on two issues seen in the stack (in the context of stack spoofing). A Custom Stack Tracer. Analyzing a Commercial C2 Framework Loved by Adversaries. In this section we are going to discuss a commercial C2 framework which is heavily abused by threat actors. This tool often gets cracked and sold…
- Breakpoints, Heaven's Gate and Stack
  Recap: In the previous post we implemented return address spoofing with the help of H/W breakpoints by manipulating ESP; as our program resumes following the execution of the exception handler, the ntdll function call stub is executed. In this post we will be taking a more covert route of executing an Nt function via Heaven's Gate. Windows…
- Stack Manipulation via Hardware Breakpoint & Direct Syscall Execution
  x86 Stack Primer: In this section we will quickly go over how the x86 stack works. The scenario is main() calls function A(), then A() calls B(). Let's see how this affects the stack. The above image is very generic in nature and the calling convention is not taken into consideration. Process Overview: Spoofing the return address. Below image…
- The Stack Series: The x64 Stack
  Overview of the x64 stack: static RSP, caller/callee-saved registers. According to the x64 convention, non-volatile registers are expected to be saved and restored by the function that uses them. On the other hand, as the name suggests, volatile register states are expected to change throughout the execution of any function. Volatile Registers: RAX…
- The Stack Series: Return Address Spoofing on x64
  Introduction: The stack of a process has the potential to give away the true nature of the program running in memory. Hence it is one of the entities monitored by security solutions. When a program executes any interesting function like InternetConnectA, security systems may initiate a stack check to find out if there…