-
Thread Hijacking Iceberg: Deep Dive into Phantom Call & RtlRemoteCall
Phantom Call. What is a phantom call? It is a combination of thread hijacking and calling interesting APIs on a newly crafted stack in the context of the hijacked thread, done in a more stable way. A quick summary of the technique. x64 stack alignment. Our target. Straight to business, let's take a look at our target. A…
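The "newly crafted stack" and the x64 alignment point above are the part people get wrong when hijacking a thread, so here is an added example (not code from the original post) of laying out a Windows x64 call frame below a suspended thread's RSP. It assumes a simulated stack buffer at a hypothetical virtual base address, a constructed return address and arguments, and a `slack` parameter of my own choosing; the ABI facts it relies on (first four arguments in RCX/RDX/R8/R9, 32 bytes of shadow space above the return address, RSP % 16 == 8 at function entry) are the real Windows x64 rules.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Windows x64 calling convention facts used here:
 *  - args 1..4 travel in RCX, RDX, R8, R9 (set through CONTEXT when hijacking);
 *  - the caller reserves 32 bytes of "shadow space" directly above the return
 *    address; stack-passed args 5..N follow it at RSP+40, RSP+48, ...;
 *  - at function entry (RSP + 8) % 16 == 0, i.e. RSP % 16 == 8.
 */
#define SHADOW_SPACE 32u
#define RET_SLOT     8u

/* Simulated target-thread stack (constructed for this example). In a real
 * hijack this is the remote thread's stack written via WriteProcessMemory, or
 * plain pointer writes for a thread in the current process. */
#define FAKE_STACK_BYTES 0x1000u
#define FAKE_STACK_VBASE 0x10000ull   /* hypothetical virtual address of fake_stack[0] */
static uint8_t fake_stack[FAKE_STACK_BYTES];

/* Translate a hypothetical virtual address into the fake_stack buffer. */
static uint8_t *vaddr_to_ptr(uint64_t vaddr)
{
    if (vaddr < FAKE_STACK_VBASE || vaddr >= FAKE_STACK_VBASE + FAKE_STACK_BYTES)
        return NULL;
    return fake_stack + (vaddr - FAKE_STACK_VBASE);
}

/* 1 if rsp is a legal RSP value for the first instruction of a callee. */
int frame_is_entry_aligned(uint64_t rsp)
{
    return (rsp % 16) == 8;
}

/*
 * Lay out a call frame below the hijacked thread's current RSP so the thread
 * can be resumed with RIP = target API and RSP = the returned value.
 *   rsp_now     current CONTEXT.Rsp of the suspended thread
 *   ret_addr    where the API should return (original RIP, or a gadget)
 *   stack_args  args 5..N in order (NULL when n_stack_args == 0)
 *   slack       extra bytes skipped below rsp_now so data the thread was still
 *               using near RSP is not clobbered (assumed parameter)
 * Returns the new RSP, or 0 if the frame would fall outside the stack.
 */
uint64_t craft_frame(uint64_t rsp_now, uint64_t ret_addr,
                     const uint64_t *stack_args, size_t n_stack_args,
                     uint64_t slack)
{
    uint64_t needed  = RET_SLOT + SHADOW_SPACE + 8ull * n_stack_args;
    /* round down to 16, then back off 8 so RSP % 16 == 8 at entry */
    uint64_t new_rsp = ((rsp_now - slack - needed) & ~15ull) - 8;

    uint8_t *base = vaddr_to_ptr(new_rsp);
    uint8_t *end  = vaddr_to_ptr(new_rsp + needed - 1);
    if (!base || !end)
        return 0;

    memcpy(base, &ret_addr, 8);                  /* [RSP]        return address */
    memset(base + RET_SLOT, 0, SHADOW_SPACE);    /* [RSP+8..40)  shadow space   */
    for (size_t i = 0; i < n_stack_args; i++)    /* [RSP+40+8i]  arg 5+i        */
        memcpy(base + RET_SLOT + SHADOW_SPACE + 8 * i, &stack_args[i], 8);
    return new_rsp;
}

/* Read back an 8-byte slot, e.g. to verify the frame before ResumeThread. */
uint64_t read_slot(uint64_t vaddr)
{
    uint8_t *p = vaddr_to_ptr(vaddr);
    uint64_t v = 0;
    if (p && vaddr_to_ptr(vaddr + 7))
        memcpy(&v, p, 8);
    return v;
}

/* Build one frame with constructed values: two stack args, RSP 0x20 below the
 * top of the fake stack. Returns the RSP that would go into CONTEXT.Rsp. */
uint64_t demo_frame(void)
{
    static const uint64_t args[2] = { 0x1111, 0x2222 };       /* args 5 and 6 */
    uint64_t rsp_now = FAKE_STACK_VBASE + FAKE_STACK_BYTES - 0x20;
    return craft_frame(rsp_now, 0xdeadbeefcafe0000ull, args, 2, 0);
}

int main(void)
{
    uint64_t rsp = demo_frame();
    printf("CONTEXT.Rsp = 0x%llx (entry-aligned: %d)\n",
           (unsigned long long)rsp, frame_is_entry_aligned(rsp));
    printf("[rsp]=0x%llx [rsp+40]=0x%llx [rsp+48]=0x%llx\n",
           (unsigned long long)read_slot(rsp),
           (unsigned long long)read_slot(rsp + 40),
           (unsigned long long)read_slot(rsp + 48));
    return 0;
}
```

The frame is always placed strictly below the current RSP, so nothing the thread had live on its stack is overwritten; the `slack` margin only matters if the thread was suspended mid-prologue with data just under RSP. Setting RIP to the API, RCX..R9 to the first four arguments and RSP to the returned value in the thread's CONTEXT, then resuming, is the call; the value at [RSP] decides where control goes when the API returns.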
-
Breakpoints, Heaven's Gate and the Stack
Recap. In the previous post we implemented return address spoofing with the help of hardware breakpoints by manipulating ESP: as the program resumes after the exception handler executes, the ntdll function call stub is executed. In this post we will take a more covert route and execute an Nt function via Heaven's Gate. Windows…
-
The Stack, The Windows & The Adventures
Introduction. This post is a "how-to" for writing Win32 code that performs a stack walk on both x86 and x64, and along the way we will cover the theory behind some of the concepts associated with the stack. In fact this is a quick note I created for myself when I started working on designing a…
-
The Stack Series: Return Address Spoofing on x64
Introduction. The stack of a process can give away the true nature of the program running in memory, so it is one of the entities monitored by security solutions. When a program executes an interesting function such as InternetConnectA, a security product may initiate a stack check to find out if there…