{"id":19000734,"url":"https://github.com/fortra/hw-call-stack","last_synced_at":"2025-05-07T10:37:00.064Z","repository":{"id":116724013,"uuid":"609222168","full_name":"fortra/hw-call-stack","owner":"fortra","description":"Use hardware breakpoints to spoof the call stack for both syscalls and API calls","archived":false,"fork":false,"pushed_at":"2024-06-06T14:28:44.000Z","size":284,"stargazers_count":187,"open_issues_count":0,"forks_count":29,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-02-18T23:08:07.620Z","etag":null,"topics":["edr-bypass","stack-spoofing","syscalls"],"latest_commit_sha":null,"homepage":"https://www.coresecurity.com/blog/hardware-call-stack","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fortra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-03T16:23:30.000Z","updated_at":"2025-02-07T16:50:16.000Z","dependencies_parsed_at":"2024-11-15T23:05:38.309Z","dependency_job_id":"cdd9e51c-f3d7-48ca-9ac4-2c4cebd04abf","html_url":"https://github.com/fortra/hw-call-stack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortra%2Fhw-call-stack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortra%2Fhw-call-stack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortra%2Fhw-call-stack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortra%2Fhw-call-stack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fortra","download_url":"https://codeload.github.com/fortra/hw-call-stack/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240766621,"owners_count":19854119,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["edr-bypass","stack-spoofing","syscalls"],"created_at":"2024-11-08T18:08:14.932Z","updated_at":"2025-02-26T00:10:13.309Z","avatar_url":"https://github.com/fortra.png","language":"C","readme":"# HW Call Stack\n\nYet another \"Call Stack Spoofing\" implementation. Works for syscalls and APIs, supports x64, x86 and WoW64.  \n\n![screenshot](resources/demo.png)\n\n## Compile\nUse the MinGW compiler:\n```bash\nmake\n```\n\nThis should create two binaries:\n```\n$ ls dist  \nhw_call_stack.x64.exe  hw_call_stack.x86.exe\n```\n\n## Example output\n```\nPS C:\\Windows\\Temp\u003e .\\hw_call_stack.x64.exe\nusage: C:\\Windows\\Temp\\hw_call_stack.x64.exe \u003cpid\u003e \u003cdll\u003e\n\nPS Z:\\\u003e .\\hw_call_stack.x64.exe 700 kernel32.dll\n-- HW Call Stack --\n\ncalling NtOpenProcess...\nDEBUG: source/spoof_callstack.c:850:create_fake_callstack(): obtained the stack ranges: 0x000000287d3fd000 - 0x000000287d400000\nDEBUG: source/spoof_callstack.c:863:create_fake_callstack(): using the NtOpenProcess call stack\nDEBUG: source/spoof_callstack.c:892:create_fake_callstack(): storing area is at: 0x0000020121124940\nDEBUG: source/spoof_callstack.c:920:create_fake_callstack(): size of the fake stack: 0x158\nDEBUG: source/spoof_callstack.c:924:create_fake_callstack(): fake stack on the heap: 0x00000201211315a0 - 0x00000201211316f8\nDEBUG: source/spoof_callstack.c:933:create_fake_callstack(): backup of the stack real stack: 0x0000020121131700 - 0x0000020121134700\nDEBUG: source/spoof_callstack.c:943:create_fake_callstack(): the spoofed call stack will be stored at: 0x000000287d3ffea8 - 0x000000287d400000\nDEBUG: source/spoof_callstack.c:1010:create_fake_callstack(): fake stack layout:\nDEBUG: source/spoof_callstack.c:1011:create_fake_callstack():     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nDEBUG: source/spoof_callstack.c:1021:create_fake_callstack():     ret address: KernelBase!ProcessIdToSessionId+0x96 \u003c-- stack pointer: 0x000000287d3ffea8\nDEBUG: source/spoof_callstack.c:1039:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1040:create_fake_callstack():         \u003c0x78 bytes of space\u003e\nDEBUG: source/spoof_callstack.c:1032:create_fake_callstack():     ret address: Kernel32!BaseThreadInitThunk+0x14\nDEBUG: source/spoof_callstack.c:1039:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1040:create_fake_callstack():         \u003c0x28 bytes of space\u003e\nDEBUG: source/spoof_callstack.c:1032:create_fake_callstack():     ret address: ntdll!RtlUserThreadStart+0x21\nDEBUG: source/spoof_callstack.c:1039:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1040:create_fake_callstack():         \u003c0x78 bytes of space\u003e\nDEBUG: source/spoof_callstack.c:1044:create_fake_callstack():     ret address: 0x0000000000000000\nDEBUG: source/spoof_callstack.c:1045:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1046:create_fake_callstack():     canary: 0xdeadbeefcafebabe\nDEBUG: source/spoof_callstack.c:1047:create_fake_callstack():     storing ptr: 0x0000020121124940\nDEBUG: source/spoof_callstack.c:1048:create_fake_callstack():         \u003c0x10 bytes of space\u003e       \u003c-- stack bottom: 0x000000287d3fd000\nDEBUG: source/spoof_callstack.c:1049:create_fake_callstack():     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nDEBUG: source/syscalls.c:630:trigger_syscall(): created the fake callstack\nDEBUG: source/syscalls.c:644:trigger_syscall(): hardware breakpoint set at 0x00007ffa42db9f06\nDEBUG: source/syscalls.c:674:trigger_syscall(): triggering the syscall...\nDEBUG: source/syscalls.c:676:trigger_syscall(): done.\nstatus: 0x0\n\ncalling LoadLibraryA...\nDEBUG: source/spoof_callstack.c:850:create_fake_callstack(): obtained the stack ranges: 0x000000287d3fd000 - 0x000000287d400000\nDEBUG: source/spoof_callstack.c:867:create_fake_callstack(): using the LoadLibraryA call stack\nDEBUG: source/spoof_callstack.c:892:create_fake_callstack(): storing area is at: 0x00000201211376f0\nDEBUG: source/spoof_callstack.c:920:create_fake_callstack(): size of the fake stack: 0x1f8\nDEBUG: source/spoof_callstack.c:924:create_fake_callstack(): fake stack on the heap: 0x00000201211317e0 - 0x00000201211319d8\nDEBUG: source/spoof_callstack.c:933:create_fake_callstack(): backup of the stack real stack: 0x0000020121138a50 - 0x000002012113ba50\nDEBUG: source/spoof_callstack.c:943:create_fake_callstack(): the spoofed call stack will be stored at: 0x000000287d3ffe08 - 0x000000287d400000\nDEBUG: source/spoof_callstack.c:1010:create_fake_callstack(): fake stack layout:\nDEBUG: source/spoof_callstack.c:1011:create_fake_callstack():     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nDEBUG: source/spoof_callstack.c:1025:create_fake_callstack():     ret address: advapi32+0x4a25e \u003c-- stack pointer: 0x000000287d3ffe08\nDEBUG: source/spoof_callstack.c:1039:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1040:create_fake_callstack():         \u003c0x118 bytes of space\u003e\nDEBUG: source/spoof_callstack.c:1032:create_fake_callstack():     ret address: Kernel32!BaseThreadInitThunk+0x14\nDEBUG: source/spoof_callstack.c:1039:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1040:create_fake_callstack():         \u003c0x28 bytes of space\u003e\nDEBUG: source/spoof_callstack.c:1032:create_fake_callstack():     ret address: ntdll!RtlUserThreadStart+0x21\nDEBUG: source/spoof_callstack.c:1039:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1040:create_fake_callstack():         \u003c0x78 bytes of space\u003e\nDEBUG: source/spoof_callstack.c:1044:create_fake_callstack():     ret address: 0x0000000000000000\nDEBUG: source/spoof_callstack.c:1045:create_fake_callstack():     -------------------------------\nDEBUG: source/spoof_callstack.c:1046:create_fake_callstack():     canary: 0xdeadbeefcafebabe\nDEBUG: source/spoof_callstack.c:1047:create_fake_callstack():     storing ptr: 0x00000201211376f0\nDEBUG: source/spoof_callstack.c:1048:create_fake_callstack():         \u003c0x10 bytes of space\u003e       \u003c-- stack bottom: 0x000000287d3fd000\nDEBUG: source/spoof_callstack.c:1049:create_fake_callstack():     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nDEBUG: source/syscalls.c:733:trigger_api(): created the fake callstack\nDEBUG: source/syscalls.c:747:trigger_api(): hardware breakpoint set at 0x00007ffa4331a25e\nDEBUG: source/syscalls.c:775:trigger_api(): triggering the API...\nDEBUG: source/syscalls.c:777:trigger_api(): done.\nKernel32.dll has been loaded at 0x00007ffa435e0000\n\nBye!\n```\n\n## Caveats\nGiven that the stack gets overwritten during the call, all variables passed by reference need to be stored on the heap.\n\n## Credits\nThanks to [William Burgess](https://twitter.com/joehowwolf) for [Spoofing Call Stacks To Confuse EDRs](https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffortra%2Fhw-call-stack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffortra%2Fhw-call-stack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffortra%2Fhw-call-stack/lists"}