{"id":28416814,"url":"https://github.com/withsecurelabs/callstackspoofer","last_synced_at":"2025-06-25T02:31:46.420Z","repository":{"id":41297208,"uuid":"508287324","full_name":"WithSecureLabs/CallStackSpoofer","owner":"WithSecureLabs","description":"A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)","archived":false,"fork":false,"pushed_at":"2025-04-08T15:35:53.000Z","size":16,"stargazers_count":492,"open_issues_count":1,"forks_count":66,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-06-04T07:28:03.928Z","etag":null,"topics":["countercept","spoofer"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WithSecureLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-28T12:20:48.000Z","updated_at":"2025-06-03T07:43:45.000Z","dependencies_parsed_at":"2022-08-10T01:53:45.262Z","dependency_job_id":null,"html_url":"https://github.com/WithSecureLabs/CallStackSpoofer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/WithSecureLabs/CallStackSpoofer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2FCallStackSpoofer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2FCallStackSpoofer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2FCallStackSpoofer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2FCallStackSpoofer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WithSecureLabs","download_url":"https://codeload.github.com/WithSecureLabs/CallStackSpoofer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2FCallStackSpoofer/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261790984,"owners_count":23210073,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["countercept","spoofer"],"created_at":"2025-06-04T00:43:53.952Z","updated_at":"2025-06-25T02:31:46.411Z","avatar_url":"https://github.com/WithSecureLabs.png","language":"C++","readme":"# CallStackSpoofer\n\nThis repository demonstrates a PoC implementation to spoof arbitrary call stacks when making system calls. For a full technical walkthrough please see\nthe accompanying blog post here: https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs.\n\nBy default it contains three sample call stacks to mimic, which can be selected via supplying either `--wmi`, `--rpc`, or `--svchost`, as demonstrated below:\n\n![readmeexample](https://user-images.githubusercontent.com/108275364/176182191-23cf273c-f154-411c-a1cf-428a9be323b9.PNG)\n\nThese call stacks were obtained by running SysMon with process access events enabled and searching for events where lsass was the target of the handle operation.\n\nNB As a word of caution, this PoC was tested on the following Windows build:\n - 10.0.19044.1706 (21h2)\n\nIt has not been tested on any other versions and offsets may obviously vary (and hence break) on different Windows builds.\n\nIf you are having trouble, one technique to debug errors is to find the process generating OpenProcess events in SysMon and attach to it in \nWinDbg. Once attached, run `bp ntdll!NtOpenProcess` and when bp is hit run `knf`.\n\nThis will display output similar to the below, which will contain full symbol resolution and the correct stack utilisation space (indicated by the 'Memory' column):\n```\n0:003\u003e knf\n #   Memory  Child-SP          RetAddr               Call Site\n00           00000037`f01fe300 00007ffd`221d2ea6     ntdll!NtOpenProcess+0x12\n01         8 00000037`f01fe308 00007ffd`1ffee959     KERNELBASE!ProcessIdToSessionId+0x96\n02        80 00000037`f01fe388 00007ffd`23b99633     lsm!RpcOpenEnum+0x129\n03       430 00000037`f01fe7b8 00007ffd`23b33711     RPCRT4!Invoke+0x73\n04        40 00000037`f01fe7f8 00007ffd`23bfd77b     RPCRT4!Ndr64UnmarshallHandle+0xe1\n05        70 00000037`f01fe868 00007ffd`23b7d2ac     RPCRT4!Ndr64StubWorker+0xb0b\n06       6c0 00000037`f01fef28 00007ffd`23b7a408     RPCRT4!NdrServerCallAll+0x3c\n07        50 00000037`f01fef78 00007ffd`23b5a266     RPCRT4!DispatchToStubInCNoAvrf+0x18\n08        50 00000037`f01fefc8 00007ffd`23b59bb8     RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6\n09        e0 00000037`f01ff0a8 00007ffd`23b68a0f     RPCRT4!RPC_INTERFACE::DispatchToStub+0xf8\n0a        70 00000037`f01ff118 00007ffd`23b67e18     RPCRT4!LRPC_SCALL::DispatchRequest+0x31f\n0b        d0 00000037`f01ff1e8 00007ffd`23b67401     RPCRT4!LRPC_SCALL::HandleRequest+0x7f8\n0c       110 00000037`f01ff2f8 00007ffd`23b66e6e     RPCRT4!LRPC_ADDRESS::HandleRequest+0x341\n0d        a0 00000037`f01ff398 00007ffd`23b6b542     RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e\n0e       140 00000037`f01ff4d8 00007ffd`24ab0330     RPCRT4!LrpcIoComplete+0xc2\n0f        a0 00000037`f01ff578 00007ffd`24ae2f26     ntdll!TppAlpcpExecuteCallback+0x260\n10        80 00000037`f01ff5f8 00007ffd`23387034     ntdll!TppWorkerThread+0x456\n11       300 00000037`f01ff8f8 00007ffd`24ae2651     KERNEL32!BaseThreadInitThunk+0x14\n12        30 00000037`f01ff928 00000000`00000000     ntdll!RtlUserThreadStart+0x21\n```\n As a note, the total stack space used by the current call site is indicated in the row below (e.g. ntdll!NtOpenProcess only takes up 8 bytes). As stated previously, a complete technical walkthrough is covered in the blog linked at the start of this readme which will explain this (and concepts like Child-SP) in more detail. The values generated by windbg can then be used to correlate with what is being returned by CalculateFunctionStackSize() in the event of any problems.\n\n# Related Work\nThanks to the unicorn_pe project (https://github.com/hzqst/unicorn_pe) for example code in parsing UNWIND_CODEs.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Fcallstackspoofer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwithsecurelabs%2Fcallstackspoofer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Fcallstackspoofer/lists"}