Call Stack Spoofing

Introduction

What is a call stack?

When a thread running function "A" calls function "B", the CPU automatically saves the current instruction address to the Stack. This is known as the return address. Return addresses can be retrieved through a process called stack walking.

References

LogoPeeling back the curtain with call stacks — Elastic Security Labs
SilentMoonwalk: Implementing a dynamic Call Stack SpooferCyberSecurity Blog
LogoSpoofing Call Stacks To Confuse EDRs
LogoAbusing Slack for Offensive Operations: Part 2Posts By SpecterOps Team Members
Great talk by this legend
PreviousPPID SpoofingNextNTDLL Unhooking

Last updated