
unwinder's Introduction

Description

This Twitter thread inspired the creation of this tool.

Unwinder is a PoC of how to parse a PE's UNWIND_INFO structures in order to achieve "proper" thread stack spoofing from the point of view of the x64 calling convention.

For more detailed information about how the thread stack is walked on x64, check the official x64 exception handling documentation.

The spoofing process overview is as follows:

  • We obtain the stack's memory address where the first return address is located. This return address is replaced by the memory address of a randomly selected Windows API function (let's call it FunctionA).
  • We walk FunctionA's unwind codes array in order to dynamically determine where the next return address is expected on the stack.
  • The word contained at the stack address obtained in the previous step is replaced by the memory address of another randomly selected Windows API function.
  • Steps 2 and 3 are repeated a random number of times, producing a different thread stack on each iteration of the PoC. All of these thread stacks are correct from the point of view of the x64 unwinding process.
  • Once the spoof is completed, the tool calls Sleep to allow inspection of the thread stack (I use Process Hacker for this step).

This process repeats indefinitely.
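Step 2 above is the same walk a debugger or a stack-validating sensor performs: read the UNWIND_INFO header and its UNWIND_CODE array and add up how far the prologue moved RSP, which is the distance from the post-prologue RSP to the slot holding the return address. The following Rust function is an added example and not the unwinder project's own code; it models only the version 1 codes that move RSP, rejects chained or frame-pointer-based frames, and its input bytes are constructed by hand rather than taken from a real binary.

```rust
// Added example (not the unwinder project's code): a minimal UNWIND_INFO walker.
// Layout per the x64 exception handling docs: byte 0 = version (low 3 bits) |
// flags (high 5 bits), byte 1 = SizeOfProlog, byte 2 = CountOfCodes, byte 3 =
// FrameRegister (low 4) | FrameOffset (high 4), then CountOfCodes two-byte
// UNWIND_CODE slots: CodeOffset, then UnwindOp (low 4 bits) | OpInfo (high 4 bits).
const UWOP_PUSH_NONVOL: u8 = 0;
const UWOP_ALLOC_LARGE: u8 = 1;
const UWOP_ALLOC_SMALL: u8 = 2;
const UWOP_SAVE_NONVOL: u8 = 4;
const UWOP_SAVE_NONVOL_FAR: u8 = 5;
const UWOP_SAVE_XMM128: u8 = 8;
const UWOP_SAVE_XMM128_FAR: u8 = 9;
const UNW_FLAG_CHAININFO: u8 = 0x4;

/// Returns how many bytes the prologue moved RSP, i.e. the offset from the
/// post-prologue RSP to the stack slot holding the return address. None means
/// malformed or out-of-scope input (chained info, a frame register, or a code
/// this walker does not model).
fn return_address_offset(unwind_info: &[u8]) -> Option<u64> {
    let header = unwind_info.get(0..4)?;
    let (version, flags) = (header[0] & 0x7, header[0] >> 3);
    let count = header[2] as usize;
    let frame_register = header[3] & 0xF;
    if version != 1 || flags & UNW_FLAG_CHAININFO != 0 || frame_register != 0 {
        return None;
    }
    // Every slot must be present; a short buffer is rejected instead of read past.
    let codes = unwind_info.get(4..4 + count * 2)?;
    let slot = |i: usize| codes.get(i * 2..i * 2 + 2).map(|b| u16::from_le_bytes([b[0], b[1]]) as u64);
    let (mut offset, mut i) = (0u64, 0usize);
    while i < count {
        let op = codes[i * 2 + 1] & 0xF;
        let op_info = (codes[i * 2 + 1] >> 4) as u64;
        // Codes are stored in reverse prologue order; each arm yields the number
        // of slots the code occupies so the walk can skip to the next code.
        let nodes = match op {
            UWOP_PUSH_NONVOL => { offset += 8; 1 }
            UWOP_ALLOC_SMALL => { offset += op_info * 8 + 8; 1 }
            UWOP_ALLOC_LARGE if op_info == 0 => { offset += slot(i + 1)? * 8; 2 }
            UWOP_ALLOC_LARGE => { offset += slot(i + 1)? | (slot(i + 2)? << 16); 3 }
            UWOP_SAVE_NONVOL | UWOP_SAVE_XMM128 => 2, // saves do not move RSP
            UWOP_SAVE_NONVOL_FAR | UWOP_SAVE_XMM128_FAR => 3,
            _ => return None, // SET_FPREG, PUSH_MACHFRAME, v2 codes: out of scope
        };
        i += nodes;
    }
    // A code that claims more slots than the array holds is malformed.
    if i != count { return None; }
    Some(offset)
}
```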

As can be seen in the following images, we are able to spoof the thread stack in multiple ways. Since the number of spoofing functions and the functions themselves are randomly selected from a pool of functions, each iteration will create a different thread stack.

[Images: three screenshots of the spoofed thread stack]

Additional spoofing functions can be added to the pool by enlarging the FUNCTIONS array located in src::main.rs.

Disclaimer

From the previous images it can be concluded that this tool is not trying to create logically consistent call stacks, for multiple reasons. For example, some of the thread stacks shown before don't start with ntdll.dll!RtlUserThreadStart, and I've never seen kernelbase!GetCalendarInfoEx calling kernelbase.dll!DsFreeNameResultW, even though this tool allows it. The main purpose of this tool is to show how walking unwind codes allows us to effectively and malleably spoof the stack.

To use this technique in real environments and tools, it is required to analyze valid stack sequences in order to mimic real behaviours.

On the other hand, I'm just spoofing some frames of the stack. If you want to fully spoof the stack, a little bit of extra work has to be done, even though it should be relatively easy to implement. Also, I'm not trying to restore the original values of the stack after each iteration.

Finally, not all the unwind codes have been implemented. Although I encourage anyone to add extra spoofing functions to the FUNCTIONS array, take into account that you may end up parsing unwind codes not covered by this tool, which may lead to errors in the spoofing process.

Compilation

We need Rust Nightly to compile this project. Once it has been installed, simply compile the code and run the tool:

C:\Users\User\Desktop\unwinder> cargo build
C:\Users\User\Desktop\unwinder\target\debug> unwinder.exe

Credits

Contributors: kudaes
