StackMoonwalk: A Novel approach to stack spoofing on Windows x64

Presented at DEF CON 31 (2023), Aug. 13, 2023, 10 a.m. (45 minutes)

The rapid advancement of cyber defense products has led to an increase in sophisticated memory evasion techniques employed by the Red Teaming and Malware Development communities. These techniques aim to bypass the detection of malicious code by concealing its presence in a target process's memory. Among these methods, "Thread Stack Spoofing" hides malicious calls in the stack by replacing arbitrary stack frames with fake ones. In this talk, we present two novel approaches, "Full Moon" and "Half Moon," for tampering with call stacks in a manner that is both opaque and difficult to detect. These techniques manipulate the call stack to produce stacks that either unwind cleanly or appear logically valid, thwarting conventional detection methods. We also introduce a detection algorithm, Eclipse, designed to identify instances of these tampering techniques. This algorithm extends the functionality of RtlVirtualUnwind to perform strict checks on specific instructions and call sequences, enabling the detection of tampered call stacks. We evaluate the efficacy of Eclipse against both the Full Moon and Half Moon techniques and discuss its performance and limitations. Additionally, we explore the possibility of combining these techniques to create an even more robust method for call stack tampering that is resistant to detection. Our study contributes to the growing body of knowledge in the field of call stack tampering and detection and provides valuable insights for researchers and security professionals aiming to mitigate such threats.

References:

  • namazso. 2019. x64 return address spoofing (source + explanation). UnKnoWnCheaTs - Multiplayer Game Hacking and Cheats. Retrieved April 4, 2023 from https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html
  • Mariusz Banach. 2023. Thread Stack Spoofing / Call Stack Spoofing PoC. Retrieved April 3, 2023 from https://github.com/mgeeky/ThreadStackSpoofer
  • William Burgess. Behind the Mask: Spoofing Call Stacks Dynamically with Timers. Cobalt Strike Blog, Fortra. Retrieved April 3, 2023 from https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/
  • William Burgess. Spoofing Call Stacks To Confuse EDRs. Retrieved April 4, 2023 from https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
  • Microsoft Corp. 2021. x64 prolog and epilog. Retrieved April 3, 2023 from https://learn.microsoft.com/en-us/cpp/build/prolog-and-epilog
  • Microsoft Corp. 2022. x64 exception handling. Retrieved April 3, 2023 from https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64
  • CodeMachine. 2021. x64 Deep Dive. Retrieved April 3, 2023 from https://www.codemachine.com/article_x64deepdive.html
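The abstract says Eclipse extends RtlVirtualUnwind with "strict checks on specific instructions and call sequences" but does not publish the algorithm. As an added illustration (my own example, not the talk's or Eclipse's code), the C below implements one check of that kind that a stack walker can apply to every frame it visits: on x64, a legitimate return address always points just past a CALL instruction, so a return address with no CALL encoding ending at it is suspicious. The code buffer, the return offsets and the two sample "stacks" are constructed by hand so that the example runs anywhere; on a live Windows x64 process the return addresses would come from the walk over RtlVirtualUnwind and the bytes from the mapped image. The decoder handles the common 64-bit CALL forms (E8 rel32 and [REX] FF /2 with ModRM, SIB and displacement); anything more exotic is an assumption left out here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the CALL instruction starting at p (n bytes available), or 0 if
 * the bytes at p are not a CALL this decoder understands.  Hypothetical check,
 * not the Eclipse algorithm from the talk. */
static size_t decode_call(const uint8_t *p, size_t n)
{
    size_t i = 0;
    if (n > 0 && (p[0] & 0xF0) == 0x40)      /* REX prefix 0x40..0x4F */
        i = 1;
    if (i >= n)
        return 0;
    if (p[i] == 0xE8)                        /* call rel32: opcode + 4 bytes */
        return (i + 5 <= n) ? i + 5 : 0;
    if (p[i] != 0xFF || i + 1 >= n)
        return 0;

    uint8_t modrm = p[i + 1];
    if (((modrm >> 3) & 7) != 2)             /* FF /2 is CALL r/m64 */
        return 0;
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = i + 2;                      /* opcode + ModRM */
    if (mod == 3)                            /* call reg64 */
        return len;
    if (rm == 4) {                           /* SIB byte follows */
        if (i + 2 >= n)
            return 0;
        len += 1;
        if (mod == 0 && (p[i + 2] & 7) == 5) /* SIB base 101, mod 00: disp32 */
            len += 4;
    }
    if (mod == 0 && rm == 5)                 /* [rip + disp32] */
        len += 4;
    else if (mod == 1)                       /* [reg + disp8] */
        len += 1;
    else if (mod == 2)                       /* [reg + disp32] */
        len += 4;
    return (len <= n) ? len : 0;
}

/* True if a recognised CALL encoding ends exactly at ret_off.  Longest form
 * handled: REX + FF + ModRM + SIB + disp32 = 8 bytes.  Decoding backwards is
 * heuristic (variable-length instructions, coincidental byte patterns), which
 * is why a detector pairs it with unwind-validity checks rather than relying
 * on it alone. */
bool return_address_preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len)
        return false;
    for (size_t L = 2; L <= 8; L++) {
        if (ret_off < L)
            break;
        if (decode_call(code + ret_off - L, L) == L)
            return true;
    }
    return false;
}

/* Visit each frame's return address (offsets into `code` stand in for the
 * absolute addresses a real walk yields) and return the index of the first
 * frame that fails the check, or -1 when every frame passes. */
int first_suspicious_frame(const uint8_t *code, size_t len,
                           const size_t *ret_offs, size_t nframes)
{
    for (size_t i = 0; i < nframes; i++)
        if (!return_address_preceded_by_call(code, len, ret_offs[i]))
            return (int)i;
    return -1;
}

/* Constructed, hand-assembled x64 bytes (not from any real binary).  The
 * comments give the return address each CALL would push. */
const uint8_t sample_code[] = {
    0x48, 0x83, 0xEC, 0x28,                  /*  0: sub  rsp, 0x28            */
    0xE8, 0x00, 0x00, 0x00, 0x00,            /*  4: call rel32      -> ret  9 */
    0xFF, 0x15, 0x10, 0x00, 0x00, 0x00,      /*  9: call [rip+0x10] -> ret 15 */
    0x48, 0x89, 0xC1,                        /* 15: mov  rcx, rax             */
    0x41, 0xFF, 0xD2,                        /* 18: call r10        -> ret 21 */
    0xFF, 0x54, 0x24, 0x08,                  /* 21: call [rsp+8]    -> ret 25 */
    0x48, 0x83, 0xC4, 0x28,                  /* 25: add  rsp, 0x28            */
    0xC3                                     /* 29: ret                       */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    size_t clean[]   = { 9, 15, 21, 25 };    /* every frame follows a CALL    */
    size_t spoofed[] = { 9, 4, 25 };         /* frame 1 "returns" into sub rsp */
    printf("clean   -> first suspicious frame: %d\n",
           first_suspicious_frame(sample_code, sample_code_len, clean, 4));
    printf("spoofed -> first suspicious frame: %d\n",
           first_suspicious_frame(sample_code, sample_code_len, spoofed, 3));
    return 0;
}
```

The spoofed sample fails at frame index 1 because offset 4 is the start of an instruction with no CALL ending there; offset 29 (just after `add rsp`) fails for the same reason even though a CALL sits a few bytes earlier. A production walker would run this per frame alongside the unwind-validity checks the abstract describes, and would treat a failure as a signal to correlate with other telemetry rather than as proof on its own.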

Presenters:

  • Athanasios "trickster0" Tserpelis - Red Teamer and Malware Developer
    Thanos is a senior security consultant at Nettitude, focused mainly on Red Teaming, and specializes in offensive tool development such as elaborate malware, EDR evasion techniques and tooling that makes a red teamer's life easier. Additionally, he is really into low-level stuff, such as exploit development on Windows.
  • Arash "waldo-irc" Parsa - Cybersecurity Professional
    Arash Parsa is a highly skilled and passionate cybersecurity professional with extensive experience in threat hunting, red teaming, and research. As a dedicated member of the InfoSec community, Arash has become a trusted name in advancing the field and helping to protect digital assets from ever-evolving threats. Above all, Arash takes great pride in being an active community member and mentor to aspiring cybersecurity professionals. By sharing his knowledge and experience, he is helping to shape the next generation of InfoSec experts and ensure the continued growth and success of the industry.
  • Alessandro "klezVirus" Magnosi - Principal Security Consultant at BSI
    Alessandro Magnosi is a Principal cyber security consultant with more than 10 years of experience in the IT field. Currently, he is part of the Security Testing Team at BSI, which is the UK's national standards body and a global certification, training and cybersecurity firm. On top of his normal work, Alessandro works as an independent researcher for Synack RT and as an OSS developer for Porchetta Industries, where he maintains offensive tools.
