This tool will allow you to spoof the return addresses of your functions as well as system functions.
A simple tool that will make it harder to find your code by stackwalker or other stack analyze.
This works both in the kernel-mode and in the user-mode.
Safe with runtime exceptions.
SPOOF_FUNC;//spoof current function
SPOOF_CALL(Beep)(500, 500);//spoof system call
SPOOF_FUNC;//spoof current function
SPOOF_CALL(NTSTATUS,NtClose)(handle);//spoof system call
BOOL (WINAPI * beep)(_In_ DWORD dwFreq,_In_ DWORD dwDuration)=&Beep;
SPOOF_CALL(beep)(500,500);
Call stack with spoofer disabled | Call stack with spoofer enabled |
---|---|
There are 2 modes of operation:
While the first case is simple, the second case is a bit more complicated. What should we know? The function template generates a function at compile time with certain parameters that we call it with in the code. Subsequent calls will use the already generated function. Therefore, we can get the address of the generated function like this:
PVOID self_addr = static_cast<PVOID>(&ShellCodeGenerator<RetType, Func*, Args&&...>);
With each subsequent same call, the address will match. Therefore, we can cache our matched shellcode and template function address pairs so that we only allocate the shellcode once and then use it. For backwards compatibility with the kernel, no standard containers are used.
It is important to understand that no function calls should be used in the shellcode, except for calls via direct addresses, because the calls use nearcall, and we will get an invalid relative call. We also encrypt our return address with xor , because it will still be stored on the stack.
It was written in a hurry, so there are flaws here.