Spoofing Call Stacks To Confuse EDRs
Common Information
Type Value
UUID b8849b0e-8263-49f2-ba79-e08cab96ba4c
Fingerprint 5ba65011ce0af254
Analysis status DONE
Considered CTI value 1
Text language
Published June 30, 2022, midnight
Added to db Dec. 19, 2024, 8:35 p.m.
Last updated Dec. 24, 2024, 12:05 a.m.
Headline Spoofing Call Stacks To Confuse EDRs
Title Spoofing Call Stacks To Confuse EDRs
Detected Hints/Tags/Attributes 55/1/36
Attributes
Type  #Events  Value
Domain  4709  github.com
Domain  4  doxygen.reactos.org
Domain  4  codemachine.com
Domain  319  docs.microsoft.com
Domain  259  gist.github.com
File  4  sysmondrv.sys
File  2  except.cpp
File  2  unwind_8c.html
File  2  x64_deep_dive.html
File  2  c:\users\wb\source\repos\vulcanraven\vulcanraven\vulcanraven.cpp
File  2  d:\a01\_work\43\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp
File  38  c:\windows\system32\ntdll.dll
File  22  c:\windows\system32\kernelbase.dll
File  2  c:\windows\system32\lsm.dll
File  8  c:\windows\system32\rpcrt4.dll
File  25  c:\windows\system32\kernel32.dll
File  2  vulcanraven.exe
File  2335  cmd.exe
Github username  6  mgeeky
Github username  4  cracked5pider
Github username  3  hzqst
Github username  52  microsoft
Github username  7  ccob
Github username  7  countercept
Github username  3  stephenfewer
md5  3  fe3b63d80890fafeca982f76c8a3efdf
Url  2  https://github.com/mgeeky/threadstackspoofer
Url  3  https://github.com/cracked5pider/ekko
Url  2  https://github.com/hzqst/unicorn_pe/blob/master/unicorn_pe/except.cpp#l773
Url  2  https://doxygen.reactos.org/d8/d2f/unwind_8c.html#a03c91b6c437066272ebc2c2fff051a4c
Url  2  https://github.com/microsoft/krabsetw/pull/191
Url  2  https://codemachine.com/articles/x64_deep_dive.html
Url  1  https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc
Url  1  https://gist.github.com/ccob/fe3b63d80890fafeca982f76c8a3efdf.
Url  2  https://github.com/countercept/callstackspoofer
Url  1  https://github.com/stephenfewer/reflectivedllinjection