Forging the call stack to confuse EDR and antivirus | CTF导航
Common Information

Type                             Value
UUID                             c6815fec-070d-4b49-8264-0cd94b1e7479
Fingerprint                      a3bfa76ce6e397fc
Analysis status                  DONE
Considered CTI value             -2
Text language
Published                        Nov. 3, 2024, midnight
Added to db                      Nov. 28, 2024, 5:13 p.m.
Last updated                     Dec. 24, 2024, 12:04 a.m.
Headline                         Forging the call stack to confuse EDR and antivirus (伪造调用栈来迷惑EDR和杀软)
Title                            Forging the call stack to confuse EDR and antivirus | CTF导航
Detected Hints/Tags/Attributes   5/0/32
Source URLs

RSS Feed

Id    Enabled   Feed title   Url                           Added to db
426             CTF导航       https://www.ctfiot.com/feed   2024-08-30 22:08
Attributes

Type              #Events   CTI Value   Value
Domain            4709                  github.com
Domain            4                     doxygen.reactos.org
Domain            4                     codemachine.com
Domain            5                     www.notion.so
File              4                     sysmondrv.sys
File              2                     c:\users\wb\source\repos\vulcanraven\vulcanraven\vulcanraven.cpp
File              2                     d:\a01\_work\43\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp
File              38                    c:\windows\system32\ntdll.dll
File              22                    c:\windows\system32\kernelbase.dll
File              2                     c:\windows\system32\lsm.dll
File              8                     c:\windows\system32\rpcrt4.dll
File              25                    c:\windows\system32\kernel32.dll
File              2                     vulcanraven.exe
File              1                     A reflective DLL is injected into cmd.exe (一个反射式dll被注入到cmd.exe)
File              1                     Although cmd.exe is used (虽然使用cmd.exe)
File              2                     except.cpp
File              2                     unwind_8c.html
File              2                     x64_deep_dive.html
Github username   6                     mgeeky
Github username   4                     cracked5pider
Github username   3                     hzqst
Github username   52                    microsoft
Github username   7                     countercept
md5               3                     fe3b63d80890fafeca982f76c8a3efdf
Url               2                     https://github.com/mgeeky/threadstackspoofer
Url               3                     https://github.com/cracked5pider/ekko
Url               2                     https://github.com/hzqst/unicorn_pe/blob/master/unicorn_pe/except.cpp#l773
Url               2                     https://doxygen.reactos.org/d8/d2f/unwind_8c.html#a03c91b6c437066272ebc2c2fff051a4c
Url               2                     https://github.com/microsoft/krabsetw/pull/191
Url               2                     https://codemachine.com/articles/x64_deep_dive.html
Url               1                     https://www.notion.so/fe3b63d80890fafeca982f76c8a3efdf?pvs=21
Url               2                     https://github.com/countercept/callstackspoofer