- Stack spoofing is a really cool malware technique that isn’t new, but has been receiving some more attention recently.
- The method I used simply involves pushing a `ret` gadget from a loaded DLL and the return address to our function (Suppressor).
- EDRs use the call stack of a function call to decide whether the call is malicious, by verifying that each caller's return address resolves to a loaded module.
- Indirect syscall without stack spoofing technique:
- Indirect syscall with stack spoofing technique:
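As an added example (not code from the original post or the Suppressor project), the Python below models the call-stack check described above and two follow-on heuristics a defender can layer on it. The first check (is the return address backed by a loaded module?) is exactly the one a bare `ret` gadget satisfies; the second (is the return address immediately preceded by a `call` instruction?) and the third (does it point at a lone `ret`?) are what distinguish a gadget frame from a genuine caller. All modules, addresses and image bytes are constructed sample data, and the call-instruction decoder covers only the common x86-64 encodings.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Module:
    """A loaded module: name, load base, and its in-memory image (offset 0 == base)."""
    name: str
    base: int
    image: bytes

    @property
    def size(self) -> int:
        return len(self.image)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def find_module(modules: List[Module], addr: int) -> Optional[Module]:
    """The check the text describes: does any loaded module cover this address?"""
    return next((m for m in modules if m.contains(addr)), None)

def call_precedes(module: Module, addr: int) -> bool:
    """Is addr the instruction right after a call? Decodes a subset of x86-64 call forms."""
    off = addr - module.base
    img = module.image
    # E8 rel32: 5-byte direct call
    if off >= 5 and img[off - 5] == 0xE8:
        return True
    # FF 15 disp32: 6-byte call [rip+disp32] (the usual import-thunk call)
    if off >= 6 and img[off - 6:off - 4] == b"\xff\x15":
        return True
    # FF D0..D7: 2-byte call r64 (rax..rdi)
    if off >= 2 and img[off - 2] == 0xFF and 0xD0 <= img[off - 1] <= 0xD7:
        return True
    # 41 FF D0..D7: 3-byte call r64 with REX.B (r8..r15)
    if off >= 3 and img[off - 3:off - 1] == b"\x41\xff" and 0xD0 <= img[off - 1] <= 0xD7:
        return True
    return False

def is_ret_gadget(module: Module, addr: int) -> bool:
    """Does the return address itself point at a ret (C3) or ret imm16 (C2)?"""
    off = addr - module.base
    return off < module.size and module.image[off] in (0xC3, 0xC2)

def classify_frame(modules: List[Module], ret_addr: int) -> Tuple[Optional[str], Tuple[str, ...]]:
    """Return (backing module name or None, tuple of findings) for one stack frame."""
    m = find_module(modules, ret_addr)
    if m is None:
        return None, ("unbacked",)
    findings = []
    if not call_precedes(m, ret_addr):
        findings.append("not-call-preceded")
    if is_ret_gadget(m, ret_addr):
        findings.append("ret-gadget")
    return m.name, tuple(findings)

def analyze_stack(modules: List[Module], frames: List[int]):
    """Classify every return address on the captured call stack."""
    return [classify_frame(modules, a) for a in frames]

def stack_is_suspicious(modules: List[Module], frames: List[int]) -> bool:
    return any(findings for _, findings in analyze_stack(modules, frames))

# --- constructed sample data (hypothetical module and addresses) ---
def build_sample_module() -> Module:
    img = bytearray(b"\x90" * 0x100)            # nop padding
    img[0x10:0x15] = b"\xe8\x00\x00\x00\x00"    # call rel32; its return address is offset 0x15
    img[0x40] = 0xC3                            # a lone ret: the kind of gadget a spoofer points at
    return Module("example.dll", 0x7FF8_0000_0000, bytes(img))

SAMPLE_MODULES = [build_sample_module()]

SAMPLE_STACK = [
    0x7FF8_0000_0015,   # genuine frame: return address right after a call
    0x7FF8_0000_0040,   # spoofed frame: module-backed, but it is a bare ret gadget
    0x0000_0000_1400,   # unbacked frame: no loaded module covers this address
]

if __name__ == "__main__":
    for addr, (mod, findings) in zip(SAMPLE_STACK, analyze_stack(SAMPLE_MODULES, SAMPLE_STACK)):
        print(f"{addr:#018x} {mod or '<unbacked>':<12} {', '.join(findings) or 'ok'}")
```

The module-backing check alone passes the second frame, which is the whole point of the technique in the post; the call-preceded and ret-gadget checks are the extra signals worth emitting from a stack walk when a sensitive API is reached through a return address that sits on a gadget.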