WKL-Sec / StackMask

A PoC of Stack encryption prior to custom sleeping by leveraging CPU cycles.

Home Page:https://whiteknightlabs.com

StackMask

This is a PoC of encrypting the stack before entering a custom sleep that burns CPU cycles instead of calling the regular sleep API. It is the code accompanying the blog post: Masking the Implant with Stack Encryption

Workflow

Retrieve the RSP value to find where the live stack begins (the stack grows down, so RSP is the lowest address still in use). Then pass that address to VirtualQuery, which returns the base address and size of the committed region of the calling process's virtual address space that contains it; base address plus region size is the top of the stack, so the range to encrypt is RSP up to that top. Before encrypting, suspend the thread whose stack is being encrypted, so it cannot execute on top of encrypted frames and crash or misbehave; resume it only after the stack has been decrypted.
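The workflow above, as an added example that is not StackMask's own code. It splits the range computation and the XOR masking into two portable helpers (hypothetical names: stack_bounds_from_region, mask_stack) and, on Windows x64 only, runs them from a second thread that suspends the main thread, reads its RSP with GetThreadContext, calls VirtualQuery, masks, spins on the timestamp counter, unmasks and resumes (hypothetical cycle_sleep, masker_thread, struct mask_job). The cycle-based sleep here is a minimal rdtsc stand-in, not the mechanism from the referenced post, and the XOR key is a constructed constant. On a non-Windows build only the helpers are exercised, on a fake stack buffer.

```c
/* Added example, not StackMask's own code. Helper names are hypothetical.
 * The live part assumes Windows x64; the two helpers are portable. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
#endif

/* Live stack range [lo, hi): from the captured RSP up to the top of the
 * committed region VirtualQuery reports around it. The stack grows down, so
 * BaseAddress + RegionSize is the highest address (the oldest frames). */
static int stack_bounds_from_region(uintptr_t rsp, uintptr_t region_base,
                                    size_t region_size, uintptr_t *lo, uintptr_t *hi)
{
    uintptr_t top = region_base + region_size;
    if (rsp < region_base || rsp >= top)
        return 0;                         /* RSP is not inside this region */
    *lo = rsp;
    *hi = top;
    return 1;
}

/* XOR every byte of [lo, hi) with a repeating key and return the byte count.
 * XOR is its own inverse: the same call encrypts and, run again, decrypts. */
static size_t mask_stack(uintptr_t lo, uintptr_t hi, const uint8_t *key, size_t keylen)
{
    uint8_t *p = (uint8_t *)lo;
    size_t n = hi - lo, i;
    for (i = 0; i < n; i++)
        p[i] ^= key[i % keylen];
    return n;
}

#ifdef _WIN32
/* Minimal stand-in for a cycle-based sleep: spin on the timestamp counter
 * instead of calling Sleep(). Not the mechanism from the referenced post. */
static void cycle_sleep(unsigned long long cycles)
{
    unsigned long long start = __rdtsc();
    while (__rdtsc() - start < cycles)
        YieldProcessor();
}

struct mask_job { HANDLE target; unsigned long long cycles; };

/* Runs on a second thread, since a thread cannot encrypt the stack it is
 * executing on: suspend target, read RSP, find region, mask, sleep, unmask, resume. */
static DWORD WINAPI masker_thread(LPVOID arg)
{
    struct mask_job *job = (struct mask_job *)arg;
    static const uint8_t key[] = { 0x5a, 0xa5, 0x3c, 0xc3 };  /* constructed key */
    CONTEXT ctx;
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t lo, hi;

    if (SuspendThread(job->target) == (DWORD)-1)
        return 1;
    ctx.ContextFlags = CONTEXT_CONTROL;   /* Rsp is in CONTEXT_CONTROL on x64 */
    if (!GetThreadContext(job->target, &ctx) ||                 /* also completes the suspend */
        !VirtualQuery((LPCVOID)(uintptr_t)ctx.Rsp, &mbi, sizeof mbi) ||
        !stack_bounds_from_region((uintptr_t)ctx.Rsp, (uintptr_t)mbi.BaseAddress,
                                  mbi.RegionSize, &lo, &hi)) {
        ResumeThread(job->target);        /* never leave the target suspended */
        return 1;
    }
    mask_stack(lo, hi, key, sizeof key);  /* frames are now unreadable in a dump */
    cycle_sleep(job->cycles);
    mask_stack(lo, hi, key, sizeof key);  /* restore before the thread runs again */
    ResumeThread(job->target);
    return 0;
}

int main(void)
{
    struct mask_job job;
    HANDLE worker;
    /* A real handle to this thread; GetCurrentThread() is a pseudo-handle
     * that would mean "the worker itself" once used on the worker. */
    job.target = OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT, FALSE,
                            GetCurrentThreadId());
    job.cycles = 3000000000ULL;           /* roughly one second at 3 GHz */
    if (!job.target) return 1;
    worker = CreateThread(NULL, 0, masker_thread, &job, 0, NULL);
    if (!worker) return 1;
    WaitForSingleObject(worker, INFINITE); /* this thread is suspended for part of the wait */
    CloseHandle(worker);
    CloseHandle(job.target);
    puts("stack masked, slept, unmasked, resumed");
    return 0;
}
#else
int main(void)
{   /* Non-Windows build: exercise the helpers on a constructed fake region. */
    uint8_t fake[256];
    const uint8_t key[] = { 0x5a, 0xa5 };
    uintptr_t lo, hi;
    memset(fake, 0x41, sizeof fake);
    if (stack_bounds_from_region((uintptr_t)fake + 64, (uintptr_t)fake, sizeof fake, &lo, &hi)) {
        printf("masked %zu bytes\n", mask_stack(lo, hi, key, sizeof key));
        mask_stack(lo, hi, key, sizeof key);  /* second pass restores the buffer */
    }
    return 0;
}
#endif
```

Compile as an x64 Windows binary to see the live behaviour; elsewhere only the helpers run. Two caveats a practitioner should keep in mind: the region VirtualQuery returns for RSP is the committed read/write part of the stack, so the guard page and reserved pages below it are not touched (they hold no data), and the XOR key sits unprotected in the masking thread's memory, so this hides frames from a naive memory scan or dump rather than providing any cryptographic guarantee.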

Demo

(Demo GIF: stack_encryption_on_runtime)

References

The sleep mechanism is taken from: https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion/

Author

Kleiton Kurti (@kleiton0x00)

About

License: MIT License


Languages

C 95.8%, Makefile 4.2%