Universal Call Stack Integrity Detection Solution (SleepMask / ROP / VEH / Stack Spoofing Detection)
This project aims to provide a universal call stack integrity verification method for detecting various advanced evasion techniques, including SleepMask, call stack spoofing, ROP chain construction, and encrypted stacks.
Unlike traditional signature scanning, this method is based on authenticity verification of the call stack, inherently offering universal applicability and robustness against variants. It effectively counters advanced evasion techniques such as obfuscated stacks.
Since the emergence of tools like DuckMemoryScan / BeaconEye that locate Beacons by traversing the stack, attackers have increasingly adopted various stack obfuscation techniques, such as:
ALL Δ°MG
- SleepMask (Sleep-Time Call Stack Forgery)
- ROP Constructing a Fake Call Chain
- VEH-based Stack Spoofing
- Randomization / Encrypted Stack
- Shadow stack bypass
Typical manifestations include:
πΉ Stack during normal operation (actual call chain)
Actual call stack -> Valid return address chain
πΉ Sleep + Mask: Forged Return Address Chain in the Stack
faked call stack -> ROP frames -> junk frames
Most stack-based scanning detection tools fail outright when confronted with forged stacks. Forged stacks return address chains.
β VirtualProtect Monitoring (infinityHook / VTI)
- Advantages: Fast, accurate
- Disadvantages: High resource consumption, requires logging all memory permission changes
β Feature Scanning
- Such as scanning
unbacked stack β Sleepor SleepMask features - Advantages: High accuracy in specific scenarios
- Disadvantages: Easily bypassed by modified code
β CET (Control-flow Enforcement Technology)
- Advantages: Hardware-level, accurate, fast
- Disadvantages: Unavailable without hardware support
π General Approach: Stack Integrity Check
The core concept is based on a fundamental fact:
In the vast majority of real call stacks, return addresses can be logically linked through
callinstructions.
That is: The current return address should correspond to the preceding call statement.
By verifying whether this chain is natural, continuous, and logical, one can determine whether the stack has been forged.
Use StackWalk64 to obtain the 64-bit call stack.
- SleepMask often encrypts/obfuscates the stack
- Determine if it's a valid instruction region by reading the code within the stack
Inspection Method:
- Extract 8 instructions near each stack address
- Determine if they constitute valid, contiguous machine code
- If invalid, the stack may be counterfeit
Code checks whether the region contains valid instructions
- Match Call Instructions and Verify Return Addresses
Match the following instruction types:
call immcall regcall mem
Then verify:
call_next == return_address ?
If not true, it indicates the call chain integrity is broken β highly suspicious.
Testing against common stack spoofing frameworks:
| Technique | Detection Result |
|---|---|
| Stack encryption / junk frames | β |
| Ekko stack spoofer | β |
| SlientMoonWalker | β |
| Cronos | β |
| Various SleepMask variants | β |
Theoretically, all stack manipulation-based mechanisms can be detected.
π Future Expansion Potential
Stack + Instruction Matching can be further applied to:
- Unknown shellcode detection
- Shellcode auto-tagging
- ROP chain identification
- Dynamic malicious behavior detection
- Hidden execution flow prediction
More details may be disclosed in the future.
- Stack Integrity Validation
- SleepMask Detection
- ROP Call Chain Verification
- StackWalk64
- Call Pattern Matching
- Anti-Evasion
- Windows Internals