x64 stack spoofing via dynamic unwind metadata registration. credits: https://github.com/klezVirus/SilentMoonwalk
hijacks x64 unwinding logic by registering synthetic RUNTIME_FUNCTION entries that cover non-PE memory regions.
the standard spoofing implementation assumes every stack walker resolves unwind metadata the way in-process RtlVirtualUnwind does. testing reveals that external analyzers (e.g., Process Hacker) ignore function tables registered by the process itself (RtlAddFunctionTable).
learning: for heap-allocated code with no visible unwind metadata, external walkers fall back to treating every frame as a leaf function: the return address is read from [RSP] and RSP advances by 8.
- synchronization: requires an 8-byte entry `RSP` pivot (RSP pointing directly at the return address, with no locals below it) to satisfy external leaf-walk logic. internal walkers continue to follow the registered metadata, so both observers recover the same chain by different routes (dual-state trace visibility).
chains synthetic frames with legitimate module decoys (KernelBase.dll) to hide the original EXE execution context.
learning: interleaving frames at fixed offsets, without honoring each decoy's real frame size, often results in "frame skipping": the unwinder lands past the synthetic return slot and jumps over the synthetic addresses.
- alignment: the implementation uses the real `FrameSize` metrics from each decoy's `UNWIND_INFO` to surgically align the stack pointer. every transition accounts for the `FrameSize + 8` (implicit `pop rip`) RSP advancement required to maintain trace continuity.
prevents stack corruption or access violations during active analysis by never executing a terminal `ret` through the forged chain: the synthetic frames are only walked, never returned into.
- stabilization: utilizes `pause; jmp` loops parked inside the address range covered by the registered metadata. the thread remains locked in a stable state, allowing the analyzer to walk the forged history without inducing a crash.
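to make the two-observer behaviour behind the synchronization and alignment notes concrete, here is a self-contained model added for this write-up (not code from SilentMoonwalk or this repo). it decodes `FrameSize` from `UNWIND_INFO` the way the x64 unwinder does for `PUSH_NONVOL` / `ALLOC_SMALL` codes, walks one constructed stack with an "external" observer that only sees the decoy module's PE table and an "internal" one that also sees the runtime-registered table, and shows that the two chains only agree when the synthetic entry frame is the 8-byte `RSP` pivot. everything below is constructed for the example: the addresses, the two decoy prologs (K1/K2), the stack contents, and the `FakeStack` / `FunctionTable` / `Walker` types. the model ignores register restores, chained unwind info, `ALLOC_LARGE`, and the partial-prolog case.

```c
#include <stdint.h>
#include <string.h>

/* Documented x64 unwind structures, trimmed to what this model needs: RSP/RIP recovery only,
 * no register restores, no chained info, codes limited to PUSH_NONVOL/ALLOC_SMALL/SAVE_NONVOL. */
typedef struct { uint32_t BeginAddress, EndAddress, UnwindInfoAddress; } RUNTIME_FUNCTION;
typedef struct { uint8_t CodeOffset, UnwindOp : 4, OpInfo : 4; } UNWIND_CODE;
typedef struct { uint8_t Version : 3, Flags : 5, SizeOfProlog, CountOfCodes, FrameRegister : 4, FrameOffset : 4;
                 UNWIND_CODE UnwindCode[4]; } UNWIND_INFO;
enum { UWOP_PUSH_NONVOL = 0, UWOP_ALLOC_SMALL = 2, UWOP_SAVE_NONVOL = 4 };

/* FrameSize: the RSP displacement the prolog produced. Assumes RIP is past the prolog so every
 * code applies; returns -1 for ops the model does not decode (ALLOC_LARGE, SET_FPREG, ...). */
static int64_t frame_size(const UNWIND_INFO *ui) {
    int64_t size = 0;
    for (int i = 0; i < ui->CountOfCodes; i++) {
        const UNWIND_CODE *c = &ui->UnwindCode[i];
        if (c->UnwindOp == UWOP_PUSH_NONVOL) size += 8;
        else if (c->UnwindOp == UWOP_ALLOC_SMALL) size += c->OpInfo * 8 + 8;
        else if (c->UnwindOp == UWOP_SAVE_NONVOL) i++;          /* two slots, RSP unchanged */
        else return -1;
    }
    return size;
}

/* Constructed process image: a stack of 8-byte slots, function tables whose ui[i] pairs with
 * rf[i] (stands in for resolving UnwindInfoAddress), and walkers that only see the tables given. */
#define NSLOTS 32
typedef struct { uint64_t base, slot[NSLOTS]; } FakeStack;
typedef struct { uint64_t image_base; const RUNTIME_FUNCTION *rf; const UNWIND_INFO *ui; int n; } FunctionTable;
typedef struct { const FunctionTable *t[2]; int n; } Walker;
static const UNWIND_INFO *lookup(const Walker *w, uint64_t rip) {
    for (int k = 0; k < w->n; k++)
        for (int i = 0; i < w->t[k]->n; i++) {
            uint64_t lo = w->t[k]->image_base + w->t[k]->rf[i].BeginAddress, hi = w->t[k]->image_base + w->t[k]->rf[i].EndAddress;
            if (rip >= lo && rip < hi) return &w->t[k]->ui[i];
        }
    return NULL;                                   /* no metadata: caller treats rip as a leaf */
}

/* Virtual unwind loop. With metadata: RSP += FrameSize, then the implicit pop rip (+8).
 * Without it: leaf semantics, the return address is already at [RSP]. Returns frames found. */
static int walk(const Walker *w, const FakeStack *s, uint64_t rip, uint64_t rsp, uint64_t *out, int max) {
    int n = 0;
    for (; n < max; n++) {
        const UNWIND_INFO *ui = lookup(w, rip);
        if (ui) { int64_t fs = frame_size(ui); if (fs < 0) return -1; rsp += (uint64_t)fs; }
        uint64_t i = (rsp - s->base) / 8;
        rip = (rsp >= s->base && i < NSLOTS) ? s->slot[i] : 0;
        rsp += 8;
        if (rip == 0) break;                       /* 0 terminator, like the end of RtlUserThreadStart */
        out[n] = rip;
    }
    return n;
}
#define KB_BASE   0x7ff800000000ULL                /* decoy module base (constructed) */
#define HEAP_BASE 0x020000000000ULL                /* non-PE region holding the pause; jmp loop (constructed) */
#define STK_BASE  0x00007ffffff000ULL
#define K1_RET    (KB_BASE + 0x1040)               /* return sites inside the two decoy functions */
#define K2_RET    (KB_BASE + 0x2020)
#define K1_SIZE   0x38                             /* push rbp; push rbx; sub rsp,0x28 */
#define JUNK      0x4141414141414141ULL            /* uninitialised local inside a synthetic frame */
static const RUNTIME_FUNCTION kb_rf[2] = { {0x1000, 0x1100, 0}, {0x2000, 0x2080, 0} };
static const UNWIND_INFO kb_ui[2] = {              /* codes are stored last-prolog-op first */
    { .Version = 1, .SizeOfProlog = 8, .CountOfCodes = 3,
      .UnwindCode = { {8, UWOP_ALLOC_SMALL, 4}, {2, UWOP_PUSH_NONVOL, 3}, {1, UWOP_PUSH_NONVOL, 5} } },
    { .Version = 1, .SizeOfProlog = 4, .CountOfCodes = 1, .UnwindCode = { {4, UWOP_ALLOC_SMALL, 4} } } };
/* Entry registered at run time (RtlAddFunctionTable in the real thing) for the loop at +0x10..+0x20. */
static const RUNTIME_FUNCTION dyn_rf[1] = { {0x10, 0x20, 0} };
static const UNWIND_INFO dyn_synced = { .Version = 1 };                  /* no codes: FrameSize 0 */
static const UNWIND_INFO dyn_skewed = { .Version = 1, .SizeOfProlog = 4, .CountOfCodes = 1,
                                        .UnwindCode = { {4, UWOP_ALLOC_SMALL, 3} } };   /* claims 0x20 */

/* Lay the forged history out for the metadata walker: synthetic entry frame, then K1's frame
 * (K1_SIZE) and return slot, then K2's return slot; memset leaves the 0 terminator after K2. */
static void build_stack(FakeStack *s, int entry_size) {
    memset(s, 0, sizeof *s);
    s->base = STK_BASE;
    int i = entry_size / 8;
    if (i) s->slot[0] = JUNK;
    s->slot[i] = K1_RET;  i += 1 + K1_SIZE / 8;
    s->slot[i] = K2_RET;
}

typedef struct { int ext_n, int_n; uint64_t ext[8], in[8]; } Trace;
/* Same stack, two observers: one that only sees PE tables (Process Hacker-style) and one that
 * also sees the registered table (in-process RtlVirtualUnwind), starting inside the parked loop. */
static Trace run(const UNWIND_INFO *synthetic) {
    FunctionTable kb = { KB_BASE, kb_rf, kb_ui, 2 }, dyn = { HEAP_BASE, dyn_rf, synthetic, 1 };
    Walker external = { { &kb }, 1 }, internal = { { &kb, &dyn }, 2 };
    FakeStack stk;
    build_stack(&stk, (int)frame_size(synthetic));
    Trace t = {0};
    t.ext_n = walk(&external, &stk, HEAP_BASE + 0x14, STK_BASE, t.ext, 8);
    t.int_n = walk(&internal, &stk, HEAP_BASE + 0x14, STK_BASE, t.in, 8);
    return t;
}
Trace trace_synced(void) { return run(&dyn_synced); }  /* 8-byte entry pivot: both walkers agree */
Trace trace_skewed(void) { return run(&dyn_skewed); }  /* non-zero entry frame: external view breaks */
```

`trace_synced` is the layout the notes describe: the registered entry for the loop carries no unwind codes, so the internal walker advances by `0 + 8` and the external leaf fallback advances by `8`, and both land on K1's return slot, then walk K1 and K2 by `FrameSize + 8`. `trace_skewed` is the caveat: the moment the synthetic entry frame claims a non-zero `FrameSize`, the internal walker still recovers K1 and K2, but the external walker reads the frame's first local as a return address and the trace dies after one bogus frame. that is the divergence the 8-byte entry pivot exists to prevent.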
```sh
make build
make run
```