Executable Secrets: How DreamWalker Builds Trustworthy Call Stacks

About this audio

The MaxDcb Blog discusses DreamWalkers, a novel shellcode loader that produces clean, believable call stacks even for reflectively loaded modules. Inspired by Donut and MemoryModule, the author built a position-independent shellcode loader with features such as command-line argument passing and an approach to .NET (CLR) payload support that routes through an intermediate DLL. The core innovation of DreamWalkers is that it restores proper stack unwinding by manually registering unwind information via RtlAddFunctionTable, so that reflectively loaded code blends in more effectively with legitimate processes even under scrutiny by EDR and debugging tools. Combined with module stomping, this method significantly enhances the stealth of the shellcode.
