Sleepy-Duck is an open source project created for automated security testing at the application level.

Olivaire/sleep-duck-eye-Detect-SleepMask

🧩 Stack Integrity Check

Universal Call Stack Integrity Detection Solution (SleepMask / ROP / VEH / Stack Spoofing Detection)

This project aims to provide a universal call stack integrity verification method for detecting various advanced evasion techniques, including SleepMask, call stack spoofing, ROP chain construction, and encrypted stacks.

Unlike traditional signature scanning, this method verifies the authenticity of the call stack itself, so it applies across tools and remains robust against variants. It effectively counters advanced evasion techniques such as obfuscated stacks.


📌 Background

Since the emergence of tools like DuckMemoryScan / BeaconEye that locate Beacons by traversing the stack, attackers have increasingly adopted stack obfuscation techniques such as:

  • SleepMask (Sleep-Time Call Stack Forgery)
  • ROP Constructing a Fake Call Chain
  • VEH-based Stack Spoofing
  • Randomization / Encrypted Stack
  • Shadow stack bypass

Typical manifestations include:

🔹 Stack during normal operation (actual call chain)

Actual call stack -> valid return address chain

🔹 Sleep + Mask: forged return address chain on the stack

faked call stack -> ROP frames -> junk frames

Most stack-based scanning tools fail outright against forged stacks: the forged frames present a return address chain that the scanner accepts as genuine.


🧭 Issues with Existing Detection Methods

✔ VirtualProtect Monitoring (infinityHook / VTI)

  • Advantages: Fast, accurate
  • Disadvantages: High resource consumption, requires logging all memory permission changes

✔ Feature Scanning

  • For example, scanning for unbacked return addresses on the stack, or for Sleep / SleepMask signatures
  • Advantages: High accuracy in specific scenarios
  • Disadvantages: Easily bypassed by modified code

✔ CET (Control-flow Enforcement Technology)

  • Advantages: Hardware-level, accurate, fast
  • Disadvantages: Unavailable without CPU and OS support, and the protected process must opt in to shadow stacks

🛠 General Approach: Stack Integrity Check

The core concept is based on a fundamental fact:

In the vast majority of real call stacks, return addresses can be logically linked through call instructions.
That is: The current return address should correspond to the preceding call statement.

By verifying whether this chain is natural, continuous, and logical, one can determine whether the stack has been forged.


🔬 Workflow (Core Logic)

1. Traverse the Stack

Use StackWalk64 to obtain the 64-bit call stack, i.e. the return address of each frame.

2. Pattern Matching for Anomalous Stacks

  • SleepMask often encrypts/obfuscates the stack
  • Read the code at each return address and determine whether it lies in a valid instruction region

Inspection method:

  • Extract 8 instructions near each stack address
  • Determine whether they decode as valid, contiguous machine code
  • If they do not, the stack may be counterfeit

3. Match Call Instructions and Verify Return Addresses

Match the following instruction types immediately before each return address:

  • call imm
  • call reg
  • call mem

Then verify:

call_next == return_address ?

That is, the address of the instruction following the matched call must equal the return address found on the stack. If it does not, the call chain integrity is broken → highly suspicious.
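The following is an added, self-contained C example of step 3 (it is not the project's own code). It decodes the x86-64 CALL encodings the README lists (E8 rel32, FF /2 register and memory forms, with an optional REX prefix) and checks, for each return address, whether a CALL ends exactly at that address, so that call_next == return_address. Return addresses outside the known code region are reported as unbacked. The code bytes, image base and both call stacks are constructed for the example; the names CodeRegion, preceding_call_len and count_broken_frames are the example's own. Step 2 (decoding 8 instructions around each address) needs a full-length decoder and is not included.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the x86-64 CALL instruction that starts at p and fits within
 * `avail` bytes, or 0 if the bytes at p do not encode a CALL.
 * Handled: E8 rel32 (call imm) and FF /2 (call reg / call mem, including
 * RIP-relative, SIB and disp8/disp32 forms), each with an optional REX
 * prefix. Segment/operand-size prefixes are not handled. */
static size_t call_len_at(const uint8_t *p, size_t avail)
{
    size_t i = 0;
    if (i < avail && (p[i] & 0xF0) == 0x40)   /* optional REX prefix */
        i++;
    if (i >= avail)
        return 0;
    if (p[i] == 0xE8)                          /* call rel32 */
        return (i + 5 <= avail) ? i + 5 : 0;
    if (p[i] != 0xFF || i + 1 >= avail)
        return 0;
    uint8_t modrm = p[i + 1];
    if (((modrm >> 3) & 7) != 2)               /* FF /2 is CALL; /4 would be JMP */
        return 0;
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = i + 2;                        /* prefix + opcode + modrm */
    if (mod == 3)                              /* call reg */
        return len;
    if (rm == 4) {                             /* SIB byte follows */
        if (len >= avail) return 0;
        uint8_t sib = p[len++];
        if (mod == 0 && (sib & 7) == 5)        /* [index*scale + disp32], no base */
            len += 4;
    } else if (mod == 0 && rm == 5) {          /* [rip + disp32] */
        len += 4;
    }
    if (mod == 1) len += 1;                    /* [reg + disp8]  */
    if (mod == 2) len += 4;                    /* [reg + disp32] */
    return len <= avail ? len : 0;
}

/* Does a CALL end exactly at ret_off (call_next == return_address)?
 * Tries every plausible CALL length, longest first (REX+FF+modrm+SIB+disp32
 * is 8 bytes), and returns the matching length, or 0 if none matches. */
size_t preceding_call_len(const uint8_t *code, size_t ret_off)
{
    for (size_t len = 8; len >= 2; len--) {
        if (len > ret_off) continue;
        if (call_len_at(code + ret_off - len, len) == len)
            return len;
    }
    return 0;
}

typedef struct {
    uint64_t base;        /* image base of the module's code section */
    const uint8_t *code;  /* bytes of that section */
    size_t len;
} CodeRegion;

/* Walk a list of return addresses (what StackWalk64 would hand out) and
 * count frames whose return address is unbacked or not preceded by a CALL.
 * A non-zero count means the call chain is broken. */
int count_broken_frames(const CodeRegion *r, const uint64_t *ret_addrs, size_t n)
{
    int broken = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long long a = (unsigned long long)ret_addrs[i];
        if (a < r->base || a >= r->base + r->len) {
            printf("frame %zu: %#llx is unbacked\n", i, a);
            broken++;
            continue;
        }
        size_t clen = preceding_call_len(r->code, (size_t)(a - r->base));
        if (clen == 0) {
            printf("frame %zu: %#llx not preceded by CALL -> chain broken\n", i, a);
            broken++;
        } else {
            printf("frame %zu: %#llx preceded by %zu-byte CALL\n", i, a, clen);
        }
    }
    return broken;
}

/* Constructed sample code section (hypothetical bytes, not from any real binary). */
const uint8_t SAMPLE_CODE[] = {
    0x48, 0x83, 0xEC, 0x28,              /*  0: sub  rsp, 0x28              */
    0xE8, 0x10, 0x00, 0x00, 0x00,        /*  4: call +0x10        -> ret  9 */
    0x48, 0x83, 0xC4, 0x28,              /*  9: add  rsp, 0x28              */
    0xC3,                                /* 13: ret                         */
    0xFF, 0x15, 0x00, 0x01, 0x00, 0x00,  /* 14: call [rip+0x100]  -> ret 20 */
    0x90,                                /* 20: nop                         */
    0x41, 0xFF, 0xD2,                    /* 21: call r10          -> ret 24 */
    0x5F,                                /* 24: pop  rdi    (ROP gadget)    */
    0xC3,                                /* 25: ret                         */
};
#define SAMPLE_BASE 0x7FF600001000ULL
const CodeRegion SAMPLE_REGION = { SAMPLE_BASE, SAMPLE_CODE, sizeof SAMPLE_CODE };

/* Genuine chain: every return address sits right after a CALL. */
int check_genuine_stack(void)
{
    const uint64_t s[] = { SAMPLE_BASE + 9, SAMPLE_BASE + 20, SAMPLE_BASE + 24 };
    return count_broken_frames(&SAMPLE_REGION, s, 3);
}

/* Forged chain: a return-into-ret frame, a gadget tail, and an unbacked address. */
int check_forged_stack(void)
{
    const uint64_t s[] = { SAMPLE_BASE + 13, SAMPLE_BASE + 25, SAMPLE_BASE + 0x10000 };
    return count_broken_frames(&SAMPLE_REGION, s, 3);
}

int main(void)
{
    printf("genuine chain: %d broken frame(s)\n", check_genuine_stack());
    printf("forged chain:  %d broken frame(s)\n", check_forged_stack());
    return 0;
}
```

Note the limitation this sample also exposes: the gadget at offset 24 (pop rdi; ret) happens to follow a real call r10, so a ROP frame pointing at it passes the check. Call-preceded gadgets are the standard way around a pure "preceded by CALL" test, which is why the README pairs this step with the instruction-region check and why a real implementation should resolve the call target where possible (a call imm or call [rip+disp32] whose target is not the function that the next frame returns into is still suspicious).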


📈 Detection Effectiveness

Testing against common stack spoofing frameworks:

Technique                         Detection Result
Stack encryption / junk frames
Ekko stack spoofer
SilentMoonwalker
Cronos
Various SleepMask variants

In principle, every technique that places a return address on the stack that is not immediately preceded by a call instruction can be detected this way.


🚀 Future Expansion Potential

Stack + Instruction Matching can be further applied to:

  • Unknown shellcode detection
  • Shellcode auto-tagging
  • ROP chain identification
  • Dynamic malicious behavior detection
  • Hidden execution flow prediction

More details may be disclosed in the future.


📄 Technical Keywords

  • Stack Integrity Validation
  • SleepMask Detection
  • ROP Call Chain Verification
  • StackWalk64
  • Call Pattern Matching
  • Anti-Evasion
  • Windows Internals
