Return Address Spoofing

Created the Sunday 29 January 2023. Updated 8 months ago.

Return Address Spoofing is a technique used in x64 architecture to bypass the limitations of the x64 fastcall mechanism. The traditional method of spoofing return addresses in x86 (e.g. using a ret in a game module as a trampoline) is not feasible in x64 due to caller cleanup and red zone.

To overcome this, the code creates a temporary storage for the shellcode on the stack, where the address of a gadget and the called function are stored. An extra 8 bytes are reserved for the shellcode. The address of the storage is then passed to the shellcode, which reads the addresses, stores the original return address, the original content of the nonvolatile register (rbx), and the shellcode's return address.

The shellcode then jumps into the called function, which runs and returns to the gadget (jmp [rbx]). The remaining shellcode restores rbx, aligns the stack, and "returns" to the original return address using a jump instruction. This technique enables the shellcode to hide its presence from endpoint security software and memory scanners, while maintaining its malicious functionality.

Technique Identifier

U0518

Code Snippets

Description

This code implements a templated function called spoof_call that takes three arguments: trampoline, fn, and args.... The function creates a struct shell_params that contains two void pointers: trampoline and function. The function then calls the do_call function of the struct argument_remapper, which will forward the arguments to a helper function shellcode_stub_helper that calls fn using the arguments. The number of arguments is limited to 4 or fewer or at least 5, depending on the size of Args. The spoof_call function is used to call fn via the trampoline pointer. The purpose of this code is not clear, but it appears to be related to calling functions in a specific manner.

Source: https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html

#include <type_traits>
 
namespace detail
{
	extern "C" void* _spoofer_stub();
 
	template <typename Ret, typename... Args>
	static inline auto shellcode_stub_helper(
		const void* shell,
		Args... args
	) -> Ret
	{
		auto fn = (Ret(*)(Args...))(shell);
		return fn(args...);
	}
 
	template <std::size_t Argc, typename>
	struct argument_remapper
	{
		// At least 5 params
		template<
			typename Ret,
			typename First,
			typename Second,
			typename Third,
			typename Fourth,
			typename... Pack
		>
		static auto do_call(
			const void* shell,
			void* shell_param,
			First first,
			Second second,
			Third third,
			Fourth fourth,
			Pack... pack
		) -> Ret
		{
			return shellcode_stub_helper<
				Ret,
				First,
				Second,
				Third,
				Fourth,
				void*,
				void*,
				Pack...
			>(
				shell,
				first,
				second,
				third,
				fourth,
				shell_param,
				nullptr,
				pack...
			);
		}
	};
 
	template <std::size_t Argc>
	struct argument_remapper<Argc, std::enable_if_t<Argc <= 4>>
	{
		// 4 or less params
		template<
			typename Ret,
			typename First = void*,
			typename Second = void*,
			typename Third = void*,
			typename Fourth = void*
		>
		static auto do_call(
			const void* shell,
			void* shell_param,
			First first = First{},
			Second second = Second{},
			Third third = Third{},
			Fourth fourth = Fourth{}
		) -> Ret
		{
			return shellcode_stub_helper<
				Ret,
				First,
				Second,
				Third,
				Fourth,
				void*,
				void*
			>(
				shell,
				first,
				second,
				third,
				fourth,
				shell_param,
				nullptr
			);
		}
	};
}
 
 
template <typename Ret, typename... Args>
static inline auto spoof_call(
	const void* trampoline,
	Ret(*fn)(Args...),
	Args... args
) -> Ret
{
	struct shell_params
	{
		const void* trampoline;
		void* function;
		void* rbx;
	};
 
	shell_params p{ trampoline, reinterpret_cast<void*>(fn) };
	using mapper = detail::argument_remapper<sizeof...(Args), void>;
	return mapper::template do_call<Ret, Args...>((const void*)&detail::_spoofer_stub, &p, args...);
}

Description

Source: https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html

COMMENT ~
    PUBLIC _spoofer_stub
     
    .code
     
    _spoofer_stub PROC
        pop r11 ~ poping without setting up stack frame, r11 is the return address (the one in our code)
        add rsp, 8 ~ skipping callee reserved space
        mov rax, [rsp + 24] ~ dereference shell_param
        
        mov r10, [rax] ~ load shell_param.trampoline
        mov [rsp], r10 ~ store address of trampoline as return address
        
        mov r10, [rax + 8] ~ load shell_param.function
        mov [rax + 8], r11 ~ store the original return address in shell_param.function
     
        mov [rax + 16], rbx ~ preserve rbx in shell_param.rbx
        lea rbx, fixup
        mov [rax], rbx ~ store address of fixup label in shell_param.trampoline
        mov rbx, rax ~ preserve address of shell_param in rbx
        
        jmp r10 ~ call shell_param.function
     
    fixup:
        sub rsp, 16
        mov rcx, rbx ~ restore address of shell_param
        mov rbx, [rcx + 16] ~ restore rbx from shell_param.rbx
        jmp QWORD PTR [rcx + 8] ~ jmp to the original return address
    _spoofer_stub ENDP
     
    END

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html