// Synthetic Stack Frame Evasion
Master synthetic call stack construction for EDR evasion. Learn how Beacon Object Files, x64 stack unwinding metadata, JMP RBX gadgets, and indirect syscalls combine to make shellcode calls look like legitimate Windows thread initialization. By NtDallas.
How EDRs walk the call stack, detect unbacked memory, and why shellcode API calls look suspicious to kernel callbacks.
02 (Beginner) What BOFs are, how Cobalt Strike loads them, in-process execution, and the BOF API. Why Draugr is a BOF.
03 (Beginner) RUNTIME_FUNCTION, UNWIND_INFO, UNWIND_CODEs, RtlVirtualUnwind, and how Windows navigates the call stack without frame pointers.
04 (Intermediate) Syscall stub pattern matching, neighbor-based fallback for hooked stubs, and jumping to the syscall instruction in ntdll.
05 (Intermediate) Stub.s walkthrough: register preservation, stack argument copying, and the five-phase execution model from init to cleanup.
06 (Advanced) Building fake frames for BaseThreadInitThunk and RtlUserThreadStart. UNWIND_CODE parsing, frame size calculation, and three-layer stack layout.
07 (Advanced) JMP [RBX] gadget discovery in kernelbase.dll, the PRM structure, fixup routine, and seamless return to the caller.
08 (Advanced) End-to-end flow, Intel CET/Shadow Stacks, BeaconGate integration, Eden UDRL, and comparison with ThreadStackSpoofer, SilentMoonWalk, and WithSecure.
github.com/NtDallas/Draugr
github.com/susMdT/LoudSunRun
github.com/klezVirus/SilentMoonwalk
github.com/mgeeky/ThreadStackSpoofer
github.com/WithSecureLabs/CallStackSpoofer
github.com/Cobalt-Strike/eden
github.com/NtDallas/OdinLdr
learn.microsoft.com/en-us/cpp/build/exception-handling-x64