# CET Spoofing Detection
This tool is a proof of concept that aims to detect stack spoofing in CET-enabled processes. It does this by comparing the shadow stack to the user stack and looking for missing frames.
There are some false positives when a process uses .NET.
### Compilation
- Assumes clang/clang++, cmake and ninja are in your PATH.
- Untested with MSVC.
### Build
```
cmake -B build -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -G Ninja
cmake --build build
```
```text
PS C:\Users\dev\CLionProjects\CETSpoofingDetection> cmake -B build -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -G Ninja
-- The C compiler identification is Clang 22.1.2 with GNU-like command-line
-- The CXX compiler identification is Clang 22.1.2 with GNU-like command-line
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files/LLVM/bin/clang.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files/LLVM/bin/clang++.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (4.7s)
-- Generating done (0.0s)
-- Build files have been written to: C:/Users/dev/CLionProjects/CETSpoofingDetection/build
PS C:\Users\dev\CLionProjects\CETSpoofingDetection> cmake --build build
[6/6] Linking CXX executable CETSpoofingDetection.exe
PS C:\Users\dev\CLionProjects\CETSpoofingDetection>
```
### Usage
Just run the application inside a terminal. It takes a snapshot of threads, iterates through them, extracts the CET processes and then checks the stacks of those.
Below is an example of using it against the BYOUD project: https://github.com/klezVirus/BYOUD
The spoofed callstack
Detection from the tool.
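
The shadow-stack versus user-stack comparison described at the top of this README, as an added sketch that is not this project's source code. It assumes both stacks have already been read into lists of return addresses ordered innermost frame first; `compare_stacks`, `Comparison` and the addresses are hypothetical, constructed for illustration. It goes slightly beyond "missing frames" by also reporting frames that appear only in the user-stack walk.

```cpp
// Added illustration, not the tool's source: compares two lists of return
// addresses (innermost frame first) and reports frames present in only one.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

using Stack = std::vector<uint64_t>;

struct Comparison {
    Stack hidden;      // on the shadow stack, missing from the user-stack walk
    Stack fabricated;  // in the user-stack walk, never recorded on the shadow stack
    bool spoofed() const { return !hidden.empty() || !fabricated.empty(); }
};

// Align with a longest-common-subsequence table so one missing frame does not
// flag every frame after it.
Comparison compare_stacks(const Stack& shadow, const Stack& walked) {
    const size_t n = shadow.size(), m = walked.size();
    std::vector<std::vector<size_t>> lcs(n + 1, std::vector<size_t>(m + 1, 0));
    for (size_t i = n; i-- > 0;)
        for (size_t j = m; j-- > 0;)
            lcs[i][j] = shadow[i] == walked[j]
                            ? lcs[i + 1][j + 1] + 1
                            : std::max(lcs[i + 1][j], lcs[i][j + 1]);
    Comparison out;
    size_t i = 0, j = 0;
    while (i < n && j < m) {
        if (shadow[i] == walked[j]) { ++i; ++j; }
        else if (lcs[i + 1][j] >= lcs[i][j + 1]) out.hidden.push_back(shadow[i++]);
        else out.fabricated.push_back(walked[j++]);
    }
    while (i < n) out.hidden.push_back(shadow[i++]);
    while (j < m) out.fabricated.push_back(walked[j++]);
    return out;
}

// Constructed sample data (not captured from a real process).
const Stack kShadow = {0x1000, 0x2000, 0x3000, 0x4000};
const Stack kWalkedSpoofed = {0x1000, 0x9000, 0x4000};

int main() {
    Comparison c = compare_stacks(kShadow, kWalkedSpoofed);
    for (uint64_t a : c.hidden) std::printf("missing from user stack: 0x%llx\n", (unsigned long long)a);
    for (uint64_t a : c.fabricated) std::printf("not on shadow stack:     0x%llx\n", (unsigned long long)a);
    return 0;
}
```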