Bring Your Own Unwinding Data (BYOUD)

Researcher Klez has demonstrated a technique for manipulating Windows stack unwind metadata. This allows an attacker to forge the call stack on systems with Intel CET enabled, without altering return addresses.
The approach relies on the separation between CET (Control-flow Enforcement Technology) and Windows stack unwinding: CET enforces return-flow integrity, while Windows stack unwinding operates independently through exception metadata. By modifying unwind metadata, an attacker can craft legitimate-looking call stacks while remaining compliant with CET. The technique can be used to evade EDR detection.
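
A defender-side integrity check, added here as an example (not code from the researcher or from the original page): it compares a module's x64 exception directory as loaded in memory against the copy in the on-disk image. It assumes that forged unwind data shows up as a difference between the two; the buffers, RVAs and function names are constructed for illustration.

```python
import struct

# x64 RUNTIME_FUNCTION: BeginAddress, EndAddress, UnwindInfoAddress (all RVAs).
RUNTIME_FUNCTION = struct.Struct("<III")

def unwind_info_bytes(image, rva):
    """Return the 4-byte UNWIND_INFO header plus its unwind-code array."""
    count_of_codes = image[rva + 2]  # byte 2 of UNWIND_INFO is CountOfCodes
    return bytes(image[rva : rva + 4 + 2 * count_of_codes])

def parse_pdata(image, pdata_rva, pdata_size):
    """Map each function's BeginAddress to (EndAddress, UNWIND_INFO bytes)."""
    table = {}
    for off in range(pdata_rva, pdata_rva + pdata_size, RUNTIME_FUNCTION.size):
        begin, end, info_rva = RUNTIME_FUNCTION.unpack_from(image, off)
        table[begin] = (end, unwind_info_bytes(image, info_rva))
    return table

def diff_unwind(disk, mem, pdata_rva, pdata_size):
    """List functions whose unwind metadata in memory differs from the file.

    Both buffers are laid out so that offset == RVA. The fields compared are
    RVAs and opcodes, so base relocations do not affect them. Chained unwind
    info is not followed in this example.
    """
    ref = parse_pdata(disk, pdata_rva, pdata_size)
    live = parse_pdata(mem, pdata_rva, pdata_size)
    findings = []
    for begin in sorted(ref.keys() | live.keys()):
        if begin not in live:
            findings.append((begin, "entry missing in memory"))
        elif begin not in ref:
            findings.append((begin, "entry not present on disk"))
        elif ref[begin][0] != live[begin][0]:
            findings.append((begin, "function range changed"))
        elif ref[begin][1] != live[begin][1]:
            findings.append((begin, "UNWIND_INFO changed"))
    return findings

def build_sample():
    """Constructed reference image and a copy with one unwind code altered."""
    disk = bytearray(0x100)
    RUNTIME_FUNCTION.pack_into(disk, 0x40, 0x1000, 0x1040, 0x80)
    RUNTIME_FUNCTION.pack_into(disk, 0x4C, 0x1040, 0x1090, 0x90)
    disk[0x80:0x86] = bytes.fromhex("010401000442")      # 1 unwind code
    disk[0x90:0x98] = bytes.fromhex("0105020005420150")  # 2 unwind codes
    mem = bytearray(disk)
    mem[0x95] = 0x82  # constructed change to the second function's unwind code
    return disk, mem
```

A check of this kind only covers unwind data that comes from a module's image; it says nothing about metadata registered at run time.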
Vendors: Intel
Products: BYOUD, Control-Flow Enforcement Technology, EDR, Intel CET, Windows
Published: 2026-03-26, 12:22