This folder contains a curated lab corpus for validating StackSentry detections. These files are intentionally suspicious and should be executed only in a controlled VM or malware-analysis lab.
Run every command from the repository root after building StackSentry.
Source build:
```powershell
.\build.ps1
```

The call stack values below are representative StackSentry stack summaries captured at the sensitive DLL-load event. ASLR, Windows build, loaded modules, and timeout timing can change offsets and occasionally the exact lower frames, but the suspicious pattern should remain the same.
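Added here as a triage helper, not part of StackSentry or this corpus: it parses the `dll:` / `a|b|c` expected-stack blocks used throughout this page and names the stack-only signal a summary carries (an Unbacked tail frame, a BackedModified frame, a module outside the plain loader path), or reports that the stack is fully backed and proves nothing on its own, which is why the synthetic-stack samples need /regtrace or /stack-audit. The module sets, finding names and the embedded sample block are the example's own assumptions, constructed from the expectations quoted further down.

```python
# Plain LoadLibrary -> NT loader path as it appears in this page's expected
# stacks; any other module in the chain is a candidate proxy or gadget carrier.
LOADER_PATH = {"kernelbase.dll", "kernel32.dll", "ntdll.dll"}
SYNTHETIC = {"Unbacked", "BackedModified"}  # printed instead of a module name


def parse_expected_block(text):
    """Map each '<dll>:' label to the summary line that follows it."""
    stacks, label = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "|" not in line:
            label = line[:-1]          # "ws2_32.dll:" -> "ws2_32.dll"
        elif label is not None:
            stacks[label] = line
            label = None
    return stacks


def triage(summary):
    """Name the stack-only signals in one summary (innermost frame first)."""
    frames = [f.strip() for f in summary.split("|") if f.strip()]
    if not frames:
        raise ValueError("empty stack summary")
    findings = []
    if frames[-1] == "Unbacked":
        findings.append("unbacked_origin")   # tail frame is private memory
    if "BackedModified" in frames:
        findings.append("modified_image")    # code cave / stomped module
    gadgets = sorted({f for f in frames if f not in (LOADER_PATH | SYNTHETIC)})
    if gadgets:
        findings.append("non_loader_module:" + ",".join(gadgets))
    if not findings:
        # Every frame is a clean loader-path module: the stack alone proves
        # nothing, so attribution has to come from /regtrace or /stack-audit.
        findings.append("fully_backed_no_stack_evidence")
    return findings


# Constructed from the payload_10 expectations quoted further down this page.
SAMPLE_10_BLOCK = """
wininet.dll:
kernelbase.dll|kernelbase.dll|Unbacked
ws2_32.dll:
kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernel32.dll|ntdll.dll
"""
```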
First safe pass:

```powershell
.\build\StackSentry64.exe /run sample.exe /quick /no-target-output /timeout 5000
```

Strong default for suspicious loaders:

```powershell
.\build\StackSentry64.exe /run sample.exe /max /no-target-output /timeout 10000
```

Anti-evasion hunting bundle:

```powershell
.\build\StackSentry64.exe /run sample.exe /max /hunt /no-target-output /timeout 15000
```

Hidden proxy/gadget origin:

```powershell
.\build\StackSentry64.exe /run sample.exe /max /regtrace /no-target-output /timeout 10000
```

Network API use attribution is explicit and not part of /hunt:

```powershell
.\build\StackSentry64.exe /run sample.exe /max /hunt /network-use-trace /no-target-output /timeout 30000
```

Remote loader that injects into another process:

```powershell
.\build\StackSentry64.exe /run loader.exe /max /follow-remote /regtrace /no-target-output /timeout 15000
```

Keep the target alive after timeout for debugger inspection:

```powershell
.\build\StackSentry64.exe /run target.exe /max /no-target-output /timeout 10000 /keep-alive
```

Full stack in one line, without repeated-frame compression:

```powershell
.\build\StackSentry64.exe /run target.exe /max /inline-stack /no-target-output /timeout 10000
```

Full stack frame-by-frame with module offsets:
```powershell
.\build\StackSentry64.exe /run target.exe /max /full-stack /no-target-output /timeout 10000
```

| File | Purpose |
|---|---|
| sample_00_pic_runner.exe | Runs a PIC payload passed after --. |
| sample_01_pic_loadlibrary_proxy_runner.exe | Runs a PIC payload after preloading nvwgf2umx.dll as a local gadget carrier. |
| payload_01_pic_loadlibrary_proxy.bin | PIC LoadLibrary proxy payload used with sample_01_pic_loadlibrary_proxy_runner.exe. |
| sample_02_ldrloaddll_direct.exe | Direct LdrLoadDll origin-trace test. |
| sample_03_text_section_proxy.exe | Shellcode/proxy execution from executable image .text. |
| sample_04_text_section_code_cave.exe | Code-cave gadget / modified image detection test. |
| sample_05_dll_payload_host.exe | Host that loads LoadInText.dll, then runs a DLL-mode payload. |
| LoadInText.dll | Dependency for sample_05_dll_payload_host.exe; keep this exact name. |
| sample_06_veh_context_origin.exe | VEH-context origin-correlation test. |
| sample_07_silentmoon_direct.exe | SilentMoonwalk-style stack spoofing, one-shot DLL load. |
| sample_08_silentmoon_synthetic.exe | Synthetic stack variant intended to remove the obvious unbacked tail frame. |
| payload_09_silentmoon_rdi.bin | Donut/RDI payload for SilentMoonwalk coverage. |
| payload_10_silentmoon_rdi_synthetic.bin | Donut/RDI synthetic-stack payload for stronger stack-spoofing coverage. |
| sample_11_silentmoon_rdi_threaded.exe | Threaded SilentMoonwalk/RDI harness. |
| payload_12_byoud_rdi.bin | Donut/RDI BYOUD payload. |
| byoud.dll | Dependency for the BYOUD payload; keep this exact name. |
| sample_13_massdriver_dispatch.exe | MassDriver-like cross-thread function dispatch test. |
| sample_14_threadpool_chain.exe | Threadpool callback-chain proxy test. |
| sample_15_remote_victim.exe | Remote-injection victim process. |
| sample_16_remote_shellcode_injector.exe | Injector for sample_15_remote_victim.exe; pass the victim PID. |
| sample_17_network_reuse_probe.exe | Reuses an already-loaded network DLL from private executable memory. |
| nvwgf2umx.dll | Support DLL used by gadget-search payloads on machines without a suitable local module. |
sample_01_pic_loadlibrary_proxy_runner.exe with payload_01_pic_loadlibrary_proxy.bin:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_01_pic_loadlibrary_proxy_runner.exe /max /regtrace /no-target-output /timeout 25000 -- .\samples\payload_01_pic_loadlibrary_proxy.bin
```

Expected DLL-load stack:

```text
wininet:
kernelbase.dll|kernelbase.dll|nvwgf2umx.dll|ntdll.dll|ntdll.dll|kernel32.dll|ntdll.dll
```

Expected attribution:

```text
source: register_trace_thread_start kind=thread_start_origin
origin: Unbacked
```
sample_02_ldrloaddll_direct.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_02_ldrloaddll_direct.exe /max /regtrace /no-target-output /timeout 9000
```

Expected DLL-load stack:

```text
wininet.dll:
Unbacked
```

Expected attribution:

```text
source: execution_guard kind=proxy_transfer
origin: sample_02_ldrloaddll_direct.exe
```
sample_03_text_section_proxy.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_03_text_section_proxy.exe /max /hunt /no-target-output /timeout 13000
```

Expected DLL-load stack:

```text
wininet:
kernelbase.dll|kernelbase.dll|nvwgf2umx.dll|ntdll.dll|ntdll.dll|kernel32.dll|ntdll.dll
```

Expected attribution:

```text
source: register_trace_thread_start kind=thread_start_origin
origin: sample_03_text_section_proxy.exe
```
sample_04_text_section_code_cave.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_04_text_section_code_cave.exe /max /hunt /no-target-output /timeout 13000
```

Expected DLL-load stack:

```text
wininet:
kernelbase.dll|kernelbase.dll|BackedModified
```

Expected attribution:

```text
source: temporal_image_stomp kind=image_stomp_origin
modified module: ucrtbased.dll or another writable code-cave target
```
sample_05_dll_payload_host.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_05_dll_payload_host.exe /max /regtrace /no-target-output /timeout 13000
```

Expected DLL-load stack:

```text
wininet:
kernelbase.dll|kernelbase.dll|nvwgf2umx.dll|ntdll.dll|ntdll.dll|kernel32.dll|ntdll.dll
```

Expected attribution:

```text
source: execution_guard kind=proxy_transfer
origin: LoadInText.dll
```
sample_06_veh_context_origin.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_06_veh_context_origin.exe /regtrace /no-target-output /timeout 13000
```

This sample uses a VEH exception path to redirect RIP before the proxy DLL load. /regtrace tracks the dynamic executable transition and correlates the redirected RIP back to the origin that disappears from the final DLL-load stack.

Expected DLL-load stack:

```text
wininet:
kernelbase.dll|kernelbase.dll|nvwgf2umx.dll|ntdll.dll|ntdll.dll|kernel32.dll|ntdll.dll
```

Expected attribution:

```text
source: veh_context kind=veh_rip_origin
origin: VEH redirected RIP that is absent from the final DLL-load stack
```
sample_07_silentmoon_direct.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_07_silentmoon_direct.exe /max /stack-audit /regtrace /no-target-output /timeout 9000
```

Expected DLL-load stack:

```text
wininet.dll:
kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernel32.dll|ntdll.dll
```

Expected detection:

```text
rules: stack_audit_return_frame_without_matching_call, sensitive_dll_load_origin_hidden_by_register_trace
source: execution_guard kind=proxy_transfer
```
sample_08_silentmoon_synthetic.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_08_silentmoon_synthetic.exe /max /stack-audit /regtrace /no-target-output /timeout 9000
```

Expected DLL-load stack:

```text
ws2_32.dll:
kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernel32.dll|ntdll.dll
```

Expected detection:

```text
rules: return_address_without_plausible_callsite, stack_audit_return_frame_without_matching_call
source: execution_guard kind=proxy_transfer
```
sample_00_pic_runner.exe with payload_09_silentmoon_rdi.bin:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_00_pic_runner.exe /max /stack-audit /regtrace /no-target-output /timeout 12000 -- .\samples\payload_09_silentmoon_rdi.bin
```

Expected DLL-load stacks:

```text
wininet.dll:
kernelbase.dll|kernelbase.dll|Unbacked
mscoree.dll:
kernelbase.dll|kernelbase.dll|Unbacked
ws2_32.dll:
kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|Unbacked
```

The wininet.dll and mscoree.dll loads usually come from the Donut/RDI bootstrap. The ws2_32.dll load is the SilentMoonwalk test stage.
sample_00_pic_runner.exe with payload_10_silentmoon_rdi_synthetic.bin:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_00_pic_runner.exe /max /stack-audit /regtrace /memory-audit /no-target-output /timeout 12000 -- .\samples\payload_10_silentmoon_rdi_synthetic.bin
```

Expected DLL-load stacks:

```text
wininet.dll:
kernelbase.dll|kernelbase.dll|Unbacked
mscoree.dll:
kernelbase.dll|kernelbase.dll|Unbacked
ws2_32.dll:
kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernel32.dll|ntdll.dll
```

This is one of the strongest screenshot samples because the final ws2_32.dll stack can look fully backed while StackSentry still attributes the hidden origin.
sample_11_silentmoon_rdi_threaded.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_11_silentmoon_rdi_threaded.exe /max /stack-audit /regtrace /memory-audit /no-target-output /timeout 12000
```

Expected DLL-load stacks:

```text
wininet.dll:
kernelbase.dll|kernelbase.dll|Unbacked
mscoree.dll:
kernelbase.dll|kernelbase.dll|Unbacked
ws2_32.dll:
kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|kernelbase.dll|Unbacked
```
sample_00_pic_runner.exe with payload_12_byoud_rdi.bin:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_00_pic_runner.exe /max /hunt /no-target-output /timeout 30000 -- .\samples\payload_12_byoud_rdi.bin
```

Expected bootstrap DLL-load stacks:

```text
wininet.dll:
kernelbase.dll|kernelbase.dll|Unbacked
mscoree.dll:
kernelbase.dll|kernelbase.dll|Unbacked
```

Expected BYOUD target-stage DLL-load stack when the payload reaches the network DLL call:

```text
ws2_32.dll:
kernelbase.dll|kernelbase.dll|ntdll.dll|kernelbase.dll|kernel32.dll|ntdll.dll
```

Expected BYOUD findings:

```text
rules: byoud_runtime_function_unwind_hijack
rules: byoud_unwind_info_tampered
source: byoud_register_trace kind=byoud_hidden_loader_origin
origin: byoud hidden loader context
```

byoud_unwind_section_protection_changed may also appear when the monitor observes the protection transition around unwind metadata, but the core proof for this sample is the runtime-function / unwind-info divergence plus the ws2_32.dll load attributed through byoud_register_trace.

The BYOUD stage is more timing-sensitive than the smaller samples. If only the bootstrap loads appear, rerun with a longer timeout.
sample_13_massdriver_dispatch.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_13_massdriver_dispatch.exe /max /dispatch-trace /regtrace /no-target-output /timeout 12000
```

Expected DLL-load stack:

```text
wininet.dll:
kernelbase.dll|kernelbase.dll|sample_13_massdriver_dispatch.exe|kernel32.dll|ntdll.dll
```

Expected dispatch trace:

```text
source: thread_message_dispatch kind=function_proxy_dispatch
requester: Unbacked
worker caller: sample_13_massdriver_dispatch.exe
function: LoadLibraryA
argument: wininet.dll
```
sample_14_threadpool_chain.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_14_threadpool_chain.exe /max /threadpool-chain-trace /no-target-output /timeout 12000
```

Expected DLL-load stack:

```text
winhttp.dll:
kernelbase.dll|kernelbase.dll|wininet.dll|kernelbase.dll|ntdll.dll|kernelbase.dll|ntdll.dll|ntdll.dll|kernel32.dll|ntdll.dll
```

Expected attribution:

```text
source: threadpool_chain_context kind=threadpool_chain_context
origin: sample_14_threadpool_chain.exe
visible caller: wininet.dll or another clean gadget module
```

This sample requires /threadpool-chain-trace. /hunt does not enable the threadpool chain hooks by default, so a run without this flag may show the DLL load in external tools while StackSentry stays quiet.
sample_16_remote_shellcode_injector.exe against sample_15_remote_victim.exe:

Start the victim first, capture its PID, then run the injector under StackSentry:

```powershell
$victim = Start-Process .\samples\sample_15_remote_victim.exe -PassThru
.\build\StackSentry64.exe /run .\samples\sample_16_remote_shellcode_injector.exe /max /follow-remote /regtrace /no-target-output /timeout 18000 -- $($victim.Id)
```

Expected remote-follow telemetry:

```text
remote_follow:OpenProcess:<victim pid>
remote_follow:NtCreateThreadEx:<victim pid>
remote_follow:SetThreadContext:<victim pid>
remote_follow:ResumeThread:<victim pid>
```

Optional DLL-load stack in the instrumented victim, when the injected payload reaches the network DLL load:

```text
wininet:
kernelbase.dll|kernelbase.dll|nvwgf2umx.dll|ntdll.dll|ntdll.dll|kernel32.dll|ntdll.dll
```

Clean up the victim if it is still running:
```powershell
Stop-Process -Id $victim.Id -Force
```

sample_17_network_reuse_probe.exe:

```powershell
.\build\StackSentry64.exe /run .\samples\sample_17_network_reuse_probe.exe /max /network-use-trace /no-target-output /timeout 8000
```

Expected network-use stack:

```text
ws2_32.dll!getaddrinfo:
Unbacked
```

Expected detection:

```text
rules: network_api_called_from_unbacked_executable_memory
caller: Unbacked
```