Analysis updated 2026-05-18
Build a red-team implant in Rust that makes NT syscalls appear to originate from signed Windows DLLs rather than injected code.
Resolve Windows system call numbers at runtime rather than hardcoding build-specific values, so the code works across Windows versions and carries no static syscall-number constants for a signature to key on.
Study how call-stack spoofing works on Windows x64 as a defensive researcher analyzing EDR evasion techniques.
Test an EDR product's ability to detect indirect syscalls and ghost-frame stack spoofing using the provided examples.
| | karkas66/lacuna-rs | bigsaltyfishes/wallpaper-engine-for-macos | ganten7/navi |
|---|---|---|---|
| Stars | 12 | 12 | 12 |
| Language | Rust | Rust | Rust |
| Setup difficulty | hard | hard | moderate |
| Complexity | 5/5 | 4/5 | 3/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Set `-C force-frame-pointers=yes` in the build rustflags of the consuming crate's `.cargo/config.toml` (the crate that produces the final binary, not only the library); without it the stack-spoof feature silently fails or corrupts the stack.
lacuna-rs is a Rust library for Windows that implements techniques used in security research and red-team testing to avoid detection by endpoint security software. It is a port of a C tool called LACUNA Chain. The library provides building blocks for crafting indirect system calls and for spoofing the call stack that Windows and security tools inspect when a process makes certain calls to the operating system.

When an endpoint detection and response (EDR) tool monitors a process, it often inspects the call stack: the sequence of return addresses that led to a particular action. If a sensitive call appears to come from an unusual location, such as directly from injected code rather than from a Windows library, the EDR may flag it. This library provides primitives for making such calls appear to originate from legitimate system code by planting fake return addresses from signed Windows DLLs into the call stack before the call is made. It also resolves system call numbers at runtime, so hardcoded numbers tied to one Windows build are not needed, and can encrypt call parameters through a hardware-breakpoint mechanism so that user-mode hooks see less of what a call is doing.

The README is written for malware researchers, red teamers, and security engineers who understand Windows internals at a low level. It explicitly categorizes which NT API calls benefit most from this treatment and why. Using the stack-spoof feature requires compiling with frame pointers enabled, which is not the Rust default, and the README explains the exact configuration required. This is a security research and red-team tool intended for authorized penetration testing, defensive research, and EDR evaluation environments.
A Rust library for Windows providing call-stack spoofing and indirect syscalls, used in security research to study and test how EDR tools detect injection techniques.
Mainly Rust; the stack also includes the Windows API and x64 assembly.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly developer.
Verify against the repo before relying on details.