explaingit

karkas66/lacuna-rs

Analysis updated 2026-05-18

Stars · 12
Language · Rust
Audience · developer
Complexity · 5/5
Setup · hard

TLDR

A Rust library for Windows providing call-stack spoofing and indirect syscalls, used in security research to study and test how EDR tools detect injection techniques.

Mindmap

mindmap
  root((lacuna-rs))
    What it does
      Call stack spoofing
      Indirect syscalls
      Param encryption
    Techniques
      Ghost frame planting
      SSN resolution
      VEH hardware BP
    Targets
      Windows x64
      EDR research
    Tech
      Rust
      Windows NT API
      x64 assembly


What do people build with it?

USE CASE 1

Build a red-team implant in Rust that makes NT syscalls appear to originate from signed Windows DLLs rather than injected code.

USE CASE 2

Resolve Windows system call numbers at runtime without hardcoding them, to avoid signature-based detection in research.

USE CASE 3

Study how call-stack spoofing works on Windows x64 as a defensive researcher analyzing EDR evasion techniques.

USE CASE 4

Test an EDR product's ability to detect indirect syscalls and ghost-frame stack spoofing using the provided examples.

What is it built with?

Rust · Windows API · x64 Assembly

How does it compare?

                   karkas66/lacuna-rs   bigsaltyfishes/wallpaper-engine-for-macos   ganten7/navi
Stars              12                   12                                          12
Language           Rust                 Rust                                        Rust
Setup difficulty   hard                 hard                                        moderate
Complexity         5/5                  4/5                                         3/5
Audience           developer            developer                                   developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Must set force-frame-pointers=yes in .cargo/config.toml for the consuming crate or the stack-spoof feature silently fails or corrupts the stack.

In plain English

lacuna-rs is a Rust library for Windows that implements techniques used in security research and red-team testing to avoid detection by endpoint security software. It is a port of a C tool called LACUNA Chain. The library provides building blocks for crafting indirect system calls and for spoofing the call stack that Windows and security tools inspect when a process makes certain calls to the operating system.

When security software like an endpoint detection and response (EDR) tool monitors a process, it often inspects the call stack: the sequence of code locations that led to a particular action. If a suspicious call appears to come from an unusual location, such as directly from injected code rather than a normal Windows library, an EDR may flag it. This library provides primitives for making such calls appear to originate from legitimate system code by planting fake return addresses from signed Windows DLLs into the call stack before the call is made.

The library also handles resolving system call numbers at runtime (so hardcoded numbers from a specific Windows version are not needed), and encrypting call parameters through a hardware-breakpoint mechanism to further obscure what a call is doing from security hooks.

The README is written for malware researchers, red teamers, and security engineers who understand Windows internals at a low level. It explicitly categorizes which NT API calls benefit most from this treatment and why. Using the stack-spoof feature requires compiling with frame pointers enabled, which is non-default in Rust, and the README explains the exact configuration required. This is a security research and red-team tool intended for authorized penetration testing, defensive research, and EDR evaluation environments.

Copy-paste prompts

Prompt 1
Using Karkas66/lacuna-rs in Rust, show me how to resolve the SSN and syscall,ret address for NtOpenProcess and emit an indirect call stub.
Prompt 2
Walk me through the .cargo/config.toml frame-pointer setting needed to use the stack-spoof feature in lacuna-rs without silently corrupting the stack.
Prompt 3
How does the ghost-frame chain in lacuna-rs work and what Windows DLL regions does build_chain scan for ghost regions?
Prompt 4
Show me how to use lacuna-rs to plant ghost frames, arm VEH parameter encryption, make an indirect syscall, and restore the stack.
Prompt 5
What is the thread-scoring algorithm in lacuna-rs inject_sapc and how does it select the best APC target threads?

Frequently asked questions

What is lacuna-rs?

A Rust library for Windows providing call-stack spoofing and indirect syscalls, used in security research to study and test how EDR tools detect injection techniques.

What language is lacuna-rs written in?

Mainly Rust. The stack also includes the Windows API and x64 assembly.

How hard is lacuna-rs to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is lacuna-rs for?

Mainly developers.



Verify against the repo before relying on details.