https://bigbingus.com/posts/Recent content in Posts on bigbingus.comHugo -- gohugo.ioen-usWed, 13 May 2026 00:00:00 -0500https://bigbingus.com/posts/stop-being-weird/Wed, 13 May 2026 00:00:00 -0500https://bigbingus.com/posts/stop-being-weird/<h2 id="background">Background</h2> <p>For the past few weeks I&rsquo;ve been experimenting with Control Flow Enforcement Technology (CET) mitigations and Elastic&rsquo;s call stack spoofing detections. Specifically their <a href="https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_api_call_via_jump_rop_gadget.toml">API Call via Jump ROP Gadget</a>, <a href="https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_stack_spoofing_via_rop_gadget_for_dll_load.toml">Stack Spoofing via ROP Gadget for Dll Load</a> and <a href="https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_stack_spoofing_via_rop_gadget_for_memory_api.toml">Stack Spoofing via ROP Gadget for Memory API</a> rules and I wanted to share my understanding of the current situation and a potential way forward.</p> <p><em>Code: <a href="https://github.com/Sizeable-Bingus/MassDriver">github.com/Sizeable-Bingus/MassDriver</a></em></p> <p><em>There are multiple ways of spoofing a call stack but I will be referring to what I see to be the most common which is gadget-based with synthetic frames.</em></p>