BYOUD

March 15, 2026 · View on GitHub

BYOUD is a framework for x64 stack spoofing on Windows. It tackles a complete opposite approach from classic stack spoofing, manipulating unwind metadata to hide arbitrary chunks of the call chain in debuggers and EDRs.

For a full technical breakdown of how it works, see the blog post.


Techniques

#NameDescription
1UNWIND_DATA_TAMPERModifies the target function's UNWIND_INFO in place to expand the frame size
2UNWIND_DATA_HIJACKReplaces the UnwindData RVA of the target's RUNTIME_FUNCTION with a donor's
3RT_FUNCTION_HIJACKHijacks an existing .pdata entry to cover the shellcode's address range
4RT_FUNCTION_INJECTAppends a new RUNTIME_FUNCTION and UNWIND_INFO to the module's exception directory
5RTFI_JIT_SYSINFORMERRegisters a dynamic RUNTIME_FUNCTION via RtlAddFunctionTable with cache bypass — visible to SystemInformer
6RTFI_JIT_WINDBGSame as above with additional LdrpInvertedFunctionTable manipulation — visible to WinDbg
7RTFI_JIT_NORMAL_VARegisters a dynamic RUNTIME_FUNCTION for shellcode in a plain VirtualAlloc'd region

Techniques 1–4 and 7 work correctly regardless of /GS compilation settings. Techniques 5 and 6 have known issues when the calling DLL is compiled with stack cookies. Compile with /GS- to avoid this.


Components

byoud.dll — the framework. Exposes ShieldedExecution (runs a technique end-to-end) and CallGate (the assembly stub copied into target modules).

udinject.exe — test harness for exercising the framework, inspecting stack traces, and validating unwind behavior across techniques.


For everything else, see the blog post.

References and Acknowledgements