Black Hat Europe 2025 | Ghost In The Stack: Evolving Call Stack Spoofing In A Post-CET Era

Stack spoofing is a sophisticated technique that manipulates a thread's call stack so that code execution appears to originate from a different, benign location. In 2023, with StackMoonwalk, we presented a novel approach to this that slipped through common stack-based detection logic. Since then, we've watched defenders build on that research to expand telemetry and design more robust detectors. At the same time, we've seen increased adoption of hardware-backed mitigations (HSP|CET), which could offer another source of truth to spot this technique. Two years later, we asked ourselves whether it was finally time for stack spoofing to die. Well... it wasn't. The talk begins in today's non-HSP environments, exploring modern detection frameworks built on call stack analysis and showing how fragile assumptions make them easy to bypass in practice. As proof, we introduce a new technique based on Moonwalk and a new primitive, proxy frames, to exploit these gaps. However, as clever as these methods are, their ROP-based primitives are welcomed by a crash the moment HSP/CET comes into play. This pushed our research back to square one: could stack spoofing be rebuilt to survive CET enforcement? The result is the first known CET-compliant stack spoofing framework (BYOUD), delivered in three functional variants across distinct execution architectures. We first demonstrate how the framework can alter call stack resolution without triggering CP exceptions and then introduce the State-Driven Indirect Execution Architecture (SDIE), which takes the concept further to achieve a full HSP bypass. We will conclude our talk by outlining the key lessons learned throughout this research: why overreliance on any single, emerging mitigation is dangerous, and how fragile design assumptions in detection logic can turn into blind spots. We will also provide concrete strategies and countermeasures so defenders can build stronger, more resilient detection capable of catching the presented techniques. By: Alessandro Magnosi | Senior Security Consultant, SpecterOps https://blackhat.com/eu-25/briefings/...

Black Hat Europe 2025 | Breaking AI Inference Systems: Lessons From Pwn2Own Berlin
▶︎

Black Hat Europe 2025 | Breaking AI Inference Systems: Lessons From Pwn2Own Berlin

Zig 2026: No-AI Policy, $670K Foundation, Left GitHub & Why Zig Isn’t 1.0 - Andrew Kelley Explains
▶︎

Zig 2026: No-AI Policy, $670K Foundation, Left GitHub & Why Zig Isn’t 1.0 - Andrew Kelley Explains

Keynote: After the AI Hype – What’s Real, and What’s Next - Richard Campbell - 2026
▶︎

Keynote: After the AI Hype – What’s Real, and What’s Next - Richard Campbell - 2026

DEF CON 33 - Kill List: Hacking an Assassination Site on the Dark Web - Carl Miller, Chris Monteiro
▶︎

DEF CON 33 - Kill List: Hacking an Assassination Site on the Dark Web - Carl Miller, Chris Monteiro

Attacking AI - Jason Haddix - NDC Security 2026
▶︎

Attacking AI - Jason Haddix - NDC Security 2026

Violence Expert: Real Self-Defense Is TERRIFYING
▶︎

Violence Expert: Real Self-Defense Is TERRIFYING

Software architecture, human judgment, and AI's limits with Grady Booch
▶︎

Software architecture, human judgment, and AI's limits with Grady Booch

THESE Apps Are SPYING on You — Shut Them Off NOW!
▶︎

THESE Apps Are SPYING on You — Shut Them Off NOW!

The AI Story Is Collapsing (Thanks To China)
▶︎

The AI Story Is Collapsing (Thanks To China)

Android 17 sucks. So I put Linux on a phone.
▶︎

Android 17 sucks. So I put Linux on a phone.

When Stupid Cops Mess With FBI Agent
▶︎

When Stupid Cops Mess With FBI Agent

Co-Creator of Haskell: Functional Programming, Thinking in Types, Useless Languages | Simon Jones
▶︎

Co-Creator of Haskell: Functional Programming, Thinking in Types, Useless Languages | Simon Jones

The Big Short (2015): The Jenga Scene – Explaining the Financial Collapse
▶︎

The Big Short (2015): The Jenga Scene – Explaining the Financial Collapse

Something is jamming GPS over Europe. Here's what we found
▶︎

Something is jamming GPS over Europe. Here's what we found

Don't Hang Up On AI Scammers. Do THIS Instead.
▶︎

Don't Hang Up On AI Scammers. Do THIS Instead.

Black Hat Europe 2025 | How We Turned AI's 'Web Browsing' Into A Gateway For Targeting 1B+ Users
▶︎

Black Hat Europe 2025 | How We Turned AI's 'Web Browsing' Into A Gateway For Targeting 1B+ Users

Is the AfD a threat to Germany? Mehdi Hasan & Maximilian Krah | Head to Head
▶︎

Is the AfD a threat to Germany? Mehdi Hasan & Maximilian Krah | Head to Head

Ilya Sutskever – We're moving from the age of scaling to the age of research
▶︎

Ilya Sutskever – We're moving from the age of scaling to the age of research

How to See Every Phone on a Cell Tower (LTE Recon)
▶︎

How to See Every Phone on a Cell Tower (LTE Recon)

The Story of C++: The World's Most Consequential Programming Language | The Official Story
▶︎

The Story of C++: The World's Most Consequential Programming Language | The Official Story