Load a suspicious sample in a lab and watch which libraries it loads and from where.
Detect call stack spoofing techniques used by loaders and remote access tools.
Collect memory dumps, hashes, and structured evidence files for later analysis.
Compare this tool's findings against other detection tools during triage.
| vith0r/stacksentry | bigattichouse/packed-twin-inference | commonmugger/steam-controller-remapper | |
|---|---|---|---|
| Stars | 12 | 12 | 12 |
| Language | C++ | C++ | C++ |
| Setup difficulty | hard | hard | moderate |
| Complexity | 4/5 | — | 3/5 |
| Audience | researcher | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires building and running on Windows with DLL injection into a target process, intended for lab environments only.
StackSentry is a Windows security research tool written in C++ that monitors a running process for suspicious behavior, specifically focusing on how and where code loads network-related libraries and whether the call stack has been manipulated to hide that origin. It is aimed at security researchers and malware analysts working in lab environments, not at production endpoint protection. The tool starts a target process, injects a lightweight monitor DLL into it, and watches for events as they happen. Its central question is: when a library like ws2_32.dll or winhttp.dll gets loaded into a process, what code actually caused that load, and is the call stack showing an honest answer? Malicious loaders, remote access tools, and fileless shellcode sometimes manipulate the call stack using gadgets, threadpool chains, callbacks, or synthetic frames to make the load appear to come from a legitimate location rather than from private memory. StackSentry checks for frames that execute from memory regions not backed by a known image file on disk, frames inside image regions whose live bytes differ from what the file on disk contains, signs of unwind metadata tampering, and other indicators that the reported call origin has been obscured. When it finds something suspicious, it collects memory dumps, hashes, entropy measurements, and structured output files (events.jsonl, summary.json, memory.json) so the analyst can examine the evidence. The tool does not install a kernel driver and does not make persistent changes to the system. The authors describe its output as triage evidence to compare with other tools, not as a definitive verdict. It is still under active development and false positives and false negatives are possible. A gallery of detection examples in the README shows the tool catching known evasion techniques including synthetic call stacks, unwind metadata spoofing, and threadpool callback chains, each demonstrated with purpose-built lab samples.
A Windows research tool that watches a running process and flags when its call stack looks manipulated to hide where risky code actually loaded from.
Mainly C++. The stack also includes C++, Windows.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.