whatisgithub

What is stacksentry?

vith0r/stacksentry — explained in plain English

Analysis updated 2026-05-18

12C++Audience · researcherComplexity · 4/5Setup · hard

In one sentence

A Windows research tool that watches a running process and flags when its call stack looks manipulated to hide where risky code actually loaded from.

Mindmap

A visual breakdown will appear here once this repo is fully enriched.

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Load a suspicious sample in a lab and watch which libraries it loads and from where.

USE CASE 2

Detect call stack spoofing techniques used by loaders and remote access tools.

USE CASE 3

Collect memory dumps, hashes, and structured evidence files for later analysis.

USE CASE 4

Compare this tool's findings against other detection tools during triage.

What is it built with?

C++Windows

How does it compare?

vith0r/stacksentrybigattichouse/packed-twin-inferencecommonmugger/steam-controller-remapper
Stars121212
LanguageC++C++C++
Setup difficultyhardhardmoderate
Complexity4/53/5
Audienceresearcherdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires building and running on Windows with DLL injection into a target process, intended for lab environments only.

So what is it?

StackSentry is a Windows security research tool written in C++ that monitors a running process for suspicious behavior, specifically focusing on how and where code loads network-related libraries and whether the call stack has been manipulated to hide that origin. It is aimed at security researchers and malware analysts working in lab environments, not at production endpoint protection. The tool starts a target process, injects a lightweight monitor DLL into it, and watches for events as they happen. Its central question is: when a library like ws2_32.dll or winhttp.dll gets loaded into a process, what code actually caused that load, and is the call stack showing an honest answer? Malicious loaders, remote access tools, and fileless shellcode sometimes manipulate the call stack using gadgets, threadpool chains, callbacks, or synthetic frames to make the load appear to come from a legitimate location rather than from private memory. StackSentry checks for frames that execute from memory regions not backed by a known image file on disk, frames inside image regions whose live bytes differ from what the file on disk contains, signs of unwind metadata tampering, and other indicators that the reported call origin has been obscured. When it finds something suspicious, it collects memory dumps, hashes, entropy measurements, and structured output files (events.jsonl, summary.json, memory.json) so the analyst can examine the evidence. The tool does not install a kernel driver and does not make persistent changes to the system. The authors describe its output as triage evidence to compare with other tools, not as a definitive verdict. It is still under active development and false positives and false negatives are possible. A gallery of detection examples in the README shows the tool catching known evasion techniques including synthetic call stacks, unwind metadata spoofing, and threadpool callback chains, each demonstrated with purpose-built lab samples.

Copy-paste prompts

Prompt 1
Explain how StackSentry detects call stack spoofing and what a synthetic frame is.
Prompt 2
Walk me through injecting StackSentry's monitor DLL into a target process for lab testing.
Prompt 3
What do the events.jsonl, summary.json, and memory.json output files from StackSentry contain?
Prompt 4
Help me set up a safe lab environment to test StackSentry against a known evasion sample.

Frequently asked questions

What is stacksentry?

A Windows research tool that watches a running process and flags when its call stack looks manipulated to hide where risky code actually loaded from.

What language is stacksentry written in?

Mainly C++. The stack also includes C++, Windows.

How hard is stacksentry to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is stacksentry for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.