A new version of SindriKit (1.3.0) introduces advanced techniques designed to evade modern Endpoint Detection and Response (EDR) solutions.
Earlier versions focused on using indirect system calls to bypass user-mode API hooks. However, today’s EDR platforms have evolved and now analyze call stacks, Event Tracing for Windows (ETW), and execution flow to identify suspicious behavior.
To counter these detection methods, SindriKit 1.3.0 adds dynamic call stack spoofing, allowing malicious execution to appear as though it originated from legitimate Windows components.
How the Technique Works
Modern EDR solutions don’t just monitor API calls—they also inspect the execution path that leads to a system call.
Even when malware invokes a legitimate Windows function, security products can detect abnormal return addresses or unexpected call chains, revealing malicious activity.
SindriKit 1.3.0 addresses this by generating a legitimate-looking call stack before executing a system call.
The framework performs several steps automatically, including:
- Parsing Windows exception handling information.
- Identifying legitimate functions with large stack allocations (“Fat Frames”).
- Selecting trusted return addresses from Windows modules.
- Randomizing stack layouts to avoid predictable execution patterns.
This allows the execution flow to closely resemble normal Windows behavior.
Call Stack Layout
Researchers explained that SindriKit’s MASM-based loader builds a carefully crafted JMP trampoline that creates a legitimate-looking call stack. This enables the execution flow to appear normal to both the Windows processor and EDR solutions that analyze call stacks.
; Top-of-stack spoofing layout
mov [rsp+0], r8 ; Trampoline Gadget (RET in Fat Frame)
lea rax, SyscallCleanup
mov [rsp+8], rax ; True return address (payload cleanup)
mov rax, [rbp+16] ; Original caller return address
mov [rsp+r12+8], rax ; r12 = spoof_frame_size
Instead of returning directly to attacker-controlled memory, execution passes through legitimate Windows stack frames. This makes the call chain appear more consistent during analysis and reduces the likelihood of detection by security products that inspect stack behavior.
Randomization Improves Stealth
Another key enhancement in SindriKit 1.3.0 is the use of randomization.
Rather than using the same stack layout every time, the framework dynamically selects different legitimate functions during execution.
This helps ensure that each system call follows a slightly different path, making behavioral detection more difficult and reducing the effectiveness of static call stack signatures.
After the system call finishes, execution first returns to the Trampoline Gadget, which immediately redirects control to SyscallCleanup inside the payload.
At the same time, Windows rebuilds the call stack using its exception handling information, making the execution path appear legitimate during stack analysis. This helps the spoofed call stack blend in with normal Windows activity.
On 64-bit (x64) systems, SindriKit dynamically creates this spoofed call stack for each execution. On 32-bit (x86) systems, where the required exception metadata is unavailable, the framework instead relies on predefined Windows functions and trusted return instructions to achieve a similar result.
Security Recommendations
Organizations should strengthen their defenses against advanced EDR evasion techniques by:
- Keeping EDR and endpoint security solutions up to date.
- Monitoring abnormal syscall and process execution behavior.
- Detecting unusual memory manipulation and call stack anomalies.
- Enabling ETW and behavioral monitoring where supported.
- Combining multiple detection methods instead of relying solely on signature-based protection.
- Regularly reviewing endpoint telemetry for suspicious activity.
The release of SindriKit 1.3.0 demonstrates how offensive security techniques continue to evolve alongside defensive technologies. As attackers adopt increasingly sophisticated evasion methods, organizations should focus on layered detection strategies and behavioral analysis to identify threats that traditional security mechanisms may overlook.