Crate uwd 

uwd

Rust library for call stack spoofing on Windows, allowing you to execute arbitrary functions with a forged call stack that evades analysis, logging, or detection during stack unwinding.

Inspired by SilentMoonwalk, this crate brings low-level spoofing capabilities into a clean, idiomatic Rust interface with full support for #[no_std], MSVC and GNU toolchains, and automated gadget resolution.

Features

• ✅ Call stack spoofing via Synthetic and Desync.
• ✅ Compatible with both MSVC and GNU toolchains (x64).
• ✅ Inline macros: spoof! / syscall!.
• ✅ Supports #[no_std] environments (with alloc).

To enable Desync mode, activate the desync feature in your project, the macros will automatically use Desync behavior when the feature is enabled.

Getting started

Add uwd to your project by updating your Cargo.toml:

cargo add uwd

Usage

uwd allows you to spoof the call stack in Rust when calling either standard Windows APIs or performing indirect syscalls. The library handles the full setup of fake frames, gadget chains, and register preparation to make execution appear as if it came from a legitimate source.

You can spoof:

• Normal functions (like VirtualAlloc, WinExec, etc.)
• Native syscalls with automatic SSN and stub resolution (like NtAllocateVirtualMemory)

Spoofing WinExec

This example shows how to spawn calc.exe using a spoofed call stack. We call WinExec twice once using the Desync technique, and again using the Synthetic one.

use dinvk::module::{get_module_address, get_proc_address};
use uwd::spoof;

// Resolves addresses of the WinAPI functions to be used
let kernel32 = get_module_address("kernel32.dll", None);
let win_exec = get_proc_address(kernel32, "WinExec", None);

// Execute command with `WinExec`
let cmd = c"calc.exe";
let mut result = spoof!(win_exec, cmd.as_ptr(), 1)?;
if result.is_null() {
    eprintln!("WinExec Failed");
    return Ok(());
}

Spoofing an Indirect Syscall

This example performs a indirect system call to NtAllocateVirtualMemory with a spoofed call stack.

use std::{ffi::c_void, ptr::null_mut};
use dinvk::winapis::NT_SUCCESS;
use uwd::{syscall, AsPointer};

// Running indirect syscall with Call Stack Spoofing
let mut addr = null_mut::<c_void>();
let mut size = (1 << 12) as usize;
let mut status = syscall!("NtAllocateVirtualMemory", -1isize, addr.as_ptr_mut(), 0, size.as_ptr_mut(), 0x3000, 0x04)? as i32;
if !NT_SUCCESS(status) {
    eprintln!("[-] NtAllocateVirtualMemory Failed With Status: {status:#X}");
    return Ok(())
}

println!("[+] Address allocated: {:?}", addr);

References

I want to express my gratitude to these projects that inspired me to create uwd and contribute with some features:

• SilentMoonwalk

Special thanks to:

• Kudaes
• Klez
• Waldo-IRC
• Trickster0
• namazso

License

uwd is licensed under either of

• Apache License, Version 2.0, (LICENSE-APACHE or https://www.apache.org/licenses/LICENSE-2.0)
• MIT license (LICENSE-MIT or https://opensource.org/licenses/MIT)

at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in uwd by you, as defined in the Apache-2.0 license, shall be dually licensed as above, without any additional terms or conditions.

Macros

spoof

Invokes a function using a synthetic spoofed call stack.

syscall

Invokes a Windows native syscall using a spoofed stack.

Enums

SpoofKind

Specifies the spoofing mode used by the engine.

Traits

AsPointer

Trait for safely converting any reference or mutable reference into a raw pointer usable in spoofing routines.

Functions

ignoring_set_fpreg

Computes the total stack frame size of a function while ignoring any setfp frames. Useful for identifying spoof-compatible RUNTIME_FUNCTION entries.

rbp_offset

Determines whether RBP is pushed or saved in a spoof-compatible manner and computes the total stack size for a function.

stack_frame

Computes stack frame metadata while rejecting setfp frames.