Latest Threat ResearchGlassWorm Loader Hits Open VSX via Developer Account Compromise.Details
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

uwd

Package Overview
Dependencies
Maintainers
1
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

uwd

Source
crates.io
Version
0.2.0
Version published
Maintainers
1
Created
Source

uwd 🦀

Rust crate docs Forks Stars License

uwd (Unwind Desynchronizer) is a Rust library for call stack spoofing on Windows, allowing you to execute arbitrary functions with a forged call stack that evades analysis, logging, or detection during stack unwinding.

Inspired by SilentMoonwalk, this crate brings low-level spoofing capabilities into a clean, idiomatic Rust interface with full support for #[no_std], MSVC and GNU toolchains, and automated gadget resolution.

Table of Contents

Features

  • ✅ Call stack spoofing via Synthetic (Simulating a fake stack from scratch) and Desync (Reusing the thread's real stack)
  • ✅ Compatible with both MSVC and GNU toolchains (x86_64)
  • ✅ Inline macros: spoof!, spoof_synthetic!, syscall!, syscall_synthetic!
  • ✅ Supports #[no_std] environments (with alloc)

Installation

Add uwd to your project by updating your Cargo.toml:

cargo add uwd

Usage

uwd allows you to spoof the call stack in Rust when calling either standard Windows APIs or performing indirect syscalls. The library handles the full setup of fake frames, gadget chains, and register preparation to make execution appear as if it came from a legitimate source.

You can spoof:

  • Normal functions (like VirtualAlloc, WinExec, etc.)
  • Native syscalls with automatic SSN and stub resolution (like NtAllocateVirtualMemory)

The macros spoof! / spoof_synthetic! and syscall! / syscall_synthetic! abstract all the complexity.

Spoofing WinExec

This example shows how to spawn calc.exe using a spoofed call stack. We call WinExec twice once using the Desync technique, and again using the Synthetic one.

use dinvk::{GetModuleHandle, GetProcAddress};
use uwd::{spoof, spoof_synthetic};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Resolves addresses of the WinAPI functions to be used
    let kernel32 = GetModuleHandle("kernel32.dll", None);
    let win_exec = GetProcAddress(kernel32, "WinExec", None);
    
    // Execute command with `WinExec`
    // Call Stack Spoofing (Desync)
    let cmd = c"calc.exe";
    let mut result = spoof!(win_exec, cmd.as_ptr(), 1)?;
    if result.is_null() {
        eprintln!("WinExec Failed");
        return Ok(());
    }

    // Call Stack Spoofing (Synthetic)
    result = spoof_synthetic!(win_exec, cmd.as_ptr(), 1)?;
    if result.is_null() {
        eprintln!("WinExec Failed [2]");
        return Ok(());
    }

    Ok(())
}

Spoofing an Indirect Syscall

This example performs a indirect system call to NtAllocateVirtualMemory with a spoofed call stack.

use std::{ffi::c_void, ptr::null_mut};
use uwd::{syscall, syscall_synthetic, AsUwd};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Running indirect syscall with Call Stack Spoofing (Desync)
    let mut addr = null_mut::<c_void>();
    let mut size = (1 << 12) as usize;
    let mut status = syscall!("NtAllocateVirtualMemory", -1isize, addr.as_uwd_mut(), 0, size.as_uwd_mut(), 0x3000, 0x04)? as i32;
    if !(status >= 0) {
        eprintln!("NtAllocateVirtualMemory Failed With Status: {status:#X}");
        return Ok(())
    }

    println!("[+] Address allocated: {:?}", addr);

    // Running indirect syscall with Call Stack Spoofing (Synthetic)
    let mut addr = null_mut::<c_void>();
    let mut size = (1 << 12) as usize;
    status = syscall_synthetic!("NtAllocateVirtualMemory", -1isize, addr.as_uwd_mut(), 0, size.as_uwd_mut(), 0x3000, 0x04)? as i32;
    if !(status >= 0) {
        eprintln!("NtAllocateVirtualMemory Failed With Status [2]: {status:#X}");
        return Ok(())
    }

    println!("[+] Address allocated: {:?}", addr);

    Ok(())
}

Additional Resources

For more examples, check the examples folder in the repository.

Contributing to uwd

To contribute to uwd, follow these steps:

  • Fork this repository.
  • Create a branch: git checkout -b <branch_name>.
  • Make your changes and commit them: git commit -m '<commit_message>'.
  • Push your changes to your branch: git push origin <branch_name>.
  • Create a pull request.

Alternatively, consult the GitHub documentation on how to create a pull request.

References

I want to express my gratitude to these projects that inspired me to create uwd and contribute with some features:

Special thanks to:

License

This project is licensed under the MIT License. See the LICENSE file for details.

FAQs

Package last updated on 08 May 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

The Next Open Source Security Race: Triage at Machine Speed

Security News

The Next Open Source Security Race: Triage at Machine Speed

Claude Opus 4.6 has uncovered more than 500 open source vulnerabilities, raising new considerations for disclosure, triage, and patching at scale.

By Sarah Gooding  -  Feb 06, 2026
Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise

Research

/

Security News

Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise

Malicious dYdX client packages were published to npm and PyPI after a maintainer compromise, enabling wallet credential theft and remote code execution.

By Kush Pandya  -  Feb 06, 2026