thyrn90/eulogy

GitHub: thyrn90/eulogy

Stars: 0 | Forks: 0

# EULOGY 🪦

[![Language](https://img.shields.io/badge/Language-C++17-00599C.svg?style=flat-square&logo=c%2B%2B)]() [![Dependencies](https://img.shields.io/badge/Dependencies-Zero-brightgreen.svg?style=flat-square)]() [![Status](https://img.shields.io/badge/Status-Active-red.svg?style=flat-square)]() [![Author](https://img.shields.io/badge/Author-thyrn90-black.svg?style=flat-square)]()

**Zero-Dependency x64 Call Stack Unwinder & Micro-Debugger**

## ⚙️ The Arsenal (Core Features)

* **Zero-Dependency Hex Dumping:** Eulogy extracts and prints the raw 15-byte x64 instruction window (opcodes) directly from the target's memory. Because the bytes come from the live process image rather than the file on disk, code that was packed or encrypted on disk is visible once it has been unpacked in memory, and no external disassembler library is needed to get immediate context.
* **Chained Unwind Navigation:** Heavily optimized C++ libraries (such as ucrtbase.dll) split a function's unwind data across multiple entries. Eulogy follows UNW_FLAG_CHAININFO chains and honours RBP frame pointers to navigate these Microsoft CRT bottlenecks without crashing.
* **L1 Stack Caching (Zero Syscall Overhead):** Instead of paying a Ring-3 to Ring-0 context switch (ReadProcessMemory) for every stack slot, Eulogy bulk-reads the stack in 4KB chunks into a local cache, with a guard-page fallback, and serves subsequent reads from its own memory.
* **O(log n) Binary Search:** Locates the exact RUNTIME_FUNCTION entry within the .pdata directory in milliseconds, avoiding an O(n) linear scan on large executables.
* **Strict RAII & ABI Alignment:** Built with absolute respect for the Windows x64 ABI. CPU contexts are declared alignas(16) to prevent silent ERROR_NOACCESS API failures, and thread handles are strictly managed to prevent zombie locks.

## 📸 Visual Proof (The Autopsy)

![Eulogy Call Stack Trace](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/be0bea8aac132043.png)

## 🚀 Quick Start (Compilation & Usage)

Eulogy requires no external package managers. It uses pure Windows APIs.

1. **Compile the Source:** Using MinGW / GCC (ensure the C++17 standard is enabled):

   ```bash
   g++ -std=c++17 -O2 main.cpp -o eulogy.exe -ldbghelp
   ```

   (Note: dbghelp is linked only to resolve human-readable symbol names, not to perform the actual stack unwinding.)

2. **Execute the Trace:** Find your target's Process ID (PID) and pass it to Eulogy:

   ```bash
   ./eulogy.exe
   ```

## 🧠 Architectural Limitations (Trade-offs)

A professional tool acknowledges its boundaries. Eulogy is built for speed and stealth, which comes with inherent architectural trade-offs:

* **Header Stomping Vulnerability:** Eulogy relies on VirtualQueryEx to locate the AllocationBase and then parses the DOS/NT headers (MZ/PE) from there. If the target malware uses aggressive Reflective DLL Injection or actively wipes its own headers from memory (header stomping), the .pdata directory cannot be located.
* **OS-Level Deadlocks:** Eulogy uses SuspendThread to capture the CPU context. If the target thread is suspended while holding a critical OS lock (e.g., inside the Windows Heap Manager), it may cause a deadlock. This is an unavoidable reality of user-mode (Ring-3) debugging.
* **Stripped Symbols:** Eulogy will still calculate the RVA and dump the raw opcodes, but function names are shown as the placeholder UnknownFunction if the target has no accompanying PDB file.

## ⚖️ License

This project is licensed under the MIT License - see the LICENSE file for details.
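The O(log n) .pdata lookup and the UNW_FLAG_CHAININFO walk listed under Core Features, as an added illustration that is not Eulogy's own source (which this page does not show): it runs offline against a constructed in-memory image, and the struct names, helper functions and sample RVAs are assumptions. Every read is bounds-checked and the chain walk is capped, which is the handling a tool needs when the target's unwind data is stomped or corrupt.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>
struct RuntimeFunction { uint32_t BeginAddress, EndAddress, UnwindInfoAddress; };  // x64 .pdata entry, all RVAs
struct UnwindHeader { uint8_t VersionFlags, SizeOfProlog, CountOfCodes, FrameRegOffset; };  // first 4 bytes of UNWIND_INFO
constexpr uint8_t UNW_FLAG_CHAININFO = 0x4;  // flags live in the top 5 bits of VersionFlags
constexpr int kMaxChainHops = 32;            // cap the walk so a corrupt or cyclic chain cannot hang the tool

// Read a POD struct at an RVA from a flat copy of the image, refusing out-of-bounds reads.
template <typename T> std::optional<T> readAt(const std::vector<uint8_t>& image, uint32_t rva) {
    if (rva > image.size() || image.size() - rva < sizeof(T)) return std::nullopt;
    T out; std::memcpy(&out, image.data() + rva, sizeof(T)); return out;
}

// O(log n): .pdata is sorted by BeginAddress; nullopt means a gap or a leaf function with no entry.
std::optional<RuntimeFunction> findRuntimeFunction(const std::vector<RuntimeFunction>& pdata, uint32_t rva) {
    std::size_t lo = 0, hi = pdata.size();
    while (lo < hi) {
        std::size_t mid = lo + (hi - lo) / 2;
        if (rva < pdata[mid].BeginAddress) hi = mid; else if (rva >= pdata[mid].EndAddress) lo = mid + 1; else return pdata[mid];
    }
    return std::nullopt;
}

// Follow UNW_FLAG_CHAININFO links to the primary entry: the chained RUNTIME_FUNCTION follows the
// unwind-code array, which the ABI pads to an even number of 2-byte slots.
std::optional<RuntimeFunction> resolvePrimary(const std::vector<uint8_t>& image, RuntimeFunction fn) {
    for (int hop = 0; hop < kMaxChainHops; ++hop) {
        auto hdr = readAt<UnwindHeader>(image, fn.UnwindInfoAddress);
        if (!hdr) return std::nullopt;                                        // unwind info outside the image
        if (((hdr->VersionFlags >> 3) & UNW_FLAG_CHAININFO) == 0) return fn;  // reached the primary entry
        uint32_t codesBytes = ((hdr->CountOfCodes + 1u) & ~1u) * 2u;
        auto next = readAt<RuntimeFunction>(image, fn.UnwindInfoAddress + 4 + codesBytes);
        if (!next) return std::nullopt; fn = *next;
    }
    return std::nullopt;  // chain too long: treat as corrupt rather than loop forever
}

// Constructed sample (not from a real binary): one function split into a chained fragment, CRT-style.
struct Sample { std::vector<uint8_t> image; std::vector<RuntimeFunction> pdata; };
Sample buildSample() {
    Sample s; s.image.assign(0x3000, 0);
    const uint8_t primaryHdr[] = {0x01, 0x08, 0x02, 0x00, 0x42, 0x00, 0x01, 0x50};  // v1, flags 0, 2 codes
    const uint8_t chainedHdr[] = {0x21, 0x00, 0x00, 0x00};  // v1, flags = UNW_FLAG_CHAININFO, 0 codes
    RuntimeFunction primary{0x1000, 0x1050, 0x2000};
    std::memcpy(&s.image[0x2000], primaryHdr, sizeof primaryHdr);
    std::memcpy(&s.image[0x2010], chainedHdr, sizeof chainedHdr);
    std::memcpy(&s.image[0x2014], &primary, sizeof primary);  // the fragment's chained entry -> primary
    s.pdata = {primary, {0x1050, 0x1080, 0x2010}, {0x1080, 0x1100, 0x2020}};
    return s;
}
```

Looking up an RVA inside the fragment (0x1050-0x1080) finds the fragment's entry, and resolvePrimary then lands on the primary entry at 0x1000, which is the frame Eulogy needs for the real unwind codes.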