Skip to content

Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.

License

Notifications You must be signed in to change notification settings

danielkrupinski/x86RetSpoof

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

x86RetSpoof Windows

Invoke functions with a spoofed return address. For 32-bit Windows binaries.

How to use

  1. Include x86RetSpoof.h in your project.
  2. Find FF 23 byte sequence (gadget, machine code equivalent of jmp dword ptr [ebx]) in the executable code section of the module you want the spoofed return address to appear in. The address of it will be the gadgetAddress and the invoked function will see it as the return address.
  3. Call the function with x86RetSpoof::invoke...() matching the calling convention of the target function.

Example

Calling MessageBoxW function:

x86RetSpoof::invokeStdcall<int>(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);

About

Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.

Topics

Resources

License

Stars

Watchers

Forks