Monday, 22 February 2016

ROPInjector: To Convert Shellcode Into ROP


ROPInjector is a tool that converts any given shellcode into ROP (return-oriented programming) code. It is written in C for Win32 and supports only 32-bit PE files and the x86 instruction set.

ROPInjector was presented at Black Hat USA 2015 under the title "ROPInjector: Return Oriented Programming for Polymorphism and Antivirus Evasion".

The white paper is available at this link:


For the presentation, visit this link:


How to use it:


ropinjector <file-to-infect> <shellcode-file> <output-file>* [options]*

ropinjector.exe firefox.exe revshell.txt

file-to-infect : any 32-bit, non-packed PE
shellcode-file : the shellcode to patch in the PE file
output-file (optional) : The name of the output file. If not specified, ROPInjector will choose a suitable filename indicating the type of injection performed.
options :

    text        Force reading of shellcode file as text file. Shellcode in text
                form must be in the \xHH\xHH\xHH format.

    norop       Don't transform shellcode to ROP.

    nounroll    Don't unroll SIBs.

    noinj       Don't inject missing gadgets.

    getpc       Don't replace getPC constructs in the shellcode.

    entry       Have shellcode run before the original PE code. Without this
                option, ROPInjector will try to hook calls to ExitProcess(),
                exit() and the like so that the shellcode runs last, right
                before process exit.

    -d<secs>    Number of seconds to Sleep() before executing the shellcode.
                When this option is specified, "entry" is also implicitly used.
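As an added example (not part of the original post or of the ROPInjector project), the following Python decodes the \xHH\xHH\xHH text form that the "text" option expects, rejecting anything that is not a complete escape, and returns the byte count that the tool later reports as "size of shellcode in bytes" together with a SHA-256 for the analysis record. The same strict decoding is useful when an analyst carves such a blob out of a script or log. Whitespace tolerance between escapes, the function names and the sample bytes are assumptions of this example, not something the tool documents.

```python
import hashlib
import re

# One token of the text form: either a \xHH escape (group 1 = the hex pair)
# or a run of whitespace. Accepting whitespace between escapes is an
# assumption of this example; the tool only documents \xHH\xHH\xHH.
_TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})|\s+")


def parse_escaped_shellcode(text: str) -> bytes:
    """Decode a \\xHH\\xHH... string into raw bytes.

    Anything that is not a complete escape (a stray character, a truncated
    "\\x9", a "0x41"-style literal) raises ValueError with its offset, so a
    corrupted blob fails loudly instead of decoding to the wrong bytes.
    """
    out = bytearray()
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(
                f"malformed escape at offset {pos}: {text[pos:pos + 4]!r}")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        pos = m.end()
    if not out:
        raise ValueError("no shellcode bytes found")
    return bytes(out)


def to_escaped_text(data: bytes) -> str:
    """Inverse of parse_escaped_shellcode: bytes -> \\xHH\\xHH... text."""
    return "".join(f"\\x{b:02x}" for b in data)


def summarize(data: bytes) -> dict:
    """Size (the figure ROPInjector reports as 'size of shellcode in bytes')
    and a SHA-256 for tracking the blob in an analysis record."""
    return {"size_bytes": len(data), "sha256": hashlib.sha256(data).hexdigest()}


# Constructed sample, not taken from the post: four benign bytes
# (two NOPs, an int3 breakpoint and a ret) in the documented text form.
SAMPLE_TEXT = r"\x90\x90\xCC\xC3"

if __name__ == "__main__":
    blob = parse_escaped_shellcode(SAMPLE_TEXT)
    print(summarize(blob))
    print(to_escaped_text(blob))
```

The tokenizer advances strictly by matched escapes, so a blob that was truncated mid-escape or pasted with a `0x` prefix is reported at the exact offset rather than silently shortened, which matters when the byte count is compared against the size the tool prints.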

At the end of its run, ROPInjector prints a comma-delimited line of statistics, in this order:

the carrier PE filename
the output filename of the resulting patched file
initial size of the PE file in bytes
size of shellcode in bytes
size of patch in bytes
whether unroll is performed
whether shellcode has been converted to ROP
whether getPC constructs are replaced in the shellcode
whether the shellcode is given control at entry (runs first) or at exit (runs last)
the delay, in seconds, before the shellcode runs
initial number of instructions in the shellcode
number of instructions in the shellcode after unrolling and other manipulations, but before ROP
number of instructions replaced by ROP gadgets (out of the ones in the previous metric, and not the initial number of instructions)
number of gadgets injected
number of gadget segments
number of instructions replaced by injected gadgets


The tool is licensed under the GPLv2.0. For further information, go to this link (


