ROPInjector: To Convert Shellcode Into ROP

ROPInjector: To Convert Shellcode Into ROP

ROPInjector is a tool by which any shellcode can be converted into ROP and is written in C(Win32). It only supports 32-bit and the x86 instruction set.

ROPInjector is published in Blackhat USA 2015, Abbreviation of "ROPInjector: Return Oriented Programming for Polymorphism and Antivirus Evasion


If you need white paper then go to this link:

•(WhitePaper)


For presentation just need to visit this link:

•(Presentation)


How to Use it:

Usage

ropinjector <file-to-infect> <shellcode-file> <output-file>* [options]*

e.g.
ropinjector.exe firefox.exe revshell.txt

• file-to-infect : any 32-bit, non-packed PE
• shellcode-file : the shellcode to patch in the PE file
• output-file (optional) : The name of the output file. If not specified, ROPInjector will choose a suitable filename indicating the type of injection performed.
• options :


    text        Force reading of shellcode file as text file. Shellcode in text
                form must be in the \xHH\xHH\xHH format.

    norop       Don't transform shellcode to ROP.

    nounroll    Don't unroll SIBs.

    noinj       Don't inject missing gadgets.

    getpc       Don't replace getPC constructs in the shellcode.

    entry       Have shellcode run before the original PE code. Without this
                option, ROPInjector will try to hook calls to ExitProcess(),
                exit() and the like so that the shellcode runs last, right
                before process exit.

    -d<secs>    Number of seconds to Sleep() before executing the shellcode.
                When this option is specified, "entry" is also implicitly used.


The order of output with some comma-delimited stats in the end given by ROPInjector tool are:

• the carrier PE filename
• the output filename of the resulting patched file
• initial size of the PE file in bytes
• size of shellcode in bytes
• size of patch in bytes
• whether unroll is performed
• whether shellcode has been converted to ROP
• whether getPC constructs are replaced in the shellcode
• whether access is given to the shellcode during entry (run first) or during exit (run last)
• the delay the shellcode sleeps before it runs in seconds
• initial number of instructions in the shellcode
• number of instructions in the shellcode after unrolling and other manipulations, but before ROP
• number of instructions replaced by ROP gadgets (out of the ones in the previous metric, and not the initial number of instructions)
• number of gadgets injected
• number of gadget segments
• number of instructions replaced by injected gadgets


LICENSE

The license is under the GPLv2.0, You can also go to this link for further information (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html).

Download