A memory scanning evasion technique
Switch branches/tags
Nothing to show
Clone or download
JLospinoso Merge pull request #10 from ccooper21/rop_gadget_search
[Issue #9] Search for the ROP gadget in "mshtml.dll" at run-time instead of using hard coded offsets
Latest commit 38416e4 May 23, 2017
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Draft images Mar 4, 2017
Gargoyle.sln Windows x86 POC Mar 4, 2017
Gargoyle.vcxproj [Issue #9] Search for the ROP gadget in "mshtml.dll" at run-time instead May 23, 2017
Gargoyle.vcxproj.filters Upgrading to VS2017 Mar 8, 2017
LICENSE
README.md Merge branch 'master' of github.com:jlospinoso/gargoyle Mar 8, 2017
gadget.nasm
gargoyle.png
infographic.png
infographic_web.png 800px Mar 4, 2017
main.cpp [Issue #9] Search for the ROP gadget in "mshtml.dll" at run-time instead May 23, 2017
setup.nasm Improving comment Mar 4, 2017
title.png

README.md

gargoyle title

gargoyle infographic

Building gargoyle

gargoyle is only implemented for 32-bit Windows (64-bit Windows on Windows is fine). You must have the following installed:

  • Visual Studio: 2017 Community is tested, but it may work for other versions.
  • Netwide Assembler v2.12.02 x64 is tested, but it may work for other versions. Make sure nasm.exe is on your path.

Clone gargoyle:

git clone https://github.com/JLospinoso/gargoyle.git

Open Gargoyle.sln, build, and run. There is some harness code in main.cpp that configures the following three components:

  • gargoyle stack trampoline, stack, and configuration (read/write memory on the heap)
  • gargoyle position independent code (PIC) that receives the ROP gadget/stack trampoline and runs arbitrary code
  • A ROP gadget. If you have mshtml.dll, gargoyle will load it into memory and use it. If it is not available, you will have to tell gargoyle to allocate its own (3-byte) ROP gadget on the heap:
// main.cpp
auto use_mshtml{ true };
auto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);

Every 15 seconds, gargoyle will pop up a message box. When you click ok, gargoyle sets up the tail calls to mark itself non-executable and to wait for the timer. For fun, use Sysinternals's excellent VMMap tool to examine when gargoyle's PIC is executable. If a message box is active, gargoyle will be executable. If it is not, gargoyle should not be executable. The PIC's address is printed to stdout just before the harness calls into the PIC.

More information

See the blog post available at lospi.net for more information.

Also feel free to hop on gitter: Join the chat at https://gitter.im/grgyl/Lobby