Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.

gmh5225/x86RetSpoof

 
 

x86RetSpoof

Invoke functions with a spoofed return address. For 32-bit Windows binaries.

How to use

  1. Include x86RetSpoof.h in your project.
  2. Find the FF 23 byte sequence (the gadget, the machine-code encoding of jmp dword ptr [ebx]) in the executable code section of the module you want the spoofed return address to appear in. Its address is the gadgetAddress, and the invoked function will see it as the return address.
  3. Call the function with x86RetSpoof::invoke...() matching the calling convention of the target function.

Example

Calling MessageBoxW function:

x86RetSpoof::invokeStdcall<int>(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);
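
From the defender's side, the return address the callee sees here points at the FF 23 bytes rather than at the instruction following a call. The check below is an added example, not part of x86RetSpoof: it tests whether a near call encoding ends exactly at a given return address, and all function names and sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed sample bytes (not from any real module); offsets in comments.
const std::uint8_t kSample[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,        //  0: call rel32
    0x85, 0xC0,                          //  5: test eax, eax
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00,  //  7: call dword ptr [0x401000]
    0x90,                                // 13: nop
    0x33, 0xC0,                          // 14: xor eax, eax
    0xFF, 0x23,                          // 16: jmp dword ptr [ebx]
    0xC3                                 // 18: ret
};

// True when the bytes at `off` are FF 23 (jmp dword ptr [ebx]).
bool isJmpEbxGadget(const std::uint8_t* code, std::size_t size, std::size_t off) {
    return off + 1 < size && code[off] == 0xFF && code[off + 1] == 0x23;
}

// Length of an FF /2 (indirect near call) at p, 32-bit addressing; 0 if p is not one.
std::size_t indirectCallLength(const std::uint8_t* p, std::size_t avail) {
    if (avail < 2 || p[0] != 0xFF || ((p[1] >> 3) & 7) != 2) return 0;
    const unsigned mod = p[1] >> 6, rm = p[1] & 7;
    std::size_t len = 2;
    if (mod == 3) return len;                        // call reg
    if (rm == 4) {                                   // SIB byte follows ModRM
        if (avail < 3) return 0;
        ++len;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;   // SIB base with disp32
    }
    if (mod == 0 && rm == 5) len += 4;               // [disp32]
    if (mod == 1) len += 1;                          // disp8
    if (mod == 2) len += 4;                          // disp32
    return len;
}

// True when a near CALL encoding ends exactly at `ret`, as for a genuine return
// address. Heuristic only: unrelated bytes can coincidentally look like a call.
bool precededByCall(const std::uint8_t* code, std::size_t size, std::size_t ret) {
    if (ret > size) return false;
    if (ret >= 5 && code[ret - 5] == 0xE8) return true;  // call rel32
    const std::size_t lens[] = {2, 3, 4, 6, 7};          // possible FF /2 lengths
    for (std::size_t len : lens)
        if (ret >= len && indirectCallLength(code + ret - len, len) == len) return true;
    return false;
}

// A return address that no call instruction could have pushed.
bool suspiciousReturnAddress(const std::uint8_t* code, std::size_t size, std::size_t ret) {
    return !precededByCall(code, size, ret);
}
```

In the sample, offsets 5 and 13 follow real calls and pass, while offset 16 (the FF 23 bytes) is flagged.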


Languages

  • C++ 95.6%
  • CMake 4.4%