Windows ROP
VirtualAlloc can allocate memory or change the permissions on an existing region.
```c
LPVOID WINAPI VirtualAlloc(
    _In_opt_ LPVOID lpAddress,
    _In_     SIZE_T dwSize,
    _In_     DWORD  flAllocationType,
    _In_     DWORD  flProtect
);
```
- The function's address in kernel32 can be fetched from a module's IAT (import address table) at runtime.
```c
BOOL WriteProcessMemory(
    HANDLE  hProcess,
    LPVOID  lpBaseAddress,
    LPCVOID lpBuffer,
    SIZE_T  nSize,
    SIZE_T  *lpNumberOfBytesWritten
);
```
WriteProcessMemory automatically makes the target page writable, so it is possible to copy to an RX page and then jump there.
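From the detection side, both calls described above show up with recognizable arguments in an API-call trace. The following is an added example, not part of the original page: it scans constructed trace records for a VirtualAlloc that requests writable and executable memory and for a WriteProcessMemory into an executable page of the calling process. The record layout, field names and sample addresses are assumptions for illustration, not the schema of any particular tool.

```python
# Added example: flag the two call patterns from this page in an API-call trace.
# The record format (dicts with "api" and "args") is an assumption, not a real tool's schema.

# Memory-protection constants from the Windows SDK (winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
ANY_EXEC = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
CURRENT_PROCESS = 0xFFFFFFFFFFFFFFFF  # pseudo-handle (HANDLE)-1 on 64-bit


def protection_at(regions, addr):
    """Return the protection of the region containing addr, or 0 if unknown."""
    for base, size, prot in regions:
        if base <= addr < base + size:
            return prot
    return 0


def scan(trace, regions):
    """Return (index, reason) for every suspicious call in the trace."""
    findings = []
    for i, rec in enumerate(trace):
        a = rec["args"]
        if rec["api"] == "VirtualAlloc" and a["flProtect"] & PAGE_EXECUTE_READWRITE:
            # A non-NULL lpAddress names a specific range, possibly one already committed.
            where = "caller-chosen address" if a["lpAddress"] else "system-chosen address"
            findings.append((i, f"VirtualAlloc requests RWX memory at {where}"))
        elif rec["api"] == "WriteProcessMemory" and a["hProcess"] == CURRENT_PROCESS:
            # A process writing into its own executable page is the pattern noted above.
            if protection_at(regions, a["lpBaseAddress"]) & ANY_EXEC:
                findings.append((i, "WriteProcessMemory into own executable page"))
    return findings


# Constructed sample data: one RX image section, one RW heap block, four calls.
REGIONS = [(0x7FF600001000, 0x5000, PAGE_EXECUTE_READ), (0x1A0000, 0x10000, PAGE_READWRITE)]
TRACE = [
    {"api": "VirtualAlloc", "args": {"lpAddress": 0, "dwSize": 0x1000, "flAllocationType": 0x3000, "flProtect": 0x04}},
    {"api": "VirtualAlloc", "args": {"lpAddress": 0x1A2000, "dwSize": 0x1000, "flAllocationType": 0x1000, "flProtect": 0x40}},
    {"api": "WriteProcessMemory", "args": {"hProcess": CURRENT_PROCESS, "lpBaseAddress": 0x1A0100, "nSize": 64}},
    {"api": "WriteProcessMemory", "args": {"hProcess": CURRENT_PROCESS, "lpBaseAddress": 0x7FF600002000, "nSize": 64}},
]

if __name__ == "__main__":
    for idx, reason in scan(TRACE, REGIONS):
        print(idx, reason)
```

The region list stands in for whatever memory map the trace source provides; without one, the WriteProcessMemory rule cannot tell an RX target from an ordinary data write.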