Process Injection Using Return-Oriented Programming


Bibliographic Details
Main Authors: Bramwell Brizendine, Shiva Shashank Kusuma, Bhaskar P. Rimal
Format: Article
Language: English
Published: IEEE 2025-01-01
Series: IEEE Access
Subjects:
Online Access:https://ieeexplore.ieee.org/document/11095694/
Description
Summary: Return-oriented programming (ROP) is a code-reuse attack that uses borrowed chunks of executable code for arbitrary computation. On Windows, ROP is often used solely to bypass Data Execution Prevention, rather than realizing its full potential; indeed, the bulk of advanced, malicious functionality is typically invoked through shellcode. This paper demonstrates an approach to advanced process injection using only ROP that works without shellcode or higher-level code, providing significantly more advanced functionality than is typically achieved with ROP. We show how to generalize a complex exploit chain that invokes advanced malicious functionality through multiple function calls, each implemented solely with ROP. We generalize this approach by creating a library of nearly 150 parameter-loading patterns, making our ROP-only process-injection technique portable across dissimilar binaries. Previously, only a few APIs were documented with parameter-loading patterns, making advanced ROP techniques on Windows less straightforward. Experimental validation on several builds of modern Windows confirms our approach is reliable on modern Windows variants. This work advances the state of the art in offensive security and provides a foundation for future work in cyber defense and software exploitation.
ISSN: 2169-3536