Invoke functions with a spoofed return address. For 32-bit Windows binaries.
- Include x86RetSpoof.h in your project.
- Find
FF 23
byte sequence (gadget
, machine code equivalent ofjmp dword ptr [ebx]
) in the executable code section of the module you want the spoofed return address to appear in. The address of it will be thegadgetAddress
and the invoked function will see it as the return address. - Call the function with
x86RetSpoof::invoke...()
matching the calling convention of the target function.
Calling MessageBoxW function:
x86RetSpoof::invokeStdcall<int>(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);