Abstract
Return-oriented programming (ROP) is a code-reuse attack that chains borrowed chunks of existing executable code to perform arbitrary computation. On Windows, ROP is often used solely to bypass Data Execution Prevention rather than to realize its full potential; indeed, the bulk of advanced, malicious functionality is typically invoked through shellcode. This paper demonstrates an approach to advanced process injection using only ROP, working without shellcode or higher-level code and providing significantly more advanced functionality than is typically achieved with ROP. We show how to generalize a complex exploit chain that invokes advanced malicious functionality consisting of multiple function calls, all made using only ROP. We generalize this approach by creating a library of nearly 150 parameter-loading patterns, thereby making process injection as a complete ROP technique portable across multiple, dissimilar binaries. Previously, only a few APIs were documented with parameter-loading patterns, which made advanced ROP techniques on Windows less straightforward. Experimental validation on several Windows builds confirms that our approach is reliable on the modern Windows operating system. This work advances the state of the art in offensive security, offering a foundation for future research both in defense and in software exploitation.