x86RetSpoof Windows

Invoke functions with a spoofed return address. For 32-bit Windows binaries.

How to use

  1. Include x86RetSpoof.h in your project.
  2. Find FF 23 byte sequence (gadget, machine code equivalent of jmp dword ptr [ebx]) in the executable code section of the module you want the spoofed return address to appear in. The address of it will be the gadgetAddress and the invoked function will see it as the return address.
  3. Call the function with x86RetSpoof::invoke...() matching the calling convention of the target function.


Calling MessageBoxW function:

x86RetSpoof::invokeStdcall<int>(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);


View Github