Invoke functions with a spoofed return address. For 32-bit Windows binaries. Supports __fastcall, __thiscall, __stdcall and __cdecl calling conventions. Written in C++17.
MIT License
Find an `FF 23` byte sequence (`gadget`, machine code equivalent of `jmp dword ptr [ebx]`) in the executable code section of the module you want the spoofed return address to appear in. Its address will be the `gadgetAddress`, and the invoked function will see it as the return address.

Call the `x86RetSpoof::invoke...()` function matching the calling convention of the target function.

Calling the `MessageBoxW` function:

```cpp
x86RetSpoof::invokeStdcall<int>(std::uintptr_t(&MessageBoxW), std::uintptr_t(gadgetAddress), nullptr, L"text", L"title", MB_OK);
```
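Seen from the callee's side, the return address here points directly at `FF 23` rather than at the instruction following a `call`. The sketch below is an added example, not part of x86RetSpoof: a heuristic a hook or integrity check could apply to a return address inside a mapped code section. `RetCheck`, `indirectCallLength`, `classifyReturnAddress` and `kSample` are hypothetical names, and the byte buffer is constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>

enum class RetCheck { CallPreceded, SpoofGadget, NotCallPreceded, OutOfRange };

// Length of the FF /2 (indirect near CALL, 32-bit addressing) instruction
// starting at p, or 0 if p does not start one. Prefixes are not handled.
static std::size_t indirectCallLength(const std::uint8_t* p, std::size_t avail) {
    if (avail < 2 || p[0] != 0xFF || ((p[1] >> 3) & 7) != 2) return 0;
    const unsigned mod = p[1] >> 6, rm = p[1] & 7;
    std::size_t len = 2;
    if (mod != 3 && rm == 4) {                      // SIB byte follows ModRM
        if (avail < 3) return 0;
        len += 1;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;  // SIB with disp32, no base
    }
    if (mod == 0 && rm == 5) len += 4;              // [disp32]
    if (mod == 1) len += 1;                         // disp8
    if (mod == 2) len += 4;                         // disp32
    return len <= avail ? len : 0;
}

// Classify a return address given as offset `off` into a code section copy.
// Heuristic only: far calls and prefixed forms are ignored.
RetCheck classifyReturnAddress(const std::uint8_t* code, std::size_t size, std::size_t off) {
    if (off >= size) return RetCheck::OutOfRange;
    // The gadget from this page: return address lands on jmp dword ptr [ebx].
    if (off + 1 < size && code[off] == 0xFF && code[off + 1] == 0x23)
        return RetCheck::SpoofGadget;
    if (off >= 5 && code[off - 5] == 0xE8) return RetCheck::CallPreceded;  // call rel32
    for (std::size_t len = 2; len <= 7 && len <= off; ++len)
        if (indirectCallLength(code + off - len, len) == len) return RetCheck::CallPreceded;
    return RetCheck::NotCallPreceded;
}

// Constructed sample bytes (not taken from any real module).
const std::uint8_t kSample[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x90,        // 0: call rel32      5: nop
    0xFF, 0x15, 0x44, 0x33, 0x22, 0x11, 0x90,  // 6: call [disp32]  12: nop
    0xFF, 0xD0, 0x90, 0x90, 0x90,              // 13: call eax      15: nop x3
    0xFF, 0x23, 0xC3                           // 18: jmp [ebx]     20: ret
};
```

A legitimate caller's return address classifies as `CallPreceded`; the address of an `FF 23` gadget does not, which is the property this kind of check relies on.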