Tool for classifying and chaining ROP gadgets in Windows binaries.

aas-n/ropweaver

Ropweaver

Linking gadgets, weaving exploits.

Index

| Title        | Description                        |
|--------------|------------------------------------|
| About        | Brief description of the tool      |
| Installation | Installation and requirements      |
| Usage        | Ropweaver usage                    |
| Semantic     | About the semantic search syntax   |
| Examples     | Examples                           |
| Changelog    | Ropweaver changelog                |
| Disclaimer   | Disclaimer                         |

About

ropweaver is a straightforward, unpretentious tool developed as part of my OSED certification journey. It classifies and chains ROP gadgets in Windows binaries, supporting semantic-based searches, bad byte filtering, and organized gadget categorization.

Installation

git clone https://github.com/aas-n/ropweaver.git
pip install argparse

Usage

python ropweaver.py <filename> [options]
Options
<filename>: rp++ output file containing the list of gadgets.
-b, --bad-bytes: Specify bad bytes to exclude from the gadgets, e.g., '00 0a 0b 0d'.
-c, --no-color: Disable colored output.
-l, --limit: Limit the number of gadgets displayed per category.
-s, --semantic: Search for gadgets matching a specific semantic instruction, e.g., 'eax <- ecx' or '[edi] <- ecx'.
-a, --virtualaddress: The virtual address of the module in hexadecimal (-a '0x10000000').
-v, --debug: Enable verbose output for debugging.

Semantic

Semantic allows you to find and chain gadgets based on pseudo code.

-s 'eax <- ecx'           # mov eax, ecx
-s '[eax] <- ecx'         # mov [eax], ecx or mov dword ptr [eax], ecx
-s 'eax <- [ecx]'         # mov eax, [ecx] or mov eax, dword ptr [ecx]
-s 'eax <-> ecx'          # xchg eax, ecx
-s 'eax + ecx'            # add eax, ecx
-s 'eax - ecx'            # sub eax, ecx
-s 'eax <- 0'             # xor eax, eax;
-s 'eax <- ecx + offset'  # offset as two's complement; pop ecx; ret; sub eax, ecx; ret;
-s 'eax++'                # inc eax;
-s 'eax--'                # dec eax;
-s 'neg eax'              # neg eax;
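To make the mapping concrete, here is an added example (not ropweaver's own code) that translates the basic semantic forms above into instruction regexes, runs them over gadget lines written in the style of rp++ output, and applies the same kind of bad-byte filter as the -b option. The gadget lines and addresses are constructed for the demo; the `eax <- ecx + offset` chaining form is not covered.

```python
import re
# Added example, not ropweaver's own code: turns the README's semantic pseudo
# code into instruction regexes and runs them over gadget lines written in the
# style of rp++ output (all lines/addresses below are constructed). Forms are
# ordered so the more specific ones win ("eax <- 0" before "eax <- reg").
SEMANTIC_PATTERNS = [
    (r"^(\w+) <- 0$",         r"xor {0}, {0}"),
    (r"^(\w+) <-> (\w+)$",    r"xchg {0}, {1}"),
    (r"^\[(\w+)\] <- (\w+)$", r"mov (?:dword ptr )?\[{0}\], {1}"),
    (r"^(\w+) <- \[(\w+)\]$", r"mov {0}, (?:dword ptr )?\[{1}\]"),
    (r"^(\w+) <- (\w+)$",     r"mov {0}, {1}"),
    (r"^(\w+) \+ (\w+)$",     r"add {0}, {1}"),
    (r"^(\w+) - (\w+)$",      r"sub {0}, {1}"),
    (r"^(\w+)\+\+$",          r"inc {0}"),
    (r"^(\w+)--$",            r"dec {0}"),
    (r"^neg (\w+)$",          r"neg {0}"),
]

def semantic_to_regex(expr):
    """'[edi] <- ecx' -> compiled regex matching one equivalent instruction."""
    for form, template in SEMANTIC_PATTERNS:
        m = re.match(form, expr.strip())
        if m:
            return re.compile("^" + template.format(*m.groups()) + "$")
    raise ValueError("unsupported semantic: %r" % expr)

def parse_gadget(line):
    """'0x10011234: mov eax, ecx ; ret ; (1 found)' -> (addr, [insns])."""
    addr_text, _, rest = line.partition(":")
    rest = re.sub(r"\(\d+ found\)\s*$", "", rest)
    return int(addr_text, 16), [i.strip() for i in rest.split(";") if i.strip()]

def has_bad_bytes(addr, bad, width=4):
    """True if any byte of the little-endian address is in the bad-byte set."""
    return any(b in bad for b in addr.to_bytes(width, "little"))

def find_gadgets(lines, expr, bad_bytes=""):
    """Gadgets whose first insn matches expr, end in ret and have a clean address."""
    pattern = semantic_to_regex(expr)
    bad = {int(b, 16) for b in bad_bytes.split()}  # e.g. "00 0a 0b 0d"
    return [(addr, insns) for addr, insns in map(parse_gadget, lines)
            if insns and insns[-1] == "ret" and pattern.match(insns[0])
            and not has_bad_bytes(addr, bad)]

# Constructed listing: 0x..0a10 trips the bad-byte filter; the jmp one lacks ret.
GADGETS = """\
0x10011234: mov eax, ecx ; ret ; (1 found)
0x10010a10: mov eax, ecx ; ret ; (1 found)
0x10012244: mov eax, ecx ; pop ebx ; ret ; (1 found)
0x10013311: mov dword ptr [edi], ecx ; ret ; (1 found)
0x10014422: xor eax, eax ; ret ; (2 found)
0x10016644: mov eax, ecx ; jmp esi ; (1 found)
""".splitlines()
```

Calling `find_gadgets(GADGETS, "eax <- ecx", "00 0a 0b 0d")` returns the two ret-terminated `mov eax, ecx` gadgets whose addresses contain none of the bad bytes.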

Examples

(Screenshots of Ropweaver output.)

Changelog

Version 0.1
=============
[ ] add advanced chaining
[ ] add variations to categories
[x] add baseAddress option
[x] support windows rp++ outputs
[x] support linux rp++ outputs
[x] add basic chaining
[x] add semantic eax <- ecx + offset and eax <- ecx offset
[x] add gadget categorization
[x] add gadget filtering
[x] add no-color to make grep easier
[x] add semantic mode
[x] add debug mode

Disclaimer

This tool was developed as part of my OSED certification journey and is intended for educational and research purposes only. Use it responsibly.
