ROP ROCKET: Advanced Framework for Return-Oriented Programming

By Shiva Shashank, Bramwell Brizendine on 06 Aug 2025 @ Blackhat: Arsenal
Focus Areas: Malware Analysis, Penetration Testing, Reverse Engineering, Security Architecture, Vulnerability Management
This tool demo covers the following tools that the speaker has authored or contributed to:
ROP-ROCKET

Abstract

ROP ROCKET is a groundbreaking, next-generation tool for Return-Oriented Programming (ROP), boasting unparalleled capabilities. This tool introduces several innovative techniques, including a novel approach to invoking Heaven’s Gate via ROP, which facilitates the transition from x86 to x64 architecture, and invoking Windows syscalls via ROP to evade Data Execution Prevention (DEP), eliminating the need for less stealthy Windows API functions.

The focal point of this tool is automatic ROP chain generation—constructing complete ROP exploits. Moreover, with this tool, we pioneer several new ROP techniques, including both x86 and x64 Heaven’s Gate and using Windows syscalls to bypass DEP. To overcome DEP, we automate chain generation for Windows syscalls NtAllocateVirtualMemory and NtProtectVirtualMemory. In addition, ROP ROCKET can avoid the need to bypass DEP by chaining multiple APIs together to achieve shellcode-like functionality.

For Black Hat Arsenal 2025, we will unveil support for building ROP chains for many new WinAPIs: WinExec, DeleteFileA, CreateToolhelp32Snapshot, URLDownloadToFileA, OpenProcess, Process32First, Process32Next, RegSetKeyValueA, RegCreateKeyA, WriteProcessMemory, HeapCreate, OpenSCManagerA, CreateServiceA, ShellExecuteA, CreateRemoteThread, VirtualAllocEx, TerminateProcess, and CreateProcessA. All will be available via automatic ROP chain construction using patterns with PUSHAD or a combination of PUSHAD coupled with mov dereferences, or the sniper approach.

One of the features of ROP ROCKET is the sheer diversity of possibilities in creating these chains, allowing unique and unusual combinations that traditionally might not be achievable by ROP chain automation. The tool uses extensive emulation to evaluate the fitness of individual ROP gadgets, allowing unusual or longer ROP gadgets to be used. It also builds, emulates, and debugs parts of some ROP chains internally to solve certain problems, allowing for ROP chains to be built with the mov dereference or sniper approach, rather than relying simply on the PUSHAD approach. Distances to certain function parameters can also be dynamically calculated and readjusted with emulation.

Sometimes a ROP chain is feasible only if a ROP gadget’s address is free of bad bytes. With ROP ROCKET, we provide a way to obfuscate gadgets, allowing the gadget address to be pushed onto the stack, decoded, and executed at runtime.

ROP ROCKET is built for performance, utilizing multiprocessing to harness a dozen or more cores. It also stores discovered gadgets from previously examined binaries, giving persistence across sessions. With all possible ROP gadgets—our raw ingredients—identified, ROP chains can be formed in seconds.

While ROP can be a complex topic, ROP ROCKET provides powerful capabilities to users. New for Black Hat Arsenal 2025, the tool will support over 100 patterns for different WinAPIs or syscalls, far exceeding the capabilities of other ROP generation tools.