If you want code that does assembly operations A, B, and then C, you might be able to accomplish it by scanning loaded memory (or its corresponding binary) for bits that, when translated into assembly, do:
A
D
return
This set of three instructions is a gadget. In practice, it’s a location in memory.
And then you find another gadget.
B
C
return
Then, if you don’t care about D, or D does something irrelevant that won’t screw up what you’re trying to do, or won’t crash the program, you can replace the stack with the addresses of gadgets one and two. When gadget one returns, the stack is popped and then gadget two executes.
Since the computer did ADBC and D was irrelevant, the system executed your ABC malware and now you win.
Is finding gadgets that execute actual malware hard? Surprisingly not!
Do you know what a memory stack and assembly are?
If you want code that does assembly operations A, B, and then C, you might be able to accomplish it by scanning loaded memory (or its corresponding binary) for bits that, when translated into assembly, do:
A
D
return
This set of three instructions is a gadget. In practice, it’s a location in memory.
And then you find another gadget.
B
C
return
Then, if you don’t care about D, or D does something irrelevant that won’t screw up what you’re trying to do, or won’t crash the program, you can replace the stack with the addresses of gadgets one and two. When gadget one returns, the stack is popped and then gadget two executes.
Since the computer did ADBC and D was irrelevant, the system executed your ABC malware and now you win.
Is finding gadgets that execute actual malware hard? Surprisingly not!