A tool written in C (Win32) to convert any shellcode in ROP and patch it into a given portable executable (PE). It supports only 32-bit target PEs and the x86 instruction set.
Published in Blackhat USA 2015, "ROPInjector: Using Return Oriented Programming for Polymorphism and Antivirus Evasion" More info:
ropinjector <file-to-infect> <shellcode-file> <output-file>* [options]*
(* denotes optional arguments)
ropinjector.exe firefox.exe revshell.txt
file-to-infect : any 32-bit, non-packed PE
shellcode-file : the shellcode to patch in the PE file
output-file (optional) : The name of the output file. If not specified, ROPInjector will choose a suitable filename indicating the type of injection performed.
text Force reading of shellcode file as text file. Shellcode in text form must be in the \xHH\xHH\xHH format. norop Don't transform shellcode to ROP. nounroll Don't unroll SIBs. noinj Don't inject missing gadgets. getpc Don't replace getPC constructs in the shellcode. entry Have shellcode run before the original PE code. Without this option, ROPInjector will try to hook calls to ExitProcess(), exit() and the like so that the shellcode runs last, right before process exit. -d<secs> Number of seconds to Sleep() before executing the shellcode. When this option is specified, "entry" is also implicitly used.
ROPInjector will output some comma-delimited stats in the end. These are (in order of appearance):
Download _ ROPInjector _