| CARVIEW |
Select Language
HTTP/2 301
date: Sun, 27 Jul 2025 20:55:42 GMT
content-type: text/html; charset=utf-8
content-length: 0
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
location: https://github.com/Cisco-Talos/ROPMEMU/wiki/Tutorial---ropemu
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
set-cookie: _gh_sess=HWAJHguGYvph4mrqBddvh%2B7a8BbWwW3XQNAKc2JIhTXNBU24vbZyl9YjYbgdLaR1YVOiwgW4HkprXzlQbYRQo79z0TGAP9%2BNp8N9en4k3TaPfTpVk3IFh6cRx2V%2BrwiiyyzPzCGQij4YvjT0jHshi%2BE%2B9CsllIZw0SZmWC32BOEAAi%2BU4xYHEPrwIaxwOzvx03eaFMLKLl0HTQm2bhgCK66AmXyp5TO1FKaBWCcA9jVkFh56rDFlG6yjDDOH9m7W0GBw%2BHuI14oZk76V95WYuQ%3D%3D--C348B6b7dYGJxZF%2B--LHfK3zzeRDA1nz%2F5ymsO%2Bg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.965558536.1753649742; Path=/; Domain=github.com; Expires=Mon, 27 Jul 2026 20:55:42 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 27 Jul 2026 20:55:42 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: B84C:93466:8322FE:AC723D:6886924E
HTTP/2 200
date: Sun, 27 Jul 2025 20:55:42 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
x-robots-tag: none
etag: W/"f4dba4bdb1fe895e1d82ea1d9d1b664d"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
x-github-request-id: B84C:93466:832314:AC7252:6886924E
Tutorial ropemu · Cisco-Talos/ROPMEMU Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 42
Tutorial ropemu
magrazia edited this page May 24, 2016
·
1 revision
In the first part of this tutorial ropemu is presented. ropmemu implements the emulation phase and it is one of the core components of the framework. It generates JSON traces containing the CPU context and the shadow stack (the memory context). It is a Volatility plugin able to follow gadget by gadget a ROP chain. The emulation part is implemented on top of the Unicorn emulator and Capstone as disassembly library.
In the first two cases we observe the different execution modes.
In the first example we execute the first ten gadgets of the copy chain in full emulation mode.
In the second example, we re-start the execution from a given gadget (gadget number 10) by loading the CPU context from the a previous run containing 20 gadgets generated like in the first example.
02:15:56 emdel -> time python vol.py ropemu -f ../rop_dumps/0/rkrop_pmem_raw_0x00.ram --profile Linuxubuntu-serverx64x64 -o /tmp/20 -I 0xffffffff816a9438 -S 0xffff88001b800000 -n 10 --dtb=62967808
Volatility Foundation Volatility Framework 2.3.1
[+] Initial IP: 0xffffffff816a9438
[+] Initial SP: 0xffff88001b800000
[+] Gadget 1 at 0xffff88001b800000
| 0xffffffff816a9438 | ret
[+] Gadget 2 at 0xffff88001b800008
| 0xffffffff8100a4de | pop rax
| 0xffffffff8100a4df | ret
[+] Gadget 3 at 0xffff88001b800018
| 0xffffffff8115c832 | mov qword ptr [rax], rdx
| 0xffffffff8115c835 | ret
[+] Gadget 4 at 0xffff88001b800020
| 0xffffffff8100a4de | pop rax
| 0xffffffff8100a4df | ret
[+] Gadget 5 at 0xffff88001b800030
| 0xffffffff81060147 | mov rdx, rcx
| 0xffffffff8106014a | ret
[+] Gadget 6 at 0xffff88001b800038
| 0xffffffff8115c832 | mov qword ptr [rax], rdx
| 0xffffffff8115c835 | ret
[+] Gadget 7 at 0xffff88001b800040
| 0xffffffff810051ae | pop rcx
| 0xffffffff810051af | ret
[+] Gadget 8 at 0xffff88001b800050
| 0xffffffff812ce029 | pop rdx
| 0xffffffff812ce02a | ret
[+] Gadget 9 at 0xffff88001b800060
| 0xffffffff81352d33 | add rsp, 0x10
| 0xffffffff81352d37 | ret
[+] Gadget 10 at 0xffff88001b800078
| 0xffffffff8143bc09 | sub rsp, 8
| 0xffffffff8143bc0d | call rdx
[+] /tmp/20_hwcontext.json generated
real 0m2.112s
user 0m1.956s
sys 0m0.136s
03:10:51 emdel -> time python vol.py ropemu -f ../rop_dumps/0/rkrop_pmem_raw_0x00.ram --profile Linuxubuntu-serverx64x64 -o /tmp/lol -I 0xffffffff8143bc09 -S 0xffff88001b800078 -n 21 -G 10 -i /tmp/20_hwcontext.json --dtb=62967808
Volatility Foundation Volatility Framework 2.3.1
[+] Initial IP: 0xffffffff8143bc09
[+] Initial SP: 0xffff88001b800078
[+] Loading hardware context from: /tmp/20_hwcontext.json
[+] Gadget 10 at 0xffff88001b800078
| 0xffffffff8143bc09 | sub rsp, 8
| 0xffffffff8143bc0d | call rdx
[+] Gadget 11 at 0xffff88001b800068
| 0xffffffff81626b6e | mov rdx, rbx
| 0xffffffff81626b71 | call rcx
[+] Gadget 12 at 0xffff88001b800060
| 0xffffffff816a9434 | add rsp, 0x38
| 0xffffffff816a9438 | ret
[+] Gadget 13 at 0xffff88001b8000a0
| 0xffffffff8100a4de | pop rax
| 0xffffffff8100a4df | ret
[+] Gadget 14 at 0xffff88001b8000b0
| 0xffffffff8115c832 | mov qword ptr [rax], rdx
| 0xffffffff8115c835 | ret
[+] Gadget 15 at 0xffff88001b8000b8
| 0xffffffff812ca859 | pop rbx
| 0xffffffff812ca85a | ret
[+] Gadget 16 at 0xffff88001b8000c8
| 0xffffffff812ce029 | pop rdx
| 0xffffffff812ce02a | ret
[+] Gadget 17 at 0xffff88001b8000d8
| 0xffffffff81352d33 | add rsp, 0x10
| 0xffffffff81352d37 | ret
[+] Gadget 18 at 0xffff88001b8000f0
| 0xffffffff8143bc09 | sub rsp, 8
| 0xffffffff8143bc0d | call rdx
[+] Gadget 19 at 0xffff88001b8000e0
| 0xffffffff815852e3 | mov rdx, rsi
| 0xffffffff815852e6 | mov esi, r8d
| 0xffffffff815852e9 | call rbx
[+] Gadget 20 at 0xffff88001b8000d8
| 0xffffffff816a9434 | add rsp, 0x38
| 0xffffffff816a9438 | ret
[+] Gadget 21 at 0xffff88001b800118
| 0xffffffff8100a4de | pop rax
| 0xffffffff8100a4df | ret
[+] /tmp/lol_hwcontext.json generated
real 0m2.149s
user 0m1.972s
sys 0m0.172s
The first two gadgets of /tmp/20_hwcontext.json:
{
"0xffff88001b800000-1": {
"0xffffffff816a9438": {
"ret ": {
"EAX": "0x0",
"EBP": "0x0",
"EBX": "0x0",
"ECX": "0x0",
"EDI": "0x0",
"EDX": "0x0",
"EFLAGS": "0x0",
"ESI": "0x0",
"RAX": "0x0",
"RBP": "0x0",
"RBX": "0x0",
"RCX": "0x0",
"RDI": "0x0",
"RDX": "0x0",
"RSI": "0x0",
"R8": "0x0",
"R9": "0x0",
"R10": "0x0",
"R11": "0x0",
"R12": "0x0",
"R13": "0x0",
"R14": "0x0",
"R15": "0x0",
"RSP": "0xffff88001b800008",
"ESP": "0x1b800008",
"RIP": "0xffffffff8100a4de",
"EIP": "0x8100a4de"
}
}
},
"0xffff88001b800008-2": {
"0xffffffff8100a4de": {
"pop rax": {
"EAX": "0x1bc00000",
"EBP": "0x0",
"EBX": "0x0",
"ECX": "0x0",
"EDI": "0x0",
"EDX": "0x0",
"EFLAGS": "0x0",
"ESI": "0x0",
"RAX": "0xffff88001bc00000",
"RBP": "0x0",
"RBX": "0x0",
"RCX": "0x0",
"RDI": "0x0",
"RDX": "0x0",
"RSI": "0x0",
"R8": "0x0",
"R9": "0x0",
"R10": "0x0",
"R11": "0x0",
"R12": "0x0",
"R13": "0x0",
"R14": "0x0",
"R15": "0x0",
"RSP": "0xffff88001b800010",
"ESP": "0x1b800010",
"RIP": "0xffffffff8100a4df",
"EIP": "0x8100a4df"
}
},
"0xffffffff8100a4df": {
"ret ": {
"EAX": "0x1bc00000",
"EBP": "0x0",
"EBX": "0x0",
"ECX": "0x0",
"EDI": "0x0",
"EDX": "0x0",
"EFLAGS": "0x0",
"ESI": "0x0",
"RAX": "0xffff88001bc00000",
"RBP": "0x0",
"RBX": "0x0",
"RCX": "0x0",
"RDI": "0x0",
"RDX": "0x0",
"RSI": "0x0",
"R8": "0x0",
"R9": "0x0",
"R10": "0x0",
"R11": "0x0",
"R12": "0x0",
"R13": "0x0",
"R14": "0x0",
"R15": "0x0",
"RSP": "0xffff88001b800018",
"ESP": "0x1b800018",
"RIP": "0xffffffff8115c832",
"EIP": "0x8115c832"
}
}
},
...
ROPMEMU Framework
Clone this wiki locally
You can’t perform that action at this time.