Transforming malicious code to ROP gadgets for antivirus evasion

Transforming malicious code to ROP gadgets for antivirus evasion

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for $120.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

This study advances research in offensive technology by proposing return oriented programming (ROP) as a means to achieve code obfuscation. The key inspiration is that ROP's unique structure poses various challenges to malware analysis compared to traditional shellcode inspection and detection. The proposed ROP-based attack vector provides two unique features: (i) the ability to automatically analyse and generate equivalent ROP chains for a given code, and (ii) the ability to reuse legitimate code found in an executable in the form of ROP gadgets. To this end, a software tool named ROPInjector was developed which, given any piece of shellcode and any legitimate executable file, it transforms the shellcode to its ROP equivalent re-using the available code in the executable and finally patches the ROP chain infecting the executable. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly and completely all antivirus software employed in the online VirusTotal service, making ROP an effective ingredient for code obfuscation. This attack vector poses a serious threat which malicious actors can take advantage to perform cyber-attack campaigns.


    1. 1)
      • 1. Shacham, H.: ‘The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)’. Proc. of the 14th ACM Conf. on Computer and Communications Security, Alexandria, VA, USA, 2007.
    2. 2)
      • 2. Vogl, S., Pfoh, J., Kittel, T., et al: ‘Persistent data-only malware: function hooks without code’. NDSS, San Diego, CA, USA, 2014.
    3. 3)
      • 3. Ma, H., Lu, K., Ma, X., et al: ‘Software watermarking using return-oriented programming’. Proc. of the 10th ACM Symp. on Information, Computer and Communications Security, Denver, CO, USA, 2015.
    4. 4)
      • 4. Lu, K., Xiong, S., Gao, D.: ‘Ropsteg: program steganography with return oriented programming’. Proc. of the 4th ACM Conf. on Data and Application Security and Privacy, San Antonio, TX, USA, 2014.
    5. 5)
      • 5. Andriesse, D., Bos, H., Slowinska, A.: ‘Parallax: implicit code integrity verification using return-oriented programming’. 2015 45th Annual IEEE/IFIP Int. Conf. on Dependable Systems and Networks, Rio de Janeiro, Brazil, 2015.
    6. 6)
      • 6. Poulios, G., Ntantogian, C., Xenakis, C.: ‘Ropinjector: using return oriented programming for polymorphism and antivirus evasion’. Blackhat USA, Las Vegas, NV, USA, 2015.
    7. 7)
      • 7. Mu, D., Guo, J., Ding, W., et al: ‘ROPOB: obfuscating binary code via return oriented programming’. Int. Conf. on Security and Privacy in Communication Systems, Cham, 2017.
    8. 8)
      • 8. Borrello, P., Coppa, E., D'Elia, D.C., et al: ‘The ROP needle: hiding trigger-based injection vectors via code reuse’. 34th ACM/SIGAPP Symp. on Applied Computing, Limassol, Cyprus, April 2019.
    9. 9)
      • 9. Mohan, V., Hamlen, K.W.: ‘Frankenstein: stitching malware from benign binaries’. USENIX Workshop on Offensive Technologies (WOOT 2012), Bellevue, WA, USA, 2012, pp. 7784.
    10. 10)
      • 10. Roemer, R., Buchanan, E., Shacham, H., et al: ‘Return-oriented programming: systems, languages, and applications’, ACM Trans. Inf. Syst. Secur., 2012, 15, (1), p. 2.
    11. 11)
      • 11. Shellter project. Available at, accessed 15 April 2018.
    12. 12)
      • 12. Injecting Shellcode into a Portable Executable (PE) using Python. Available at, accessed 15 April 2018.
    13. 13)
      • 13. Metasploit. Available at, accessed 15 April 2018.
    14. 14)
      • 14. Karnik, A., Goswami, S., Guha, R.: ‘Detecting obfuscated viruses using cosine similarity analysis’. First Asia Int. Conf. on Modelling & Simulation (AMS’ 07), Phuket, Thailand, 2007.
    15. 15)
      • 15. VirusTotal. Available at, accessed 15 June 2018.
    16. 16)
      • 16. The Best Antivirus Protection for 2019. Available at
    17. 17)
      • 17. DeMott, J.: ‘Bypassing EMET 4.1’, IEEE Secur. Priv., 2015, 13, (4), pp. 6672.
    18. 18)
      • 18. Ispoglou, K., Payer, M.: ‘malWASH: washing malware to evade dynamic analysis’. WOOT, Austin, TX, USA, 2016.
    19. 19)
      • 19. Abadi, M., Budiu, M., Erlingsson, U., et al: ‘Control-flow integrity’. Proc. of the 12th ACM Conf. on Computer and Communications Security, Alexandria, VA, USA, 2005.
    20. 20)
      • 20. Burow, N., Carr, S., Nash, J., et al: ‘Control-flow integrity: precision, security, and performance’, ACM Comput. Surv., 2017, 50, (1), p. 16.
    21. 21)
      • 21. Applocker. Available at, accessed 15 February 2018.
    22. 22)
      • 22. Das, S., Werner, J., Antonakakis, M., et al: ‘Sok: the challenges, pitfalls, and perils of using hardware performance counters for security’. 2019 IEEE Symp. on Security & Privacy (SP), San Fransisco, CA, US, 2019, pp. 345363.
    23. 23)
      • 23. Das, S., Chen, B., Chandramohan, M., et al: ‘ROPSentry: runtime defense against ROP attacks using hardware performance counters’, Comput. Secur., 2018, 73, pp. 374388.
    24. 24)
      • 24. Wang, X., Backer, J.: ‘SIGDROP: signature-based ROP detection using hardware performance counters’, arXiv preprint arXiv:1609.02667, 2016.
    25. 25)
      • 25. Tang, A., Sethumadhavan, S., Stolfo, S.J.: ‘Unsupervised anomaly-based malware detection using hardware features’. Int. Workshop on Recent Advances in Intrusion Detection, Cham, 2014.
    26. 26)
      • 26. Ming, J., Xu, D., Jiang, Y., et al: ‘Binsim: trace-based semantic binary diffing via system call sliced segment equivalence checking’. Proc. of the 26th USENIX Security Symp., Vancouver, Canada, 2017.
    27. 27)
      • 27. Blazytko, T., Contag, M., Aschermann, C., et al: ‘Syntia: synthesizing the semantics of obfuscated code’. 26th USENIX Security Symp., Vancouver, Canada, 2017.

Related content

This is a required field
Please enter a valid email address