{"id":15060113,"url":"https://github.com/jlospinoso/gargoyle","last_synced_at":"2025-04-04T14:08:39.062Z","repository":{"id":40477435,"uuid":"83858471","full_name":"JLospinoso/gargoyle","owner":"JLospinoso","description":"A memory scanning evasion technique","archived":false,"fork":false,"pushed_at":"2017-05-24T00:23:54.000Z","size":1003,"stargazers_count":863,"open_issues_count":1,"forks_count":115,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-04-04T14:08:34.065Z","etag":null,"topics":["assembly","memory-analysis","pic","rop-gadgets","security","x86"],"latest_commit_sha":null,"homepage":"https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JLospinoso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-04T02:16:52.000Z","updated_at":"2025-04-03T00:44:32.000Z","dependencies_parsed_at":"2022-07-09T13:30:39.206Z","dependency_job_id":null,"html_url":"https://github.com/JLospinoso/gargoyle","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLospinoso%2Fgargoyle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLospinoso%2Fgargoyle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLospinoso%2Fgargoyle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLospinoso%2Fgargoyle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JL
ospinoso","download_url":"https://codeload.github.com/JLospinoso/gargoyle/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247190252,"owners_count":20898702,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assembly","memory-analysis","pic","rop-gadgets","security","x86"],"created_at":"2024-09-24T22:53:09.187Z","updated_at":"2025-04-04T14:08:39.044Z","avatar_url":"https://github.com/JLospinoso.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"![gargoyle title](https://github.com/JLospinoso/gargoyle/raw/master/title.png)\n\n![gargoyle infographic](https://github.com/JLospinoso/gargoyle/raw/master/infographic.png)\n\n# Building gargoyle\n\n*gargoyle* is only implemented for 32-bit Windows (running the 32-bit build on 64-bit Windows is fine). You must have the following installed:\n\n* [Visual Studio](https://www.visualstudio.com/downloads/): 2017 Community is tested, but it may work for other versions.\n* [Netwide Assembler](http://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D) v2.12.02 x64 is tested, but it may work for other versions. Make sure `nasm.exe` is on your path.\n\nClone *gargoyle*:\n\n```sh\ngit clone https://github.com/JLospinoso/gargoyle.git\n```\n\nOpen `Gargoyle.sln`, build, and run. 
There is some harness code in `main.cpp` that configures the following three components:\n\n* *gargoyle* stack trampoline, stack, and configuration (read/write memory on the heap)\n* *gargoyle* position independent code (PIC) that receives the ROP gadget/stack trampoline and runs arbitrary code\n* A ROP gadget. If you have `mshtml.dll`, *gargoyle* will load it into memory and use it. If it is not available, you will have to tell *gargoyle* to allocate its own (3-byte) ROP gadget on the heap:\n\n```cpp\n// main.cpp\nauto use_mshtml{ true };\nauto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);\n```\n\nEvery 15 seconds, gargoyle will pop up a message box. When you click ok, gargoyle sets up the tail calls to mark itself non-executable and to wait for the timer. For fun, use [Sysinternals's excellent VMMap tool](https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx) to examine when *gargoyle*'s PIC is executable. If a message box is active, *gargoyle* will be executable. If it is not, *gargoyle* should not be executable. The PIC's address is printed to `stdout` just before the harness calls into the PIC.\n\n# More information\nSee the blog post [available at lospi.net](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html) for more information.\n\nAlso feel free to hop on gitter: [![Join the chat at https://gitter.im/grgyl/Lobby](https://badges.gitter.im/grgyl/Lobby.svg)](https://gitter.im/grgyl/Lobby?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjlospinoso%2Fgargoyle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjlospinoso%2Fgargoyle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjlospinoso%2Fgargoyle/lists"}