{"id":19670193,"url":"https://github.com/x86-512/vxpp","last_synced_at":"2025-04-29T00:31:30.972Z","repository":{"id":251833196,"uuid":"838544777","full_name":"x86-512/VXpp","owner":"x86-512","description":"VFGadget locator to facilitate Counterfeit Object-Oriented Programming (COOP) and Loop-Oriented Programming (LOP) attacks to bypass advanced security protections like Intel CET and Control-Flow Guard (CFG) to achieve Remote Code Execution.","archived":false,"fork":false,"pushed_at":"2025-03-16T20:34:28.000Z","size":390,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-05T12:02:31.102Z","etag":null,"topics":["binary-exploitation","buffer-overflow","cet","cfg","code-reuse","control-flow-guard","control-flow-integrity","coop","exploit","exploit-development","intel-cet","lop","rce","rce-exploit","rop","rop-gadgets","ropgadget","security-bypass","uaf","use-after-free"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x86-512.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-05T21:35:51.000Z","updated_at":"2025-03-16T20:34:31.000Z","dependencies_parsed_at":"2024-08-26T02:05:13.597Z","dependency_job_id":"1c919c69-deeb-40f9-9094-26f60ace338a","html_url":"https://github.com/x86-512/VXpp","commit_stats":null,"previous_names":["x256-64/vpp","und3rth3bu5/vxpp","x86-512/vxpp"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/x86-512%2FVXpp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86-512%2FVXpp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86-512%2FVXpp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86-512%2FVXpp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x86-512","download_url":"https://codeload.github.com/x86-512/VXpp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251410323,"owners_count":21584999,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-exploitation","buffer-overflow","cet","cfg","code-reuse","control-flow-guard","control-flow-integrity","coop","exploit","exploit-development","intel-cet","lop","rce","rce-exploit","rop","rop-gadgets","ropgadget","security-bypass","uaf","use-after-free"],"created_at":"2024-11-11T17:05:12.421Z","updated_at":"2025-04-29T00:31:30.960Z","avatar_url":"https://github.com/x86-512.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Virtual Xploiter++ (VX++)\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"test_images/chrome_elf.png\" alt=\"Google Chrome VFGadgets\"/\u003e\n\u003c/div\u003e\u003cbr\u003e\nVX++ is a simple script that looks for usable VFGadgets for a Counterfeit Object-Oriented Programming (COOP) or a Loop-Oriented Programming (LOP) attack. COOP is an exploitation technique that bypasses advanced security mitigations like Intel CET. 
COOP involves injecting counterfeit objects into a program with different vtables whose pointers target legitimate functions that can be chained to execute arbitrary code. LOP involves overwriting a dispatch table with pointers to LOP gadgets; a looper then iterates through the overwritten table to execute the gadgets. This script is also a free alternative to Uf0's IDAPython script, so you don't have to buy IDA Pro to use IDAPython.\n\n# Features\n\nHere is a list of VFGadgets that are supported:\n\n| VFGadget | Support | Description |\n| --- | --- | --- |\n| ML-G and variants | Supported | Loops through an object's encapsulated classes and calls a virtual method of the subclass |\n| ARITH-G | Supported | Performs a simple mathematical operation on a field |\n| LOAD-R64-G | Supported | Loads an argument into a register (meant for x64) |\n| Invoker | Supported | Invokes an API function |\n| W-G and variants | Planned | Writes to memory |\n\nThese VFGadgets work for both COOP and LOP.\n\n# Effectiveness Against Exploit Protections\n\n| Protection | Status | Description |\n| --- | --- | --- |\n| Intel CET | Bypassed | This feature uses shadow stacks to detect IP overwrites and checks indirect branches to validate the call target. |\n| Windows CFG | Bypassed | This feature validates the destination of an indirect call. |\n| VTGuard | Bypassed | To bypass, simply use LOP. |\n| Windows XFG | Partial | This feature validates the parameter and return types of a call target via hashes. This script marks hashes of hashed functions. 
|\n\n# How to run:\n- Install Ghidra\n- Install requirements: ```pip install -r requirements.txt```\n- Set your GHIDRA_INSTALL_DIR environment variable to your Ghidra installation location\n- Run the script\n\nThis script requires Python 3.10 or later.\n\nSyntax:\n```python3 vxpp.py \u003cyour_binary_path_here\u003e \u003cmax_vfgadget_length\u003e \u003carguments\u003e```\n\n# Examples:\nMicrosoft Photos (PhotoViewer.dll): 9 potential MainLoop-Gadgets found\n![Photo Viewer Results](test_images/photoviewer_test_1.png)\n\nGoogle Chrome (chrome_elf.dll): 2 Invoker Gadgets found\n![Google Chrome Results](test_images/chrome_elf.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx86-512%2Fvxpp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fx86-512%2Fvxpp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx86-512%2Fvxpp/lists"}