Class RopChain

Class Documentation

class RopChain

Manages an ordered sequence of ROP actions to form a ROP chain.

The RopChain class allows for the construction of complex ROP chains by adding individual ROP actions or raw 64-bit values. It handles KASLR (Kernel Address Space Layout Randomization) offsets and argument substitution for actions defined by a Target.

Public Functions

RopChain(Target &target, uint64_t kaslr_base)

Constructs a new RopChain.

Parameters:
  • target – A reference to the Target object which provides definitions for ROP actions.

  • kaslr_base – The base address for KASLR, used to adjust symbol addresses.

void AddRopAction(RopActionId id, std::vector<uint64_t> arguments = {})

Adds a predefined ROP action to the chain.

This method retrieves the sequence of ROP items for a given action ID from the associated Target and constructs a RopAction, substituting arguments and applying KASLR offsets where necessary.

Parameters:
  • id – The ID of the ROP action to add.

  • arguments – A vector of 64-bit arguments to substitute into the action. The index of an argument in this vector corresponds to its item.value when item.type == RopItemType::ARGUMENT.

Throws:

ExpKitError – If an unexpected RopAction item type is encountered or if there are not enough arguments provided for an action.

void Add(uint64_t item, bool offset = false)

Adds a raw 64-bit item directly to the ROP chain as a single-value action.

This is useful for adding arbitrary values (e.g., stack pivots, return addresses, or immediate values) that are not part of a predefined RopAction.

Parameters:
  • item – The 64-bit value to add.

  • offset – If true, the kaslr_base_ will be added to the item. Defaults to false.

std::vector<uint8_t> GetData() const

Retrieves the entire ROP chain as a vector of bytes.

The 64-bit items in the chain are converted to a contiguous byte array. This is useful for writing the ROP chain directly to memory or a file.

Returns:

A std::vector<uint8_t> representing the ROP chain in byte format.
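As an added illustration of the semantics documented for AddRopAction and GetData (example code, not the project's own): ResolveAction models how an action's items are turned into words, substituting arguments by index and adding the KASLR base to symbol offsets, and WordsToBytes models the flat byte layout GetData returns. The RopItemType enumerators CONSTANT and SYMBOL and the little-endian byte order are assumptions; the page itself names only ARGUMENT.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Assumed item kinds (the page names only ARGUMENT): CONSTANT is used as-is,
// SYMBOL is an image-relative offset that gets kaslr_base added, ARGUMENT is
// replaced by arguments[item.value].
enum class RopItemType { CONSTANT, SYMBOL, ARGUMENT };
struct RopItem { RopItemType type; uint64_t value; };

// Resolve one action's item list into concrete 64-bit words, mirroring what
// AddRopAction does with the items it retrieves from the Target.
std::vector<uint64_t> ResolveAction(const std::vector<RopItem>& items,
                                    const std::vector<uint64_t>& arguments,
                                    uint64_t kaslr_base) {
    std::vector<uint64_t> words;
    for (const RopItem& item : items) {
        if (item.type == RopItemType::CONSTANT) {
            words.push_back(item.value);
        } else if (item.type == RopItemType::SYMBOL) {
            words.push_back(kaslr_base + item.value);
        } else if (item.type == RopItemType::ARGUMENT) {
            // The argument index is carried in item.value; too few arguments
            // is the "not enough arguments" error the documentation describes.
            if (item.value >= arguments.size())
                throw std::runtime_error("not enough arguments for ROP action");
            words.push_back(arguments[item.value]);
        } else {
            throw std::runtime_error("unexpected RopAction item type");
        }
    }
    return words;
}

// Serialize words to a contiguous little-endian byte array (assumed order),
// the form GetData() hands back for writing to memory or a file.
std::vector<uint8_t> WordsToBytes(const std::vector<uint64_t>& words) {
    std::vector<uint8_t> bytes;
    bytes.reserve(words.size() * 8);
    for (uint64_t w : words)
        for (int i = 0; i < 8; ++i)
            bytes.push_back(static_cast<uint8_t>(w >> (8 * i)));
    return bytes;
}
```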

std::vector<uint64_t> GetDataWords() const

Retrieves the entire ROP chain as a vector of 64-bit words.

This method collects all individual 64-bit values from the sequence of RopActions into a single flat vector.

Returns:

A std::vector<uint64_t> representing the ROP chain as 64-bit words.

uint64_t GetByteSize() const

Calculates the total size of the ROP chain in bytes.

Returns:

The total size of the ROP chain in bytes.

std::vector<RopAction> GetActions() const

Retrieves the list of individual RopAction objects that compose this chain.

Returns:

A std::vector<RopAction> containing all added ROP actions.

Public Members

uint64_t kaslr_base_

The KASLR base address used for symbol offsetting.

std::vector<RopAction> actions_

Stores the ordered sequence of ROP actions.