There is a newer version of the record available.

Published May 27, 2021 | Version 0.9.0
Dataset Open

Evaluation of the Executional Power in Windows using Return Oriented Programming

  • 1. University of Zaragoza

Description

This dataset contains the dynamic shared libraries of Windows 7 and Windows 10, in both 32-bit and 64-bit architectures, used for the experimentation in the paper published at WOOT'21 (Evaluation of the Executional Power in Windows using Return Oriented Programming). The camera-ready version of the paper can be found here.

To use this dataset, you will need the rop3 tool. See the details below.

Detailed Description

This dataset corresponds to a subset of 24 DLLs of the following Windows versions:

  • 32-bit:
    • Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601
    • Windows 10 Education 10.0.14393 Build 14393
  • 64-bit:
    • Windows 7 Professional 6.1.7601 Service Pack Build 7601
    • Windows 10 Pro 1703 Build 15063.726

Because Windows ships with hundreds of DLLs, and the set differs across Windows flavors, we considered only the subset of system DLLs contained in KnownDlls that are common to all the Windows versions used in the experimentation. Additionally, we considered other DLLs such as msvcrt.dll, psapi.dll, ws2_32.dll, and ntdll.dll, although they were not included in the KnownDlls object in all Windows OSes.

We then use the rop3 tool to evaluate the executional power of an adversary using Return-Oriented Programming (ROP) attacks in Windows 7 and Windows 10, in both 32- and 64-bit versions.

Reproducibility

Along with all DLLs, we provide a run-experiments.py script to reproduce the experiments carried out in the paper Evaluation of the Executional Power in Windows using Return Oriented Programming, to appear in the 15th Workshop On Offensive Technologies (WOOT '21). Note that the paper's experiments were carried out with rop3 version v0.9.0.

Once you have installed the rop3 dependencies (see the project's README), provide both the rop3 project folder (as retrieved from the official repository) and this DLL dataset as arguments to the following command:

$ python3 run-experiments.py /path/to/rop3/ /path/to/dlls/
[*] Analyzing win7sp1x86…
	[*] win7sp1x86: rpcrt4.dll (655360): add: 413
	[*] win7sp1x86: rpcrt4.dll (655360): sub: 47
	[*] win7sp1x86: rpcrt4.dll (655360): neg: 1600
	[*] win7sp1x86: rpcrt4.dll (655360): neg: 12789 (with intermediate mov)
	[*] win7sp1x86: rpcrt4.dll (655360): mov: 762
	[*] win7sp1x86: rpcrt4.dll (655360): lc: 691
	[*] win7sp1x86: rpcrt4.dll (655360): ld: 237
	[*] win7sp1x86: rpcrt4.dll (655360): st: 435
	[*] win7sp1x86: rpcrt4.dll (655360): xor: 228
	[*] win7sp1x86: rpcrt4.dll (655360): and: 118
[..redacted...]

Each result line consists of the following fields, separated by colons:

  1. Windows OS version.
  2. DLL analyzed with DLL size (in bytes).
  3. ROPLang operation.
  4. Number of gadgets found for the operation.
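
The following parser for these result lines is an added example, not part of the dataset or of rop3. It shows how to collect the counts per DLL while keeping the two `neg` rows apart; the function names `parse` and `summarize` are hypothetical, and the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the run-experiments.py excerpt above.
SAMPLE = """\
[*] Analyzing win7sp1x86…
\t[*] win7sp1x86: rpcrt4.dll (655360): add: 413
\t[*] win7sp1x86: rpcrt4.dll (655360): sub: 47
\t[*] win7sp1x86: rpcrt4.dll (655360): neg: 1600
\t[*] win7sp1x86: rpcrt4.dll (655360): neg: 12789 (with intermediate mov)
\t[*] win7sp1x86: rpcrt4.dll (655360): mov: 762
[..redacted...]
"""

# Fields: OS version, DLL name with size in bytes, ROPLang operation,
# gadget count, and an optional trailing note in parentheses.
LINE = re.compile(
    r"^\s*\[\*\]\s+(?P<os>[^:\s]+):\s+(?P<dll>\S+)\s+\((?P<size>\d+)\):\s+"
    r"(?P<op>\w+):\s+(?P<count>\d+)(?:\s+\((?P<note>[^)]*)\))?\s*$"
)

def parse(text):
    """Yield one dict per result line; header and elided lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"], rec["count"] = int(rec["size"]), int(rec["count"])
            yield rec

def summarize(records):
    """Map (os, dll) -> {operation label: gadget count}.

    An operation can be reported twice (plain, and with a note such as
    "with intermediate mov"), so the note is kept in the label instead of
    letting the second line overwrite the first.
    """
    table = defaultdict(dict)
    for r in records:
        label = r["op"] if r["note"] is None else f'{r["op"]} ({r["note"]})'
        table[(r["os"], r["dll"])][label] = r["count"]
    return dict(table)

if __name__ == "__main__":
    for key, ops in summarize(parse(SAMPLE)).items():
        print(key, ops)
```
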

Licence

All the scripts provided by this dataset are licensed under Creative Commons Attribution 4.0 International. The rop3 tool is licensed separately under GNU GPLv3; visit the main GitHub repository for further details.
