A simple and minimalistic way to spoof return addresses using an exception handler
Pros:
- Very easy to implement
- Very easy to use
- Can easily be used with other exceptions/gadgets
Cons:
- Slight but measurable performance cost when used in loops or frequently called hooks: every spoofed return raises an exception, so each call pays for the fault and the exception dispatch
- Relies on the callee preserving the nonvolatile GPRs of the x64 calling convention (RBX, RBP, RDI, RSI, R12-R15)
  - The handler resumes at the real return address with the register state captured at the exception, so it expects those registers to still hold the values they had at the call; in very rare cases (code that does not follow the convention) they might not
  - See the MSDN documentation on the x64 calling convention for the list of caller-saved (volatile) and callee-saved (nonvolatile) registers
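How the pieces fit together, as an added example that is not part of this project's code: the trampoline swaps the caller's return address for the address of a gadget that faults when executed (here a lone `ud2`), the callee eventually returns into that gadget, and the exception handler recognises the fault address and rewrites the instruction pointer to the real return address. To keep it runnable outside Windows the example is written for Linux x86-64, with `sigaction`/`SIGILL` and `ucontext` standing in for a vectored exception handler and `CONTEXT.Rip`; the names `spoof_call`, `fault_gadget`, `g_real_return`, `run_spoofed_call` and `callee_saw_gadget` are this example's own. It forwards a single argument and uses a plain global instead of thread-local storage.

```c
/* Added example: return-address spoofing via a faulting gadget + handler.
 * Linux x86-64 / System V port of the mechanism (sigaction + SIGILL +
 * ucontext). On Windows the same steps map to AddVectoredExceptionHandler,
 * EXCEPTION_ILLEGAL_INSTRUCTION and CONTEXT.Rip.
 * Build: gcc -O2 spoof.c -o spoof   (GCC or clang, x86-64 only)
 */
#define _GNU_SOURCE            /* exposes REG_RIP in <sys/ucontext.h> */
#include <inttypes.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#ifndef REG_RIP
#define REG_RIP 16             /* glibc x86-64 index of RIP in gregs[] */
#endif

/* Real return address, stashed by spoof_call before the target runs.
 * A single global for brevity; real code would use thread-local storage. */
__attribute__((visibility("hidden"))) volatile uint64_t g_real_return;

/* What the target observed as its own return address (for the demo check). */
static volatile uint64_t g_seen_return;

extern uint64_t spoof_call(void *target, uint64_t arg); /* asm below */
extern void fault_gadget(void);                         /* a lone ud2 */

__asm__(
    ".text\n"
    ".globl spoof_call\n"
    ".type spoof_call, @function\n"
    "spoof_call:\n"
    "    popq  %rax\n"                      /* caller's real return address */
    "    movq  %rax, g_real_return(%rip)\n" /* stash it for the handler */
    "    leaq  fault_gadget(%rip), %rax\n"
    "    pushq %rax\n"                      /* fake return address */
    "    movq  %rdi, %rax\n"                /* target */
    "    movq  %rsi, %rdi\n"                /* forward the single argument */
    "    jmp   *%rax\n"                     /* target will 'ret' into the gadget */
    ".globl fault_gadget\n"
    ".type fault_gadget, @function\n"
    "fault_gadget:\n"
    "    ud2\n"
);

/* Handler: if the fault is at our gadget, point RIP at the real return
 * address. RSP is already right (the callee's ret consumed the fake address)
 * and RAX still holds the return value. Nothing else is restored, so this
 * depends on the callee having preserved the callee-saved registers
 * (rbx, rbp, r12-r15 on SysV; rbx, rbp, rsi, rdi, r12-r15 on Win64). */
static void on_sigill(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info;
    ucontext_t *uc = (ucontext_t *)ctx;
    if (uc->uc_mcontext.gregs[REG_RIP] != (greg_t)(uintptr_t)fault_gadget) {
        signal(SIGILL, SIG_DFL);           /* not ours: re-execute and die */
        return;
    }
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)g_real_return;
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigill;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGILL, &sa, NULL);
}

/* The callee. It records what it sees as its return address so the demo can
 * show that the spoof worked. */
static uint64_t target(uint64_t x)
{
    g_seen_return = (uint64_t)(uintptr_t)__builtin_return_address(0);
    return x * 2 + 1;
}

/* Calls target(x) through the spoofing trampoline; returns target's result. */
uint64_t run_spoofed_call(uint64_t x)
{
    if (install_handler() != 0)
        return 0;
    return spoof_call((void *)target, x);
}

/* 1 if the callee saw the gadget, not this file, as its return address. */
int callee_saw_gadget(void)
{
    return g_seen_return == (uint64_t)(uintptr_t)fault_gadget;
}

int main(void)
{
    uint64_t r = run_spoofed_call(20);
    printf("spoofed call returned %" PRIu64 "\n", r);
    printf("callee saw return address %#" PRIx64 ", gadget is at %p\n",
           (uint64_t)g_seen_return, (void *)fault_gadget);
    return callee_saw_gadget() ? 0 : 1;
}
```

Note what the handler does not do: it rewrites only RIP. RSP is correct because the callee's `ret` consumed the fake address, RAX still carries the return value, and the callee-saved registers are trusted to hold the values they had at the call, which is exactly the dependency listed under the cons above. On Windows, substitute the Win64 nonvolatile set and pick a gadget inside a legitimate module rather than in your own image. With a hardware shadow stack enabled (Intel CET), the mismatched `ret` itself faults, so this trick breaks there.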