A set of tools based on radare2 for analysis of ROP gadgets and payloads.
Python 2.7
radare2 + r2pipe python bindings
Implicit gadgets are for example function epilogues + their vicinity and are formed only by instructions also present in a healthy running program. Explicit gadgets are formed by transfering control amidst another instructions in such a way to form a valid gadgets.
gadget-stats [--gadget-file file] file - Analyzes the provided binary and searches its executable sections for ROP gadgets, then computes statistics about the gadgets and the ratio of implicit/explicit ones. If the optional argument --gadget-file is supplied then that file is used as source of gadgets, the expected format is that of ROPgadget's output.
First example counts the statistics of the libc.
c0da206026cffea80b6effe2be03a68e573eb1b090a72dfdeaa4f6a958a929e9 /lib64/libc-2.18.so
./gadget-stats /lib64/libc-2.18.so 2>/dev/null
[-] Opening file: "/lib64/libc-2.18.so"
✓ Analyzing ...
➙ ----------------------------------------------------------------------
➙ Entrypoint: 0x3c1e621e70
➙ Gadgets: 21749
➙ ----------------------------------------------------------------------
➙ Implicit: 11608
➙ Explicit: 3903
➙ Total: 15511
» Ratio: 2.97:1In second example the binary is first sifted through with ROPgadget piping the output to the file libc-gadgets. Using the --gadget-file switch we then inspect the gadgets in the file.
python ROPgadget.py --binary /lib64/libc-2.18.so > libc-gadgets
./gadget-stats --gadget-file libc-gadgets /lib64/libc-2.18.so 2>/dev/null