Computer Science ›› 2011, Vol. 38 ›› Issue (Z10): 44-49.


Construction Method of Rootkit Based on JOP

LI Zheng-yu, MAO Bing, XIE Li

  • Online: 2018-11-16 Published: 2018-11-16

Abstract: ROP is a new programming method that leverages the existing code of a system to construct malicious code; a rootkit constructed with ROP can evade detection by most existing kernel integrity protection mechanisms. Because the instruction gadgets ending in jmp have a certain regularity, there are now many protection methods that can detect it. Compared with ROP, the JOP-based rootkit construction method has no such regularity, so existing ROP detection methods cannot detect it. Moreover, compared with ROP, this new method is not restricted by the size of the kernel stack, and the memory layout of data is more flexible during construction.

Key words: ROP, JOP, Instruction gadget
