Using a ROP chain to bypass operating system defenses is commonplace and detecting this technique while executing is still difficult. This talk will discuss a method built on Intel’s dynamic binary instrumentation tool, Pin, to dynamically detect ROP attacks against the Microsoft Windows operating system. The method is designed to detect ROP attacks that use the return instruction and the indirect call instruction. We will discuss how we determine if a return or indirect call is jumping to a valid location. Then we will show examples of the method working, discuss its effectiveness, and its limitations. After the talk, the source code for the pintool will be released.