I’ve had to search for instructions using WinDbg when doing a stack pivot. The following example searches memory for jmp edx (bytes ff e2), starting at address 0 and covering a range of 0x7EEEEEEE bytes:
s 0 L?7EEEEEEE ff e2
Once the search returns a list of candidate addresses for your pivot, verify that the bytes decode to the instruction you expect by disassembling at that address:
0:000> u 7706da75
7706da75 ffe2 jmp edx
7706da77 48 dec eax
7706da78 8b05ca160300 mov eax,dword ptr ds:[316CAh]
7706da7e 48 dec eax
7706da7f 85c0 test eax,eax
7706da81 7419 je 7706da9c
7706da83 807c246000 cmp byte ptr [esp+60h],0
7706da88 7412 je 7706da9c
Once you have found an address to use for your stack pivot, double-check the memory protections at that address using !vprot:
0:000> !vprot 7706da75
BaseAddress: 7706d000
AllocationBase: 77050000
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 00018000
State: 00001000 MEM_COMMIT
Protect: 00000020 PAGE_EXECUTE_READ
Type: 01000000 MEM_IMAGE
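The !vprot listing above reports two protection values: AllocationProtect is what the region was mapped with, and Protect is what applies now. The following Python sketch is an added example, not part of the original post. It decodes pasted !vprot output, confirms the address falls inside the reported region, and flags regions that are currently both writable and executable. The function names are hypothetical; the constants are the standard Windows values.

```python
import re
# Windows page-protection constants (winnt.h): value -> (name, executable, writable).
BASE_PROTECT = {
    0x01: ("PAGE_NOACCESS", False, False),
    0x02: ("PAGE_READONLY", False, False),
    0x04: ("PAGE_READWRITE", False, True),
    0x08: ("PAGE_WRITECOPY", False, True),   # writes succeed on a private copy
    0x10: ("PAGE_EXECUTE", True, False),
    0x20: ("PAGE_EXECUTE_READ", True, False),
    0x40: ("PAGE_EXECUTE_READWRITE", True, True),
    0x80: ("PAGE_EXECUTE_WRITECOPY", True, True),
}
MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# The !vprot output shown above, copied from the page.
SAMPLE = """\
BaseAddress: 7706d000
AllocationBase: 77050000
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 00018000
State: 00001000 MEM_COMMIT
Protect: 00000020 PAGE_EXECUTE_READ
Type: 01000000 MEM_IMAGE
"""

def parse_vprot(text):
    """Map each 'Field: hexvalue [SYMBOL]' line to {field: int}."""
    pairs = re.findall(r"^\s*(\w+):\s+([0-9a-fA-F`]+)", text, re.M)
    return {k: int(v.replace("`", ""), 16) for k, v in pairs}

def decode_protect(value):
    """Split a protection DWORD into base name, modifiers, X and W."""
    name, can_exec, can_write = BASE_PROTECT.get(value & 0xFF, ("UNKNOWN", False, False))
    mods = [n for bit, n in MODIFIERS.items() if value & bit]
    return {"name": name, "modifiers": mods, "executable": can_exec, "writable": can_write}

def describe_region(text, address):
    """Summarise the region and check that `address` lies inside it."""
    f = parse_vprot(text)
    current = decode_protect(f["Protect"])
    return {
        "contains": f["BaseAddress"] <= address < f["BaseAddress"] + f["RegionSize"],
        "committed": f["State"] == 0x1000,  # MEM_COMMIT
        "current": current,
        "initial": decode_protect(f["AllocationProtect"]),
        "w_and_x": current["executable"] and current["writable"],
    }

print(describe_region(SAMPLE, 0x7706DA75))
```

For the listing on this page, the region is executable but not writable under its current protection, even though the allocation protection is PAGE_EXECUTE_WRITECOPY.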