
How can "strange" ROP gadgets be found in a normal DLL? Compilers would never do this. (Return-oriented programming)


The gadget:

pushad
ret

from a certain DLL makes no sense to me in a legit program.

Assuming the DLL is legit, how is it possible for the gadget to be found by automatic search? An example of a function that uses it may be helpful.


Solution

  • The instruction encoding is:

    60  pushad
    c3  ret
    

    So wherever these two bytes occur, a pushad; ret gadget obtains. For example, this instruction could reasonably exist in SSE code:

    66 0f 60 c3  punpcklbw xmm0, xmm3
    

    See the 60 c3 gadget in it? Alternatively, the gadget could obtain from some immediate. For example, suppose there is some variable at 0x4800c360 and we try to load its address:

    b8 60 c3 00 48  mov eax, 0x4800c360
    

    See the gadget again?

    There are tons of other ways this gadget could appear in perfectly normal code.
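To make the "automatic search" concrete, here is a small byte-level gadget scanner, added as an example and not part of the original answer. It scans a constructed code buffer containing the two instructions from the answer (the byte layout and instruction boundaries are assumed for illustration, not taken from any real DLL), reports every offset where `60 c3` occurs, and checks each hit against the instruction boundaries the compiler actually emitted, which shows that both hits start in the middle of a legitimate instruction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Encoding of "pushad; ret": 0x60 0xC3. A gadget finder matches bytes,
 * not instructions, so it also reports matches that begin inside a
 * longer instruction the compiler really emitted. */
static const uint8_t PUSHAD_RET[] = { 0x60, 0xC3 };

/* Scan buf for pat at every byte offset, with no alignment to
 * instruction boundaries. Offsets go to out (at most max of them);
 * the return value is the total number of hits. */
size_t find_gadget(const uint8_t *buf, size_t len,
                   const uint8_t *pat, size_t patlen,
                   size_t *out, size_t max)
{
    size_t hits = 0;
    if (patlen == 0 || len < patlen)
        return 0;
    for (size_t i = 0; i + patlen <= len; i++) {
        size_t j = 0;
        while (j < patlen && buf[i + j] == pat[j])
            j++;
        if (j == patlen) {
            if (hits < max)
                out[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample "code section" (assumed layout, not real DLL bytes):
 *   0: 66 0f 60 c3        punpcklbw xmm0, xmm3
 *   4: 90 90              nop; nop
 *   6: b8 60 c3 00 48     mov eax, 0x4800c360
 *  11: b8 78 56 34 12     mov eax, 0x12345678   (no 60 c3 inside)
 */
static const uint8_t SAMPLE_CODE[] = {
    0x66, 0x0F, 0x60, 0xC3,
    0x90, 0x90,
    0xB8, 0x60, 0xC3, 0x00, 0x48,
    0xB8, 0x78, 0x56, 0x34, 0x12,
};

/* Offsets at which the compiler's own instructions begin (assumed). */
static const size_t SAMPLE_INSN_STARTS[] = { 0, 4, 6, 11 };

/* Scan SAMPLE_CODE for pushad; ret. */
size_t scan_sample(size_t *out, size_t max)
{
    return find_gadget(SAMPLE_CODE, sizeof SAMPLE_CODE,
                       PUSHAD_RET, sizeof PUSHAD_RET, out, max);
}

/* Offset of the idx-th hit in SAMPLE_CODE, or (size_t)-1 if none. */
size_t sample_hit(size_t idx)
{
    size_t offs[8];
    size_t n = scan_sample(offs, 8);
    return (idx < n && idx < 8) ? offs[idx] : (size_t)-1;
}

/* 1 if off is not an instruction start in the assumed layout, else 0. */
int hit_is_unaligned(size_t off)
{
    size_t n = sizeof SAMPLE_INSN_STARTS / sizeof SAMPLE_INSN_STARTS[0];
    for (size_t i = 0; i < n; i++)
        if (SAMPLE_INSN_STARTS[i] == off)
            return 0;
    return 1;
}

int main(void)
{
    size_t offs[8];
    size_t n = scan_sample(offs, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("pushad; ret at offset %zu (%s)\n", offs[i],
               hit_is_unaligned(offs[i]) ? "inside another instruction"
                                          : "instruction-aligned");
    return 0;
}
```

Running it reports hits at offsets 2 and 7: the first is the `60 c3` tail of `punpcklbw xmm0, xmm3`, the second sits inside the immediate of `mov eax, 0x4800c360`. Neither offset is an instruction start, which is exactly why a linear disassembly of the function would never show a `pushad` while a byte-oriented search finds the gadget immediately.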