rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/encoders/x64/xor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# x64 XOR encoder module. Per the 'Decoder' options passed to the parent
# class, it works on 8-byte blocks with an 8-byte key packed as 'Q'.
class MetasploitModule < Msf::Encoder::Xor

  # Registers the module metadata and decoder parameters with the parent
  # encoder class.
  def initialize
    super(
      'Name' => 'XOR Encoder',
      'Description' => 'An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.',
      'Author' => ['sf'],
      'Arch' => ARCH_X64,
      'License' => MSF_LICENSE,
      'Decoder' => {
        'KeySize' => 8,
        'KeyPack' => 'Q',
        'BlockSize' => 8
      }
    )
  end

  # Reports that this encoder can preserve registers.
  #
  # NOTE: this is a stop-gap and does not reflect what the stub does. Full
  # preserve_registers support is not implemented, and the stub built by
  # #decoder_stub writes to rcx, rax and rbx. Callers must not rely on those
  # registers surviving the decoder.
  #
  # @return [Boolean] always true
  def can_preserve_registers?
    true
  end

  # Builds the decoder stub that is placed in front of the encoded buffer.
  #
  # Apart from the 4-byte block count and the 8-byte key placeholder, every
  # byte of the stub is a fixed constant.
  #
  # @param state the encoder state; this method reads state.buf and
  #   state.decoder_key_size and writes state.decoder_key_offset
  # @return [String] the stub, with 'XXXXXXXX' standing in for the key
  def decoder_stub(state)
    # Number of key-sized blocks needed to cover the buffer, rounded up.
    blocks = ((state.buf.length - 1) / state.decoder_key_size) + 1

    # The count is stored negated as a 32-bit little-endian immediate, so the
    # `sub` below leaves the positive count in rcx.
    # TODO: these four bytes are not checked against state.badchars here.
    neg_count = [-blocks].pack('V')

    stub = "\x48\x31\xC9" +                 # xor rcx, rcx
           "\x48\x81\xE9" + neg_count +     # sub rcx, imm32 (REX.W form; imm32 is the negated count)
           "\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]  (rip - 0x11 = first byte of the stub)
           "\x48\xBBXXXXXXXX" +             # mov rbx, 0x????????????????  (key placeholder)
           "\x48\x31\x58\x27" +             # xor [rax+0x27], rbx  (0x27 = stub length, i.e. first encoded block)
           "\x48\x2D\xF8\xFF\xFF\xFF" +     # sub rax, -8  (advance to the next block)
           "\xE2\xF4"                       # loop 0x1B  (back to the xor while rcx != 0)

    # Record where the placeholder sits; presumably the framework writes the
    # real key at this offset (that code is not in this file).
    state.decoder_key_offset = stub.index('XXXXXXXX')

    stub
  end
end