1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder::Xor
7

8
  def initialize
9
    super(
10
      'Name' => 'XOR Encoder',
11
      'Description' => 'An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.',
12
      'Author' => [ 'sf' ],
13
      'Arch' => ARCH_X64,
14
      'License' => MSF_LICENSE,
15
      'Decoder' => {
16
        'KeySize' => 8,
17
        'KeyPack' => 'Q',
18
        'BlockSize' => 8
19
      }
20
      )
21
  end
22

23
  # Indicate that this module can preserve some registers
24
  # ...which is currently not true. This is a temp fix
25
  # until the full preserve_registers functionality is
26
  # implemented.
27
  def can_preserve_registers?
28
    true
29
  end
30

31
  def decoder_stub(state)
32
    # calculate the (negative) block count . We should check this against state.badchars.
33
    block_count = [-(((state.buf.length - 1) / state.decoder_key_size) + 1)].pack('V')
34

35
    decoder = "\x48\x31\xC9" + # xor rcx, rcx
36
              "\x48\x81\xE9" + block_count +   # sub ecx, block_count
37
              "\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]
38
              "\x48\xBBXXXXXXXX" +             # mov rbx, 0x????????????????
39
              "\x48\x31\x58\x27" +             # xor [rax+0x27], rbx
40
              "\x48\x2D\xF8\xFF\xFF\xFF" +     # sub rax, -8
41
              "\xE2\xF4"                       # loop 0x1B
42

43
    state.decoder_key_offset = decoder.index('XXXXXXXX')
44

45
    return decoder
46
  end
47
end
48

49