Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/encoders/x86/call4_dword_xor.rb
Views: 11779
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder::Xor67def initialize8super(9'Name' => 'Call+4 Dword XOR Encoder',10'Description' => 'Call+4 Dword XOR Encoder',11'Author' => [ 'hdm', 'spoonm' ],12'Arch' => ARCH_X86,13'License' => MSF_LICENSE,14'Decoder' =>15{16'KeySize' => 4,17'BlockSize' => 4,18})19end2021#22# Returns the decoder stub that is adjusted for the size of23# the buffer being encoded24#25def decoder_stub(state)2627# Sanity check that saved_registers doesn't overlap with modified_registers28if (modified_registers & saved_registers).length > 029raise BadGenerateError30end3132decoder =33Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,34state.badchars) +35"\xe8\xff\xff\xff" + # call $+436"\xff\xc0" + # inc eax37"\x5e" + # pop esi38"\x81\x76\x0eXORK" + # xor [esi + 0xe], xork39"\x83\xee\xfc" + # sub esi, -440"\xe2\xf4" # loop xor4142# Calculate the offset to the XOR key43state.decoder_key_offset = decoder.index('XORK')4445return decoder46end4748# Indicate that this module can preserve some registers49def can_preserve_registers?50true51end5253# A list of registers always touched by this encoder54def modified_registers55[ Rex::Arch::X86::ECX, Rex::Arch::X86::EAX, Rex::Arch::X86::ESI ]56end5758# Convert the SaveRegisters to an array of x86 register constants59def saved_registers60Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])61end62end636465