Path: blob/master/modules/encoders/x86/call4_dword_xor.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder::Xor67def initialize8super(9'Name' => 'Call+4 Dword XOR Encoder',10'Description' => 'Call+4 Dword XOR Encoder',11'Author' => [ 'hdm', 'spoonm' ],12'Arch' => ARCH_X86,13'License' => MSF_LICENSE,14'Decoder' => {15'KeySize' => 4,16'BlockSize' => 417})18end1920#21# Returns the decoder stub that is adjusted for the size of22# the buffer being encoded23#24def decoder_stub(state)25# Sanity check that saved_registers doesn't overlap with modified_registers26if !(modified_registers & saved_registers).empty?27raise BadGenerateError28end2930decoder =31Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,32state.badchars) +33"\xe8\xff\xff\xff" + # call $+434"\xff\xc0" + # inc eax35"\x5e" + # pop esi36"\x81\x76\x0eXORK" + # xor [esi + 0xe], xork37"\x83\xee\xfc" + # sub esi, -438"\xe2\xf4" # loop xor3940# Calculate the offset to the XOR key41state.decoder_key_offset = decoder.index('XORK')4243return decoder44end4546# Indicate that this module can preserve some registers47def can_preserve_registers?48true49end5051# A list of registers always touched by this encoder52def modified_registers53[ Rex::Arch::X86::ECX, Rex::Arch::X86::EAX, Rex::Arch::X86::ESI ]54end5556# Convert the SaveRegisters to an array of x86 register constants57def saved_registers58Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])59end60end616263