metasploit-framework/modules/encoders/x86/call4_dword_xor.rb

48 lines
1.2 KiB
Ruby

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Encoder::Xor
def initialize
super(
'Name' => 'Call+4 Dword XOR Encoder',
'Description' => 'Call+4 Dword XOR Encoder',
'Author' => [ 'hdm', 'spoonm' ],
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
'Decoder' =>
{
'KeySize' => 4,
'BlockSize' => 4,
})
end
#
# Returns the decoder stub that is adjusted for the size of
# the buffer being encoded
#
def decoder_stub(state)
decoder =
Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,
state.badchars) +
"\xe8\xff\xff\xff" + # call $+4
"\xff\xc0" + # inc eax
"\x5e" + # pop esi
"\x81\x76\x0eXORK" + # xor [esi + 0xe], xork
"\x83\xee\xfc" + # sub esi, -4
"\xe2\xf4" # loop xor
# Calculate the offset to the XOR key
state.decoder_key_offset = decoder.index('XORK')
return decoder
end
end