Class: Rex::MachScan::Scanner::PopPopRetScanner
- Inherits:
-
JmpRegScanner
- Object
- Generic
- JmpRegScanner
- Rex::MachScan::Scanner::PopPopRetScanner
- Defined in:
- lib/rex/machscan/scanner.rb
Instance Attribute Summary
Attributes inherited from Generic
Instance Method Summary
Methods inherited from JmpRegScanner
#_build_byte_list, #_parse_ret, #_ret_size
Methods inherited from Generic
Constructor Details
This class inherits a constructor from Rex::MachScan::Scanner::Generic
Instance Method Details
#config(param) ⇒ Object
# File 'lib/rex/machscan/scanner.rb', line 146
# Builds the byte pattern that #scan_segment searches for and stores it in +regex+.
#
# The pattern is two consecutive single-byte "pop r32" opcodes (0x58 plus the
# register number) followed by either a plain ret (0xc3) or a "ret imm16"
# (0xc2 plus two immediate bytes). Register number 4 (esp) is excluded from
# the byte list, and the regex is compiled with the 'n' (binary) encoding so
# the non-ASCII opcode bytes are matched literally.
#
# @param param [Object] unused; accepted for interface parity with the other scanners
# @return [Regexp] the compiled pattern (also assigned to +regex+)
def config(param)
  pop_regs = (0..7).reject { |reg| reg == 4 } # no "pop esp"
  pop_bytes = _build_byte_list(0x58, pop_regs)
  self.regex = Regexp.new("[#{pop_bytes}][#{pop_bytes}](\xc3|\xc2..)", nil, 'n')
end
#scan_segment(segment, param = {}) ⇒ Object
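# File 'lib/rex/machscan/scanner.rb', line 151
# Scans one Mach-O segment for the "pop r32; pop r32; ret" byte sequence
# described by +regex+ (see #config).
#
# Each match inside the segment's file range is decoded into a mnemonic
# string and paired with its virtual address, computed as the segment's
# +vmaddr+ plus the match's offset from the segment's +fileoff+.
#
# Note: the original loop accepted a match returned by +mach.index+ before
# checking that it still lay inside the segment, so a hit past the segment
# end was reported with an address derived from this segment's +vmaddr+.
# The search now stops at the segment boundary.
#
# @param segment [Object] segment descriptor responding to +vmaddr+, +fileoff+
#   and +filesize+
# @param param [Hash] unused; kept for interface compatibility
# @return [Array<Array(Integer, String)>] +[vaddr, mnemonic]+ pairs in file order
def scan_segment(segment, param={})
  base_addr = segment.vmaddr
  segment_offset = segment.fileoff
  segment_end = segment_offset + segment.filesize
  offset = segment_offset
  hits = []

  while offset < segment_end && (offset = mach.index(regex, offset)) != nil
    # mach.index is presumably not bounded by the segment (it is given only a
    # start offset), so the match it returns may lie beyond segment_end.
    # Matches are returned in increasing offset order, so the first one past
    # the boundary ends the scan.
    break if offset >= segment_end

    vaddr = base_addr + (offset - segment_offset)

    # The low three bits of each 0x58+r opcode byte hold the register number.
    pops = mach.read(offset, 2)
    reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack("C*")[0] & 0x7)
    reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack("C*")[0] & 0x7)
    message = "pop #{reg1}; pop #{reg2}; "

    # The trailing ret may carry an imm16 (0xc2 form), so its length varies.
    retsize = _ret_size(offset + 2)
    message << _parse_ret(mach.read(offset + 2, retsize))

    offset += 2 + retsize
    hits << [vaddr, message]
  end

  hits
end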