Class: Rex::MachScan::Scanner::PopPopRetScanner

Inherits:
JmpRegScanner
Defined in:
lib/rex/machscan/scanner.rb

Instance Attribute Summary

Attributes inherited from Generic

#fat, #mach, #regex

Instance Method Summary

Methods inherited from JmpRegScanner

#_build_byte_list, #_parse_ret, #_ret_size

Methods inherited from Generic

#initialize, #scan

Constructor Details

This class inherits a constructor from Rex::MachScan::Scanner::Generic

Instance Method Details

#config(param) ⇒ Object



# File 'lib/rex/machscan/scanner.rb', line 147

# Builds the pop/pop/ret matcher that #scan_segment searches with.
#
# The character class covers the one-byte +pop r32+ opcodes produced by
# _build_byte_list from base 0x58 (presumably 0x58 + register index), minus
# register index 4, i.e. +pop esp+; it is followed by either a bare +ret+
# (0xc3) or a +ret imm16+ (0xc2 plus two immediate bytes).
#
# NOTE(review): the "\xc3"/"\xc2" escapes combined with the 'n' flag presume
# a binary-encoded source file — confirm the file's encoding comment.
#
# @param param [Object] unused here; presumably accepted for parity with Generic#scan
# @return [Regexp] the pattern assigned to #regex
def config(param)
	pop_regs = Array(0..7) - [4] # register index 4 is esp
	pops = _build_byte_list(0x58, pop_regs)
	pattern = "[#{pops}][#{pops}](\xc3|\xc2..)"
	self.regex = Regexp.new(pattern, nil, 'n')
end

#scan_segment(segment, param = {}) ⇒ Object



# File 'lib/rex/machscan/scanner.rb', line 152

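# Scans one Mach-O segment for pop/pop/ret sequences matching #regex.
#
# Walks the file bytes of +segment+ with +mach.index+ and, for every match,
# records the virtual address of the first +pop+ together with a readable
# rendering of the three instructions.
#
# Fix: +mach.index+ is called with only a start offset, so a match may land
# past the end of this segment (or straddle it); such matches were previously
# reported under this segment's base address. Those are now rejected.
#
# @param segment [Object] a segment responding to #vmaddr, #fileoff and #filesize
# @param param [Hash] unused here; presumably kept for parity with Generic#scan
# @return [Array<Array(Integer, String)>] +[vaddr, message]+ pairs in file order
def scan_segment(segment, param={})
	base_addr = segment.vmaddr
	segment_offset = segment.fileoff
	segment_end = segment_offset + segment.filesize
	offset = segment_offset

	hits = []

	while offset < segment_end && (offset = mach.index(regex, offset))
		# both pop opcodes must lie inside the segment before they are read;
		# any later match would start even further out, so stop here
		break if offset + 2 > segment_end

		vaddr = base_addr + (offset - segment_offset)

		pops = mach.read(offset, 2)
		# low 3 bits of a one-byte pop opcode select the register (see #config)
		reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack("C*")[0] & 0x7)
		reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack("C*")[0] & 0x7)

		# byte length of the ret form at offset+2 (bare ret vs ret imm16), per _ret_size
		retsize = _ret_size(offset+2)
		# the ret and its optional immediate must also fit in the segment
		break if offset + 2 + retsize > segment_end

		message = "pop #{reg1}; pop #{reg2}; " + _parse_ret(mach.read(offset+2, retsize))

		offset += 2 + retsize

		hits << [ vaddr, message ]
	end

	hits
end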