Class: Rex::ElfScan::Scanner::PopPopRetScanner

Inherits:
JmpRegScanner
Defined in:
lib/rex/elfscan/scanner.rb

Instance Attribute Summary

Attributes inherited from Generic

#elf, #regex

Instance Method Summary

Methods inherited from JmpRegScanner

#_build_byte_list, #_parse_ret, #_ret_size

Methods inherited from Generic

#initialize, #scan

Constructor Details

This class inherits a constructor from Rex::ElfScan::Scanner::Generic

Instance Method Details

#config(param) ⇒ Object



# File 'lib/rex/elfscan/scanner.rb', line 157

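# Builds the byte pattern this scanner searches for and stores it in +regex+.
#
# The pattern is two consecutive single-byte +pop r32+ opcodes followed by
# either a plain +ret+ (0xc3) or a +ret imm16+ (0xc2 plus two immediate
# bytes). The list of acceptable pop opcodes comes from
# JmpRegScanner#_build_byte_list with base 0x58 and registers 0..7 minus 4,
# so +pop esp+ is never matched.
#
# @param param [Object] unused; accepted for interface parity with the other
#   scanners' +config+
# @return [Regexp] the compiled pattern (also assigned to +self.regex+)
def config(param)
  pops = _build_byte_list(0x58, (0..7).to_a - [4]) # skip register 4 (esp): no "pop esp"
  # The pattern holds raw non-ASCII bytes, so give it a binary (ASCII-8BIT)
  # encoding explicitly with String#b; the former third argument ('n') to
  # Regexp.new requested the same thing but is deprecated on recent Rubies.
  # MULTILINE lets '.' match 0x0a as well, so a +ret imm16+ whose immediate
  # happens to contain a newline byte is not silently missed.
  self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)".b, Regexp::MULTILINE)
end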

#scan_segment(program_header, param = {}) ⇒ Object



# File 'lib/rex/elfscan/scanner.rb', line 162

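# Scans one ELF program segment for +pop r32; pop r32; ret+ sequences.
#
# Walks the segment's file-backed bytes with the pattern built by #config and
# records every match as an +[rva, text]+ pair, where +text+ is a short
# disassembly such as +"pop ebx; pop ebp; "+ followed by whatever
# JmpRegScanner#_parse_ret renders for the ret.
#
# Only the segment's file extent (+p_offset+ up to +p_offset + p_filesz+) is
# reported. +elf.index+ searches the whole image from a given offset, so a
# match that lands at or past the segment end is discarded instead of being
# attributed to this segment.
#
# +p_flags+ is not consulted: gadgets are reported from whatever segment is
# passed in, so the caller decides which segments are worth scanning.
#
# @param program_header [#p_offset, #p_filesz] the ELF program header to scan
# @param param [Hash] unused; accepted for interface parity
# @return [Array<Array(Integer, String)>] matches as +[rva, message]+ pairs in
#   ascending file-offset order; empty when nothing matches
def scan_segment(program_header, param={})
  segment_end = program_header.p_offset + program_header.p_filesz
  offset      = program_header.p_offset
  hits        = []

  loop do
    break if offset >= segment_end

    # A nil result means no further match anywhere in the image; a result at
    # or beyond segment_end belongs to a later segment, so stop as well.
    offset = elf.index(regex, offset)
    break if offset.nil? || offset >= segment_end

    # The first two bytes are the pop opcodes; their low three bits name the
    # register (register 4/esp was excluded when the pattern was built).
    pops = elf.read(offset, 2)
    reg1 = Rex::Arch::X86.reg_name32(pops.getbyte(0) & 0x7)
    reg2 = Rex::Arch::X86.reg_name32(pops.getbyte(1) & 0x7)

    retsize = _ret_size(offset + 2)
    message = "pop #{reg1}; pop #{reg2}; " + _parse_ret(elf.read(offset + 2, retsize))

    hits << [elf.offset_to_rva(offset), message]

    # Resume after the whole gadget, so any match overlapping it is skipped.
    offset += 2 + retsize
  end

  hits
end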