forked from hasherezade/pe-sieve
-
Notifications
You must be signed in to change notification settings - Fork 0
/
code_patterns.h
80 lines (71 loc) · 2.07 KB
/
code_patterns.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#pragma once
#include <windows.h>
namespace pesieve {
typedef struct _t_pattern {
BYTE* ptr;
size_t size;
} t_pattern;
BYTE prolog32_pattern[] = {
0x55, // PUSH EBP
0x8b, 0xEC // MOV EBP, ESP
};
BYTE prolog32_2_pattern[] = {
0x55, // PUSH EBP
0x89, 0xE5 // MOV EBP, ESP
};
BYTE prolog32_3_pattern[] = {
0x60, // PUSHAD
0x89, 0xE5 // MOV EBP, ESP
};
t_pattern patterns32[] = {
{ prolog32_pattern, sizeof(prolog32_pattern) },
{ prolog32_2_pattern, sizeof(prolog32_2_pattern) },
{ prolog32_3_pattern, sizeof(prolog32_3_pattern) }
};
BYTE prolog64_pattern[] = {
0x40, 0x53, // PUSH RBX
0x48, 0x83, 0xEC // SUB RSP, <BYTE>
};
BYTE prolog64_2_pattern[] = {
0x55, // PUSH RBP
0x48, 0x8B, 0xEC // MOV RBP, RSP
};
BYTE prolog64_3_pattern[] = {
0x40, 0x55, // PUSH RBP
0x48, 0x83, 0xEC // SUB RSP, <BYTE>
};
BYTE prolog64_4_pattern[] = {
0x53, // PUSH RBX
0x48, 0x81, 0xEC // SUB RSP, <DWORD>
};
BYTE prolog64_5_pattern[] = {
0x48, 0x83, 0xE4, 0xF0 // AND rsp, FFFFFFFFFFFFFFF0; Align RSP to 16 bytes
};
BYTE prolog64_6_pattern[] = {
0x57, // PUSH RDI
0x48, 0x89, 0xE7 // MOV RDI, RSP
};
BYTE prolog64_7_pattern[] = {
0x48, 0x8B, 0xC4, // MOV RAX, RSP
0x48, 0x89, 0x58, 0x08, // MOV QWORD PTR [RAX + 8], RBX
0x4C, 0x89, 0x48, 0x20, // MOV QWORD PTR [RAX + 0X20], R9
0x4C, 0x89, 0x40, 0x18, // MOV QWORD PTR [RAX + 0X18], R8
0x48, 0x89, 0x50, 0x10, // MOV QWORD PTR [RAX + 0X10], RDX
0x55, // PUSH RBP
0x56, // PUSH RSI
0x57, // PUSH RDI
0x41, 0x54, // PUSH R12
0x41, 0x55, // PUSH R13
0x41, 0x56, // PUSH R14
0x41, 0x57 // PUSH R15
};
t_pattern patterns64[] = {
{ prolog64_pattern, sizeof(prolog64_pattern) },
{ prolog64_2_pattern, sizeof(prolog64_2_pattern) },
{ prolog64_3_pattern, sizeof(prolog64_3_pattern) },
{ prolog64_4_pattern, sizeof(prolog64_4_pattern) },
{ prolog64_5_pattern, sizeof(prolog64_5_pattern) },
{ prolog64_6_pattern, sizeof(prolog64_6_pattern) },
{ prolog64_7_pattern, sizeof(prolog64_7_pattern) }
};
}; // namespace pesieve