XorPacketHandler.cpp
/*
* This file is subject to the terms and conditions defined in
* file 'LICENSE', which is part of this source code package.
*
* COPYRIGHT Bill Demirkapi 2020
*/
#include "XorPacketHandler.h"
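/**
	Deobfuscates a XOR'd packet in place and dispatches the inner packet.

	The packet's own PacketLength field decides how many bytes are rewritten,
	so it is treated as untrusted: a length that does not cover the XOR header
	plus one complete BASE_PACKET is rejected before any byte is touched.

	@param FullPacket - Pointer to the full malicious packet.
	@return STATUS_INVALID_PARAMETER if the declared length is too small to hold
	        an inner BASE_PACKET; otherwise the status returned by the dispatcher.
*/
NTSTATUS
XorPacketHandler::ProcessPacket (
	_In_ PBASE_PACKET FullPacket
	)
{
	PXOR_PACKET xorPacket;
	ULONG xorHeaderSize;
	ULONG xorContentSize;
	ULONG i;
	PBASE_PACKET xorBasePacket;

	//
	// Cast the FullPacket to a XOR packet.
	//
	xorPacket = RCAST<PXOR_PACKET>(FullPacket);

	//
	// Number of bytes that precede XorContent in a XOR packet.
	//
	xorHeaderSize = static_cast<ULONG>(FIELD_OFFSET(XOR_PACKET, XorContent));

	//
	// PacketLength comes from the packet itself. If it is smaller than the
	// header, the unsigned subtraction below would wrap to a huge value and
	// the XOR loop would write far past the end of the packet.
	//
	// NOTE(review): this function cannot see the size of the buffer that
	// FullPacket lives in - confirm the caller has already bounded
	// PacketLength by the number of bytes actually received.
	//
	if (xorPacket->Base.PacketLength < xorHeaderSize)
	{
		DBGPRINT("XorPacketHandler!ProcessPacket: Packet length is smaller than the XOR header.\n");
		return STATUS_INVALID_PARAMETER;
	}

	//
	// Obtain the size of the XorContent by subtracting the
	// offset of XorContent from the total packet length.
	//
	xorContentSize = xorPacket->Base.PacketLength - xorHeaderSize;

	//
	// The content is reinterpreted as a BASE_PACKET after deobfuscation,
	// so it has to be at least that large.
	//
	if (xorContentSize < sizeof(BASE_PACKET))
	{
		DBGPRINT("XorPacketHandler!ProcessPacket: XOR content is too small to hold a base packet.\n");
		return STATUS_INVALID_PARAMETER;
	}

	DBGPRINT("XorPacketHandler!ProcessPacket: Received XOR packet with content size %i and key 0x%02X.\n", xorContentSize, xorPacket->XorKey);

	//
	// Enumerate the XorContent and deobfuscate every byte with XOR.
	// The same key is applied to every byte, so this is obfuscation
	// rather than encryption.
	//
	for (i = 0; i < xorContentSize; i++)
	{
		xorPacket->XorContent[i] ^= xorPacket->XorKey;
	}

	//
	// After deobfuscation, the XorContent is simply a BASE_PACKET.
	//
	// NOTE(review): the inner packet's own length field is not compared
	// with xorContentSize here - verify that the dispatcher or the handler
	// it selects does so before trusting it.
	//
	xorBasePacket = RCAST<PBASE_PACKET>(&xorPacket->XorContent);

	//
	// Dispatch the deobfuscated packet.
	//
	return this->PacketDispatch->Dispatch(xorBasePacket);
}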