pe-sieve/code__patterns_8h_source.html

#pragma once

#include <windows.h>


namespace pesieve {


    typedef struct _t_pattern {

        BYTE* ptr;

        size_t size;

    } t_pattern;


    BYTE prolog32_pattern[] = {

        0x55, // PUSH EBP

        0x8b, 0xEC // MOV EBP, ESP

    };


    BYTE prolog32_2_pattern[] = {

        0x55, // PUSH EBP

        0x89, 0xE5 // MOV EBP, ESP

    };


    BYTE prolog32_3_pattern[] = {

        0x60, // PUSHAD

        0x89, 0xE5 // MOV EBP, ESP

    };


    t_pattern patterns32[] = {

        { prolog32_pattern,   sizeof(prolog32_pattern) },

        { prolog32_2_pattern, sizeof(prolog32_2_pattern) },

        { prolog32_3_pattern, sizeof(prolog32_3_pattern) }

    };


    BYTE prolog64_pattern[] = {

        0x40, 0x53,       // PUSH RBX

        0x48, 0x83, 0xEC // SUB RSP, <BYTE>

    };


    BYTE prolog64_2_pattern[] = {

        0x55,            // PUSH RBP

        0x48, 0x8B, 0xEC // MOV RBP, RSP

    };


    BYTE prolog64_3_pattern[] = {

        0x40, 0x55,      // PUSH RBP

        0x48, 0x83, 0xEC // SUB RSP, <BYTE>

    };


    BYTE prolog64_4_pattern[] = {

        0x53,            // PUSH RBX

        0x48, 0x81, 0xEC // SUB RSP, <DWORD>

    };


    BYTE prolog64_5_pattern[] = {

        0x48, 0x83, 0xE4, 0xF0 // AND rsp, FFFFFFFFFFFFFFF0; Align RSP to 16 bytes

    };


    BYTE prolog64_6_pattern[] = {

        0x57,            // PUSH RDI

        0x48, 0x89, 0xE7 // MOV RDI, RSP

    };


    BYTE prolog64_7_pattern[] = {

         0x48, 0x8B, 0xC4, // MOV RAX, RSP

         0x48, 0x89, 0x58, 0x08, // MOV QWORD PTR [RAX + 8], RBX

         0x4C, 0x89, 0x48, 0x20, // MOV QWORD PTR [RAX + 0X20], R9

         0x4C, 0x89, 0x40, 0x18, // MOV QWORD PTR [RAX + 0X18], R8

         0x48, 0x89, 0x50, 0x10, // MOV QWORD PTR [RAX + 0X10], RDX

         0x55, // PUSH RBP

         0x56, // PUSH RSI

         0x57, // PUSH RDI

         0x41, 0x54, // PUSH R12

         0x41, 0x55, // PUSH R13

         0x41, 0x56, // PUSH R14

         0x41, 0x57 // PUSH R15

    };


    t_pattern patterns64[] = {

        { prolog64_pattern,   sizeof(prolog64_pattern) },

        { prolog64_2_pattern, sizeof(prolog64_2_pattern) },

        { prolog64_3_pattern, sizeof(prolog64_3_pattern) },

        { prolog64_4_pattern, sizeof(prolog64_4_pattern) },

        { prolog64_5_pattern, sizeof(prolog64_5_pattern) },

        { prolog64_6_pattern, sizeof(prolog64_6_pattern) },

        { prolog64_7_pattern, sizeof(prolog64_7_pattern) }

    };


}; // namespace pesieve

pesieve
Definition pesieve.py:1

pesieve::prolog64_3_pattern
BYTE prolog64_3_pattern[]
Definition code_patterns.h:40

pesieve::prolog32_pattern
BYTE prolog32_pattern[]
Definition code_patterns.h:11

pesieve::prolog64_5_pattern
BYTE prolog64_5_pattern[]
Definition code_patterns.h:48

pesieve::t_pattern
struct pesieve::_t_pattern t_pattern

pesieve::prolog32_3_pattern
BYTE prolog32_3_pattern[]
Definition code_patterns.h:21

pesieve::patterns32
t_pattern patterns32[]
Definition code_patterns.h:26

pesieve::prolog64_6_pattern
BYTE prolog64_6_pattern[]
Definition code_patterns.h:51

pesieve::prolog64_4_pattern
BYTE prolog64_4_pattern[]
Definition code_patterns.h:44

pesieve::prolog64_pattern
BYTE prolog64_pattern[]
Definition code_patterns.h:32

pesieve::prolog64_2_pattern
BYTE prolog64_2_pattern[]
Definition code_patterns.h:36

pesieve::patterns64
t_pattern patterns64[]
Definition code_patterns.h:70

pesieve::prolog32_2_pattern
BYTE prolog32_2_pattern[]
Definition code_patterns.h:16

pesieve::prolog64_7_pattern
BYTE prolog64_7_pattern[]
Definition code_patterns.h:55

pesieve::_t_pattern
Definition code_patterns.h:6

pesieve::_t_pattern::size
size_t size
Definition code_patterns.h:8

pesieve::_t_pattern::ptr
BYTE * ptr
Definition code_patterns.h:7