# File lib/rex/exploitation/seh.rb, line 47
#
# Builds a variable-size SEH registration record in which the "next"
# pointer field doubles as a short jump over the record.
#
# Layout of the returned string (rsize = pad + 8 bytes):
#   [0, jmpidx)        sled bytes (NOP generator output, or "\x90")
#   [jmpidx, jmpidx+2) short jump whose displacement lands at offset rsize
#   [4, 8)             handler, packed as a 32-bit little-endian value
#   everything else    random filler respecting +badchars+
#
# Reads +space+, +nop+ and +badchars+ from the enclosing object; their
# meaning is not shown here (presumably max record size, an optional NOP
# generator and the byte blacklist — verify against the class).
#
# @param handler [Integer] value written into the handler field at offset 4
# @return [String] the generated record, rsize bytes long
def generate_dynamic_seh_record(handler)
  # Generate the padding up to the size specified or 121 characters
  # maximum to account for the maximum range of a short jump plus the
  # record size.
  # NOTE(review): if +space+ is 0, Kernel#rand(0) returns a Float rather
  # than an Integer; and a +space+ larger than the "121" default is not
  # clamped here, so the displacement computed below could exceed what an
  # 8-bit short-jump operand can express — whether jmp_short validates
  # that is not visible from this file. TODO confirm the caller's range.
  pad = rand(space || 121)
  rsize = pad + 8

  # Calculate the random index into the next ptr to store the short jump
  # instruction (0, 1 or 2, so the 2-byte jump stays within the 4-byte
  # next pointer field)
  jmpidx = rand(3)

  # Build the prefixed sled for the bytes that come before the short jump
  # instruction; falls back to plain "\x90" bytes when no NOP generator
  # is available
  sled = (nop) ? nop.generate_sled(jmpidx, badchars) : ("\x90" * jmpidx)

  # Seed the record and any space after the record with random text
  record = Rex::Text.rand_text(rsize, badchars)

  # Build the next pointer and short jump instruction. The displacement
  # is relative to the end of the 2-byte jump at jmpidx, so
  # jmpidx + 2 + displacement == rsize, i.e. the end of this record.
  record[jmpidx, 2] = Rex::Arch::X86.jmp_short((rsize - jmpidx) - 2)
  record[0, jmpidx] = sled

  # Set the handler in the registration record ('V' = unsigned 32-bit
  # little-endian)
  record[4, 4] = [ handler ].pack('V')

  # Return the generated record to the caller
  record
end