added xor,ret patch technique to inlinehooks

SolitudePy · SolitudePy · commit ad85d2eee26e · 2025-06-07T13:39:05.000+03:00
diff --git a/volatility3/framework/plugins/windows/inlinehooks.py b/volatility3/framework/plugins/windows/inlinehooks.py
@@ -85,6 +85,7 @@ def check_inline_hook(
         # This is important to avoid false positives on stub functions
         MIN_FUNC_SIZE_FOR_JMP = 2
         MIN_FUNC_SIZE_FOR_RET = 2
+        MIN_FUNC_SIZE_FOR_XOR_RET = 3
         MIN_FUNC_SIZE_FOR_CALL = 2
 
         if len(data) < 1:
@@ -139,6 +140,13 @@ def check_inline_hook(
                         and disasm[0].mnemonic == "jmp"
                         and disasm[1].id == capstone.x86.X86_INS_RET
                     )
+                    or (
+                        func_insn_count >= MIN_FUNC_SIZE_FOR_XOR_RET
+                        and disasm[0].mnemonic == "xor"
+                        and disasm[0].operands[0].type == capstone.x86.X86_OP_REG
+                        and disasm[0].operands[1].type == capstone.x86.X86_OP_REG
+                        and disasm[1].id == capstone.x86.X86_INS_RET
+                    )
                 ):
                     return (data, "Early RET")
 
