[Full-Disclosure] RE: On Polymorphic Evasion (an alphanumeric version)

From: m conover (mconover_001_at_hotmail.com)
Date: 10/05/04

    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, focus-ids@securityfocus.com
    Date: Tue, 05 Oct 2004 01:39:15 +0000
    
    

    Cool. I will also add to the discussion with an alphanumeric version written
    with two others for experimentation, though it is limited in that it doesn't vary
    the length of the decoder stubs or encoded shellcode. spoonm is doing a
    separate version--I think based on Berend's alpha--that will. Also, I did
    not test it against any of the different shellcode detectors like Fnord, so
    I would be curious to know if anyone tries. IMO "as to whether the detection
    of polymorphic shellcode was indeed an appropriate component of an IDS", I
    think there is enough prior art on it that it's not really a big deal to
    publish or discuss code implementing it. It is most likely better to have a
    variety of generators to test the effectiveness of a shellcode detector. I
    added a small blurb on additional options for OS-independence with
    alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative
    addressing. See attachment.

    >"Phantasmal Phantasmagoria" <phantasmal@hush.ai>
    >10/01/2004 05:28 PM
    >Please respond to
    >phantasmal@hush.ai
    >
    >
    >To
    >full-disclosure@lists.netsys.com, bugtraq@securityfocus.com,
    >focus-ids@securityfocus.com
    >cc
    >
    >Subject
    >On Polymorphic Evasion
    >
    >
    >
    >
    >
    >
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >- ------------------------------------
    >
    >On Polymorphic Evasion
    >by Phantasmal Phantasmagoria
    >phantasmal@hush.ai


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
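The message above refers to an attached alphanumeric generator that is not reproduced in this archive. As an added illustration (not the author's attachment and not spoonm's or Berend's code) of the payload-side half of what such a generator does, the script below encodes arbitrary bytes as alphanumeric pairs using the nibble-split XOR scheme that alpha2-style encoders decode with, and chooses randomly among all valid pairs for each byte so that repeated runs of the same payload yield different encoded bytes. The decoder stub itself (the machine code that reads the pairs and rebuilds the payload, which is what a detector like Fnord has to key on) is deliberately out of scope; `decode()` here is the Python equivalent of what that stub computes. The payload, seeds and function names are constructed for this example.

```python
import random
import string

# Bytes that may appear in the encoded output: [0-9A-Za-z].
ALNUM = (string.ascii_letters + string.digits).encode()

# For each low-nibble value 0..15, the alphanumeric characters carrying it.
# Every nibble has at least one candidate ('0','P','p' for 0; 'O','o' for 0xF),
# and most have several, which is where the byte-level variation comes from.
BY_LOW_NIBBLE = {n: [c for c in ALNUM if c & 0x0F == n] for n in range(16)}


def candidate_pairs(b):
    """All alphanumeric pairs (c1, c2) with ((c1 & 0xF) << 4) ^ c2 == b."""
    high, low = b >> 4, b & 0x0F
    pairs = []
    for h1 in range(16):
        # The decoder XORs c1's low nibble (shifted up) with c2, so c2's
        # high nibble must be high ^ h1 and its low nibble must be b's.
        c2 = ((high ^ h1) << 4) | low
        if c2 in ALNUM:
            pairs.extend((c1, c2) for c1 in BY_LOW_NIBBLE[h1])
    return pairs


def variant_count(b):
    """Number of distinct alphanumeric encodings available for one byte."""
    return len(candidate_pairs(b))


def encode(payload, seed):
    """Encode payload bytes as alphanumeric pairs, picking a random valid
    pair per byte. The same seed reproduces the same output; a different
    seed gives a different byte pattern for the same payload."""
    rng = random.Random(seed)
    out = bytearray()
    for b in payload:
        c1, c2 = rng.choice(candidate_pairs(b))
        out += bytes((c1, c2))
    return bytes(out)


def decode(encoded):
    """What an alpha2-style decoder stub computes for each pair."""
    if len(encoded) % 2:
        raise ValueError("encoded data must be an even number of bytes")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        c1, c2 = encoded[i], encoded[i + 1]
        out.append(((c1 & 0x0F) << 4) ^ c2)
    return bytes(out)


def is_alnum(data):
    """True if every byte of data is in [0-9A-Za-z]."""
    return all(c in ALNUM for c in data)


def differing_positions(a, b):
    """How many byte positions differ between two equal-length encodings."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample payload: every byte value once, so the encoder
    # is exercised on the whole range including NUL and high bytes.
    payload = bytes(range(256))
    first = encode(payload, seed=1)
    second = encode(payload, seed=2)
    assert decode(first) == payload and decode(second) == payload
    print("alphanumeric:", is_alnum(first), is_alnum(second))
    print("positions differing between two runs:",
          differing_positions(first, second), "of", len(first))
    print("fewest encodings for any byte:",
          min(variant_count(b) for b in range(256)))
```

Because every byte of the encoded payload is drawn from a set of alternatives, a signature on the encoded body is not useful; the constant part, and therefore the thing a detector has to match, is the decoder stub, which is exactly what the generators discussed in this thread vary. Note that this script does not vary the length of the encoded data (always two bytes per payload byte), the same limitation the message above states for its attachment.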

