Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs
From: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz) Date: 01/27/02
- Previous message: Robert Flicker: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
- In reply to: Robert Flicker: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
- Next in thread: Gerardo Richarte: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs"
- Reply: Gerardo Richarte: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs"
From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz> Date: Sun, 27 Jan 2002 22:21:13 +0100 (MET) To: vuln-dev@securityfocus.com
On Sat, 26 Jan 2002, Robert Flicker wrote:
> His ideas revolve around counting multiple NOP type operations in a row and
> alerting when a threshold is reached. The idea has been kicked around for a
> while, but this is the first one that I have seen in actual implementation.
The time has come to replace nop with another harmless instruction?
Let's say, "inc %eax" on i386 (assuming the shellcode does not need to
know the original value of %eax)? Or "mov $0x40b048b4, %eax"?
(The explanation is left as an exercise to any reader who has got a
disassembler.)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
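The exchange above is about a threshold on consecutive NOP-type bytes and how a sled of other single-byte instructions slips past a rule that only counts 0x90. The following is an added example, not code from the thread or from the whitepaper: a detector that counts runs over a constructed, illustrative set of single-byte i386 opcodes, compared against the 0x90-only rule on constructed samples (no real shellcode).

```python
# Added example: NOP-sled heuristic counting consecutive "NOP-equivalent"
# bytes instead of only 0x90.  NOP_EQUIVALENTS is an illustrative subset of
# single-byte i386 instructions that do not alter control flow; it is an
# assumption for this example, not an exhaustive list (32-bit mode, no prefixes).

NOP_ONLY = frozenset({0x90})

NOP_EQUIVALENTS = frozenset(
    {0x90}                      # nop
    | set(range(0x40, 0x50))    # inc/dec reg32  (0x40 = inc %eax)
    | set(range(0x91, 0x98))    # xchg %eax, reg32
    | {0x98, 0x99}              # cwde, cdq
    | {0xF8, 0xF9, 0xFC, 0xFD}  # clc, stc, cld, std
    | {0x9E, 0x9F}              # sahf, lahf
)


def longest_run(data: bytes, opcodes: frozenset) -> int:
    """Length of the longest contiguous run of bytes drawn from `opcodes`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in opcodes else 0
        best = max(best, cur)
    return best


def looks_like_sled(data: bytes, opcodes: frozenset, threshold: int = 32) -> bool:
    """Alert when a run of at least `threshold` NOP-equivalent bytes appears."""
    return longest_run(data, opcodes) >= threshold


# Constructed samples: a classic 0x90 sled, a sled of "inc %eax" (0x40) as the
# mail suggests, and plain ASCII padding whose bytes (0x41 == 'A') decode as
# "inc %ecx" -- a false-positive source the broadened rule must live with.
SAMPLES = {
    "classic_nop_sled": b"\x90" * 64 + b"\xcc",
    "inc_eax_sled":     b"\x40" * 64 + b"\xcc",
    "ascii_padding":    b"A" * 64 + b"\x00",
}


def classify(threshold: int = 32) -> dict:
    """Per sample: (caught by the 0x90-only rule, caught by the broadened rule)."""
    return {name: (looks_like_sled(d, NOP_ONLY, threshold),
                   looks_like_sled(d, NOP_EQUIVALENTS, threshold))
            for name, d in SAMPLES.items()}
```

The `ascii_padding` sample is the caveat: widening the opcode set catches the `inc %eax` sled but also fires on ordinary text, so the threshold and the surrounding protocol context decide whether the alert is useful.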