Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs
From: Gerardo Richarte (core.lists.exploit-dev@core-sdi.com)  Date: 01/28/02
- In reply to: Pavel Kankovsky: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
Date: Mon, 28 Jan 2002 17:09:29 -0300
From: Gerardo Richarte <core.lists.exploit-dev@core-sdi.com>
To: <vuln-dev@securityfocus.com>
Pavel Kankovsky wrote:
> The time has come to replace nop with another harmless instruction?
Along the same lines, we've been talking about this with some friends and coworkers;
I'll just add another $0.02 in the name of all these people :)
Is nop a nop? Sure, man!
Is inc %eax a nop? Erm... well... yes.
Is mov $1,%al a nop? Yessss...
Is mov %esp,%ebp a nop? Well... yes...
What is a nop?
As futo said...
Is a quicksort routine a nop?
Is Windows NT mostly a nop?
As futo and cmg said:
Determining what a nop is is harder than the halting problem, or at least equivalent to it.
I think we have to go back to antivirus: we need to take a look at what antivirus companies
learned, and use that knowledge.
I don't like some of the methods very much; for example, some of them create a virtual
machine and execute the suspected program in a sandbox (http://www.softland.com.ar/Info/NAV/NAV4net.htm and http://enterprisesecurity.symantec.com/article.cfm?articleid=11&EID=1 for example).
I wouldn't recommend that, but anybody can use it :)
And as for the alignment problem, in a lot of exploits you know whether you are returning to an address
aligned to 4 or not...
Well... as I said, just some more $0.02.
gera
PS:
        .byte 0xb0      # entered at offset 0: b0 b8       = mov $0xb8,%al
a:
        .byte 0xb8      # entered at offset 1: b8 e8 fa ff ff = mov $0xfffffae8,%eax
        call a          # e8 fa ff ff ff (rel32 = -6)
        .byte 0xc0      # with the call's last byte: ff c0 = inc %eax
        pop %eax        # 58; balances the push done by the call when entered at offset 0
--- for a personal reply use: Gerardo Richarte <gera@corest.com>
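The PS above is the whole argument in nine bytes, so here is an added example (my own code, not part of gera's mail and not from NGSEC or Core) that makes the two readings explicit. It hand-encodes the bytes the PS assembles to in 32-bit mode and decodes them two ways: a linear sweep from each entry offset, which is what a pattern-matching IDS sees, and a walk that follows the call the way the CPU does. The decoder knows only the handful of opcodes this sample can reach, and the encoding of `call a` as e8 with rel32 = -6 is worked out by hand; both are assumptions of the example, not something the mail states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The nine bytes gera's PS assembles to with GNU as in 32-bit mode (worked
 * out by hand for this example; "call a" is e8 rel32 with rel32 = 1 - 7 = -6). */
static const uint8_t sled[] = { 0xb0, 0xb8, 0xe8, 0xfa, 0xff, 0xff, 0xff, 0xc0, 0x58 };
#define SLED_LEN ((int)sizeof sled)

static const char *r8[]  = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };
static const char *r32[] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

struct insn { int len; int target; int stack; char text[48]; };

/* Bytes taken by a ModRM plus its SIB/displacement, or 0 if the buffer ends first. */
static int modrm_len(const uint8_t *b, int len, int off)
{
    if (off >= len) return 0;
    int mod = b[off] >> 6, rm = b[off] & 7, n = 1;
    if (mod != 3 && rm == 4) {                          /* SIB byte follows */
        if (off + 1 >= len) return 0;
        n++;
        if (mod == 0 && (b[off + 1] & 7) == 5) n += 4;  /* no base register: disp32 */
    }
    if (mod == 1) n += 1;
    else if (mod == 2 || (mod == 0 && rm == 5)) n += 4;
    return off + n <= len ? n : 0;
}

static uint32_t rd32(const uint8_t *p)
{ return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Decode one 32-bit x86 instruction at off. Only the opcodes this sample can
 * reach are in the table: len 0 means the encoding runs past the buffer, -1 an
 * opcode the toy does not know. stack is the net change to ESP in bytes. */
static void decode(const uint8_t *b, int len, int off, struct insn *i)
{
    int m;
    uint8_t op = b[off];
    i->target = -1; i->stack = 0; i->len = -1; i->text[0] = 0;
    if (op >= 0xb0 && op <= 0xb7) {                      /* mov imm8, r8 */
        if (off + 2 > len) { i->len = 0; return; }
        snprintf(i->text, sizeof i->text, "mov $0x%x,%%%s", (unsigned)b[off + 1], r8[op - 0xb0]);
        i->len = 2;
    } else if (op >= 0xb8 && op <= 0xbf) {               /* mov imm32, r32 */
        if (off + 5 > len) { i->len = 0; return; }
        snprintf(i->text, sizeof i->text, "mov $0x%x,%%%s", (unsigned)rd32(b + off + 1), r32[op - 0xb8]);
        i->len = 5;
    } else if (op == 0xe8) {                             /* call rel32: pushes return EIP */
        if (off + 5 > len) { i->len = 0; return; }
        i->target = off + 5 + (int32_t)rd32(b + off + 1);
        snprintf(i->text, sizeof i->text, "call 0x%x", (unsigned)i->target);
        i->len = 5; i->stack = -4;
    } else if (op >= 0x58 && op <= 0x5f) {               /* pop r32 */
        snprintf(i->text, sizeof i->text, "pop %%%s", r32[op - 0x58]);
        i->len = 1; i->stack = 4;
    } else if (op == 0xff) {                             /* group 5: /0 inc, /1 dec, register form only */
        if (!(m = modrm_len(b, len, off + 1))) { i->len = 0; return; }
        int reg = (b[off + 1] >> 3) & 7;
        if (b[off + 1] >> 6 != 3 || reg > 1) return;     /* memory forms and /2../7 unsupported */
        snprintf(i->text, sizeof i->text, "%s %%%s", reg ? "dec" : "inc", r32[b[off + 1] & 7]);
        i->len = 1 + m;
    } else if (op == 0xc0) {                             /* shift/rotate group 2, Eb,Ib */
        if (!(m = modrm_len(b, len, off + 1)) || off + 2 + m > len) { i->len = 0; return; }
        snprintf(i->text, sizeof i->text, "shift/rotate r/m8 (ModRM 0x%02x),imm8", (unsigned)b[off + 1]);
        i->len = 2 + m;
    }
}

/* Walk from entry: a linear sweep (what a pattern-matching IDS sees) or, with
 * follow_flow, taking calls as the CPU would. Fills out with "; "-joined
 * mnemonics, returns the instruction count and reports the net ESP change. */
static int walk(const uint8_t *b, int len, int entry, int follow_flow, char *out, size_t sz, int *stack)
{
    struct insn in;
    unsigned char seen[256] = { 0 };
    int off = entry, n = 0;
    out[0] = 0; *stack = 0;
    while (off >= 0 && off < len && off < 256 && !seen[off]) {
        seen[off] = 1;
        decode(b, len, off, &in);
        if (in.len <= 0) {
            strncat(out, in.len ? " <unsupported>" : " <truncated>", sz - strlen(out) - 1);
            break;
        }
        if (n++) strncat(out, "; ", sz - strlen(out) - 1);
        strncat(out, in.text, sz - strlen(out) - 1);
        *stack += in.stack;
        off = (follow_flow && in.target >= 0) ? in.target : off + in.len;
    }
    return n;
}

/* Convenience wrappers over the sample sled: text, count and ESP delta of a walk. */
static char walk_buf[256];
static const char *sled_text(int entry, int follow_flow)
{ int s; walk(sled, SLED_LEN, entry, follow_flow, walk_buf, sizeof walk_buf, &s); return walk_buf; }
static int sled_count(int entry, int follow_flow)
{ int s; return walk(sled, SLED_LEN, entry, follow_flow, walk_buf, sizeof walk_buf, &s); }
static int sled_stack(int entry, int follow_flow)
{ int s; walk(sled, SLED_LEN, entry, follow_flow, walk_buf, sizeof walk_buf, &s); return s; }

int main(void)
{
    const char *how[] = { "linear sweep", "following flow" };
    for (int entry = 0; entry < 2; entry++)
        for (int f = 0; f < 2; f++) {
            int s, n = walk(sled, SLED_LEN, entry, f, walk_buf, sizeof walk_buf, &s);
            printf("entry %d, %-14s: %d insns, ESP %+d: %s\n", entry, how[f], n, s, walk_buf);
        }
    return 0;
}
```

Entered at offset 0 the CPU runs mov $0xb8,%al; call 0x1; mov $0xfffffae8,%eax; inc %eax; pop %eax, with the pop taking back exactly what the call pushed (net ESP change 0); entered at offset 1 it runs the last three of those. Neither stream contains a 0x90 or any byte-pattern a NOP-sled signature would key on, and a linear sweep from offset 0 does not even see the executed stream: it decodes the call and then runs into an incomplete shift instruction built from the 0xc0 and the pop's 0x58. That is the "what is a nop?" problem in miniature: the only way to know what these bytes do is to follow them from the entry point the exploit actually uses.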