RE: On Polymorphic Evasion (an alphanumeric version)

["m conover" <mconover_001 () hotmail com>]

Cool. I will also add to the discussion with an alphanumeric version written 
with two others for experimentation, though it is limited in it doesn't vary 
the length of the decoder stubs or encoded shellcode. spoonm is doing a 
separate version--I think based on Berend's alpha--that will. Also, I did 
not test it against any of the different shellcode detectors like Fnord, so 
I would be curious to know if anyone tries. IMO "as to whether the detection 
of polymorphic shellcode was indeed an appropriate component of an IDS", I 
think there is enough prior art on it that it's not really a big deal to 
publish or discuss code implementing it. It most likely better to have a 
variety of generators to test the effectiveness of a shellcode detector. I 
added a small blurb on addtional options for OS-independence with 
alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative 
addressing. See attachment.

> "Phantasmal Phantasmagoria" <phantasmal () hush ai>
> 10/01/2004 05:28 PM
> Please respond to
> phantasmal () hush ai
>
>
> To
> full-disclosure () lists netsys com, bugtraq () securityfocus com,
> focus-ids () securityfocus com
> cc
>
> Subject
> On Polymorphic Evasion
>
>
>
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------
>
> On Polymorphic Evasion
> by Phantasmal Phantasmagoria
> phantasmal () hush ai

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html