Full Disclosure mailing list archives
RE: On Polymorphic Evasion (an alphanumeric version)
From: "m conover" <mconover_001 () hotmail com>
Date: Tue, 05 Oct 2004 01:39:15 +0000
Cool. I will also add to the discussion with an alphanumeric version written with two others for experimentation, though it is limited in it doesn't vary the length of the decoder stubs or encoded shellcode. spoonm is doing a separate version--I think based on Berend's alpha--that will. Also, I did not test it against any of the different shellcode detectors like Fnord, so I would be curious to know if anyone tries. IMO "as to whether the detection of polymorphic shellcode was indeed an appropriate component of an IDS", I think there is enough prior art on it that it's not really a big deal to publish or discuss code implementing it. It most likely better to have a variety of generators to test the effectiveness of a shellcode detector. I added a small blurb on addtional options for OS-independence with alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative addressing. See attachment.
"Phantasmal Phantasmagoria" <phantasmal () hush ai> 10/01/2004 05:28 PM Please respond to phantasmal () hush ai To full-disclosure () lists netsys com, bugtraq () securityfocus com, focus-ids () securityfocus com cc Subject On Polymorphic Evasion -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------ On Polymorphic Evasion by Phantasmal Phantasmagoria phantasmal () hush ai
_________________________________________________________________On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: On Polymorphic Evasion (an alphanumeric version) m conover (Oct 04)