Snort mailing list archives
Pattern Matching in encoded Shellcode
From: "felix.matenaar@rwth-aachen" <felix.matenaar () rwth-aachen de>
Date: Sat, 24 Apr 2010 00:36:00 +0200
Hello everyone,

This is my first post on this mailing list and I'm far away from knowing much about Snort. I just would like to present an idea and would be happy about some feedback.

As you all know, a lot of exploits use encoding for intrusion detection evasion. Two of the often used schemes are ROT and XOR. The question was if there is an efficient way to do pattern matching in encoded shellcode parts.

Imagine a tuple of XOR encoded bytes A which is our encoded shellcode. Let B be a tuple of bytes which is our signature in plain. When you want to do pattern matching in A you can do the following: create a tuple A' which has a length of A-1 by doing A'[i] := A[i] XOR A[i+1]. Because A[i] is the plain byte XOR the key, as A[i+1] is, the key XORs to 0 and what we get is the XOR of both plain bytes. When we do the same for B and generate B', B' will be a substring of A' when the signature B was in the plaintext of A before.

I couldn't find anything about that yet. Is that something which could be interesting to implement, or is that old stuff?

Thanks for your feedback,
Felix
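The following is an added worked example of the key-cancelling transform described in the post; it is not code from the post or from the Snort project. It implements exactly the A'[i] = A[i] XOR A[i+1] idea for single-byte XOR, and generalizes it in two ways the post only hints at: an additive variant for ROT-style encoders (A'[i] = (A[i+1] - A[i]) mod 256), and a `stride` parameter so that a repeating multi-byte key whose period divides the stride also cancels out. The signature, plaintext, and keys are constructed sample values; the function names are assumptions made here.

```python
"""Key-invariant signature search in single-byte XOR / ROT encoded data.

Added example (not from the original post). Assumed names: differential,
find_encoded, encode, decode. Sample data below is constructed.
"""


def differential(data: bytes, scheme: str = "xor", stride: int = 1) -> bytes:
    """Key-cancelling transform of `data`.

    xor: A'[i] = A[i] ^ A[i+stride]
    rot: A'[i] = (A[i+stride] - A[i]) mod 256
    Any repeating key whose period divides `stride` cancels out, so the
    result depends only on the plaintext. Length is len(data) - stride.
    """
    n = len(data) - stride
    if scheme == "xor":
        return bytes(data[i] ^ data[i + stride] for i in range(n))
    if scheme == "rot":
        return bytes((data[i + stride] - data[i]) % 256 for i in range(n))
    raise ValueError(f"unknown scheme {scheme!r}")


def encode(data: bytes, key: bytes, scheme: str) -> bytes:
    """Encode with a repeating key (used here only to build test input)."""
    if scheme == "xor":
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return bytes((b + key[i % len(key)]) % 256 for i, b in enumerate(data))


def decode(data: bytes, key: bytes, scheme: str) -> bytes:
    """Inverse of encode()."""
    if scheme == "xor":
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return bytes((b - key[i % len(key)]) % 256 for i, b in enumerate(data))


def find_encoded(signature: bytes, blob: bytes, scheme: str = "xor",
                 stride: int = 1) -> list[tuple[int, bytes]]:
    """Return (offset, recovered_key) for every place `signature` occurs in
    `blob` under some key of period `stride` (1 = single-byte key).

    Matching is done in the differential domain, so the key never has to be
    guessed: it is derived afterwards from the first `stride` bytes of the
    matching window. For the differential to carry any information the
    signature must be longer than the stride.
    """
    if len(signature) <= stride:
        raise ValueError("signature must be longer than the key stride")
    sig_d = differential(signature, scheme, stride)
    blob_d = differential(blob, scheme, stride)

    hits: list[tuple[int, bytes]] = []
    idx = blob_d.find(sig_d)
    while idx != -1:
        window = blob[idx: idx + len(signature)]
        # Key bytes fall out of the first `stride` positions of the window.
        if scheme == "xor":
            key = bytes(window[j] ^ signature[j] for j in range(stride))
        else:
            key = bytes((window[j] - signature[j]) % 256 for j in range(stride))
        # Differential equality implies this decodes correctly; keep the
        # check as a self-test of the transform.
        assert decode(window, key, scheme) == signature
        hits.append((idx, key))
        idx = blob_d.find(sig_d, idx + 1)
    return hits


# Constructed sample: a plain signature inside padding, then encoded.
SIGNATURE = b"/bin/sh\x00"
PLAINTEXT = b"\x90" * 8 + SIGNATURE + b"\xcc" * 4


if __name__ == "__main__":
    for scheme, key, stride in (("xor", b"\x5a", 1), ("rot", b"\x21", 1),
                                ("xor", b"\x13\x37", 2)):
        blob = encode(PLAINTEXT, key, scheme)
        print(scheme, stride, find_encoded(SIGNATURE, blob, scheme, stride))
```

Note the limits this makes visible: a stride-1 search does not cancel a two-byte key (the last case only matches with `stride=2`), so a detector has to run one differential per key period it wants to cover, and a very short signature yields a differential of only a few bytes and will produce many coincidental hits. Because the differential is the same for a plaintext and for any constant-XOR (or constant-shift) of it, a hit means "this window decodes to the signature under the reported key", which the caller can confirm by decoding the surrounding bytes.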
Current thread:
- Pattern Matching in encoded Shellcode felix.matenaar@rwth-aachen (Apr 23)
- Re: Pattern Matching in encoded Shellcode felix.matenaar@rwth-aachen (Apr 23)
- Re: Pattern Matching in encoded Shellcode felix.matenaar@rwth-aachen (Apr 24)
- Re: Pattern Matching in encoded Shellcode Matt Olney (Apr 24)
- Re: Pattern Matching in encoded Shellcode felix.matenaar@rwth-aachen (Apr 23)