Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Pattern Matching in encoded Shellcode

From: "felix.matenaar@rwth-aachen" <felix.matenaar () rwth-aachen de>
Date: Sat, 24 Apr 2010 00:36:00 +0200
Hello everyone,

this is my first post on this mailing list and i m far away from knowing
much about snort. I just would like to present an idea and would be
happy about some feedback. As you all know a lot of exploits use
encoding for intrusion detection evasion. Two of often used schemes are
ROT and XOR. The question was if there is an efficient way to do pattern
matching in encoded shellcode parts. Imagine a tuple of XOR encoded
bytes A which is our encoded shellcode. Let B be a tuple of bytes which
is our signature in plain. When you want to do pattern matching in A you
can do the following:

Create a tuple A' which has a length of A-1 by doing A'[i] := A[i] XOR
A[i+1]. Because A[i] is the plain byte xor the key as A[i+1] is, the key
XORs to 0 and what we get is the XOR of both plain bytes. When we do the
same for B and generate B'.
B' will be a substring of A' when the signature B was in the plaintext
of A before.

I couldnt find anything about that yet. Is that something which could be
interesting to implement or is that old stuff?

Thanks for your feedback,
    Felix

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Previous By Date Next
Previous By Thread Next

Current thread: