Vulnerability Development mailing list archives

Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs

From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sun, 27 Jan 2002 22:21:13 +0100 (MET)

On Sat, 26 Jan 2002, Robert Flicker wrote:

His ideas revolve around counting multiple NOP type operations in a row and 
alerting when a threshold is reached. The idea has been kicked around for a 
while, but this is the first one that I have seen in actual implementation.


The time has come to replace nop with another harmless instruction?
Let's say, "inc %eax" on i386 (assuming the shellcode does not need to
know the original value of %eax)? Or "mov $0x40b048b4, %eax"?
(The explanation is left as an exercise to any reader who has got a
disassembler.)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Current thread:

Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Robert Flicker (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Charles 'core' Stevenson (Jan 26)
  - Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Mike Murray (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Pavel Kankovsky (Jan 27)
  - Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs Gerardo Richarte (Jan 28)
- <Possible follow-ups>
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Robert Flicker (Jan 27)