Vulnerability Development mailing list archives
Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sun, 27 Jan 2002 22:21:13 +0100 (MET)
On Sat, 26 Jan 2002, Robert Flicker wrote:
> His ideas revolve around counting multiple NOP type operations in a row and alerting when a threshold is reached. The idea has been kicked around for a while, but this is the first one that I have seen in actual implementation.
The time has come to replace nop with another harmless instruction? Let's say, "inc %eax" on i386 (assuming the shellcode does not need to know the original value of %eax)? Or "mov $0x40b048b4, %eax"? (The explanation is left as an exercise to any reader who has got a disassembler.)

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
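An added example, not part of the original post or of the whitepaper under discussion: a threshold detector that counts only literal NOP bytes, next to one that counts every offset decoding to a harmless instruction, run over constructed buffers. The opcode table, function names and sample payloads are assumptions made for illustration; the table covers only the instructions named in the message above.

```python
# Added illustration: threshold detectors for i386 sleds, in the spirit of the
# thread. The opcode table is a constructed, minimal subset covering only the
# instructions named in the post; it is not a disassembler.

# opcode -> total instruction length in bytes
HARMLESS = {
    0x90: 1,  # nop
    0x40: 1,  # inc %eax
    0x48: 1,  # dec %eax
    0xB0: 2,  # mov $imm8, %al
    0xB4: 2,  # mov $imm8, %ah
    0xB8: 5,  # mov $imm32, %eax
}

def longest_nop_run(buf: bytes) -> int:
    """Baseline detector: longest run of literal 0x90 bytes."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best

def longest_sled(buf: bytes) -> int:
    """Longest stretch of offsets that each start a harmless instruction.

    A sled must be safe to enter at any byte, so every offset in it has to
    decode to an instruction from HARMLESS that fits inside the buffer.
    """
    best = cur = 0
    for i, b in enumerate(buf):
        size = HARMLESS.get(b, 0)
        cur = cur + 1 if size and i + size <= len(buf) else 0
        best = max(best, cur)
    return best

def alerts(buf: bytes, threshold: int = 32) -> dict:
    """Compare both detectors against the same alert threshold."""
    return {"nop_only": longest_nop_run(buf) >= threshold,
            "any_entry": longest_sled(buf) >= threshold}

# Constructed sample payloads (hypothetical, not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.0\r\n\r\n",
    "nop": b"A" * 8 + b"\x90" * 64 + b"\xcc" * 4,
    "inc_eax": b"A" * 8 + b"\x40" * 64 + b"\xcc" * 4,
    "mov_eax": b"A" * 8 + bytes.fromhex("b8b448b040") * 16 + b"\xcc" * 4,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, alerts(data))
```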