Vulnerability Development mailing list archives
Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs
From: Gerardo Richarte <core.lists.exploit-dev () core-sdi com>
Date: Mon, 28 Jan 2002 17:09:29 -0300
Pavel Kankovsky wrote:
> The time has come to replace nop with another harmless instruction?

On the same lines, we've been talking about this with some friends and coworkers; I'll just add another $0.02 in the name of all these ppl :)

Is nop a nop? Sure, man!
Is inc %eax a nop? Erm... well... yes.
Is mov $1,%al a nop? Yessss...
Is mov %esp, %ebp a nop? Well... yes...
What is a nop? As futo said... is a quicksort routine a nop? Is Windows NT mostly a nop?

As futo and cmg said: determining what a nop is is harder than the halting problem, or at least equivalent.

I think we have to go back to antivirus; we need to take a look at what antiviral companies learned, and use that knowledge. I don't like some of the methods very much, for example some of them create a virtual machine and execute the suspected program in a sandbox (http://www.softland.com.ar/Info/NAV/NAV4net.htm and http://enterprisesecurity.symantec.com/article.cfm?articleid=11&EID=1 for example). I wouldn't recommend that, but anybody can use it :)

And as for the alignment problem, on a lot of exploits you know if you are returning to an address aligned to 4 or not...

Well... as I said, just some more $0.02

    gera

PS:
        .byte 0xb0
    a:  .byte 0xb8
        call a
        .byte 0xc0
        pop %eax

---
for a personal reply use: Gerardo Richarte <gera () corest com>
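As an added illustration of the PS (example code, not part of gera's post): a miniature x86 decoder for only the opcodes that sequence uses, showing that the same bytes read as two different instruction streams depending on where you enter them, and that only following the control flow reveals what actually executes. It assumes the PS is assembled with GNU as in 32-bit mode with label a at offset 1; the byte string is constructed here from that assumption.

```python
import struct

# Constructed here from the PS, assuming GNU as in 32-bit mode with label `a` at offset 1:
#   offset 0: b0 b8 = mov $0xb8,%al   offset 2: e8 fa ff ff ff = call a (rel32 = -6)
#   offset 7: c0 = .byte 0xc0         offset 8: 58 = pop %eax
GERA_PS = bytes.fromhex("b0b8e8faffffffc058")

def decode_one(code, off):
    """Return (text, length) for the instruction at `off`, or None for an unknown byte."""
    op = code[off]
    if op == 0x90:
        return "nop", 1
    if op == 0xB0 and off + 1 < len(code):                    # mov imm8,%al
        return f"mov ${code[off + 1]:#x},%al", 2
    if op == 0xB8 and off + 4 < len(code):                    # mov imm32,%eax
        return f"mov ${struct.unpack_from('<I', code, off + 1)[0]:#x},%eax", 5
    if op == 0xE8 and off + 4 < len(code):                    # call rel32, target = next eip + rel
        return f"call {off + 5 + struct.unpack_from('<i', code, off + 1)[0]}", 5
    if op == 0xFF and off + 1 < len(code) and code[off + 1] == 0xC0:
        return "inc %eax", 2                                  # ff c0 = inc %eax
    if op == 0x58:
        return "pop %eax", 1
    return None

def linear_decode(code, start):
    """What a scanner walking the bytes in order sees from `start` (no control flow)."""
    out, off = [], start
    while off < len(code):
        ins = decode_one(code, off)
        out.append(ins[0] if ins else f"db {code[off]:#x}")
        off += ins[1] if ins else 1
    return out

def emulate(code, start):
    """Follow control flow from `start`; return (executed trace, net stack depth at exit)."""
    trace, depth, eip = [], 0, start
    while 0 <= eip < len(code):
        ins = decode_one(code, eip)
        if ins is None:
            raise ValueError(f"unsupported byte {code[eip]:#x} at offset {eip}")
        text, size = ins
        trace.append(text)
        if text.startswith("call"):
            depth += 1                        # return address pushed; jump into the middle
            eip = int(text.split()[1])
        else:
            if text == "pop %eax":
                depth -= 1                    # eats the return address pushed by the call
            eip += size
    return trace, depth
```

Entered at offset 0 the trace ends with the stack balanced, which is what makes the whole sequence behave as a nop, while a scanner that only decodes bytes in order from offset 0 never sees the mov/inc/pop stream that actually runs. Entered at offset 1 (the alignment case) the same bytes pop one dword more than they push, so the verdict depends on the entry point, not on the bytes alone.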
Current thread:
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Robert Flicker (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Charles 'core' Stevenson (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Mike Murray (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Pavel Kankovsky (Jan 27)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Gerardo Richarte (Jan 28)
- <Possible follow-ups>
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Robert Flicker (Jan 27)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Charles 'core' Stevenson (Jan 26)