Vulnerability Development mailing list archives

Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. Application IDSs


From: Gerardo Richarte <core.lists.exploit-dev () core-sdi com>
Date: Mon, 28 Jan 2002 17:09:29 -0300

Pavel Kankovsky wrote:

The time has come to replace nop with another harmless instruction?

    Along the same lines, we've been talking about this with some friends and coworkers;
I'll just add another $0.02 in the name of all these ppl :)

    is    nop               a nop?  sure man!
    is    inc %eax          a nop?  erm... well... yes
    is    mov $1,%al        a nop?  yessss...
    is    mov %esp,%ebp     a nop?  well... yes...

    what is a nop?

    as futo said...

    is a quicksort routine a nop?
    is Windows NT mostly a nop?

    as futo and cmg said:

    determining what a nop is is harder than the halting problem, or at least equivalent to it

    I think we have to go back to antivirus: we need to take a look at what antiviral companies
learned, and use that knowledge.

    I don't like some of the methods very much; for example, some of them create a virtual
machine and execute the suspected program in a sandbox (http://www.softland.com.ar/Info/NAV/NAV4net.htm and
http://enterprisesecurity.symantec.com/article.cfm?articleid=11&EID=1 for example).
    I wouldn't recommend that, but anybody can use it :)

    And as for the alignment problem, on a lot of exploits you know if you are returning to an address
aligned to 4 or not...

    Well... as I said, just some more $0.02

    gera

PS:
   .byte    0xb0       # together with the next byte: mov $0xb8,%al
a:
   .byte    0xb8       # entered at a: mov $0xfffffae8,%eax (swallows e8 fa ff ff of the call)
   call    a           # pushes the address of the 0xc0 byte and jumps to a
   .byte    0xc0       # together with the call's last 0xff byte: inc %eax
   pop    %eax         # pops the pushed return address; the stack is balanced again




--- for a personal reply use: Gerardo Richarte <gera () corest com>
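An added example, not part of gera's post or the NGSEC paper: a minimal sled detector of the kind an application IDS might use, built around an allowlist of nop-equivalent instructions taken from the post. Assumptions: x86-32 encodings, a hand-picked and deliberately incomplete table, and constructed sample byte strings, including a hand assembly of the PS snippet.

```python
# Added example, not from the original post: a tiny "nop sled" detector of the kind an
# application IDS might use, built around an allowlist of instructions that leave control
# flow untouched. Assumptions: x86-32 encodings, and a hand-picked, deliberately incomplete
# table (the four instructions the post lists). Any byte not in the table ends a run.

NOP_LIKE = {
    b"\x90": "nop",
    b"\x40": "inc %eax",
    b"\xb0\x01": "mov $1,%al",
    b"\x89\xe5": "mov %esp,%ebp",
}

def decode_run(data, start):
    """Greedily tokenise data[start:] against the allowlist; return the mnemonics matched."""
    i, mnemonics = start, []
    while i < len(data):
        for opcode, name in NOP_LIKE.items():
            if data.startswith(opcode, i):
                mnemonics.append(name)
                i += len(opcode)
                break
        else:
            break  # a byte the allowlist does not know: the run ends here
    return mnemonics

def longest_sled(data):
    """Return (offset, instruction count) of the longest allowlisted run at any offset."""
    best = (0, 0)
    for start in range(len(data)):
        count = len(decode_run(data, start))
        if count > best[1]:
            best = (start, count)
    return best

def is_sled(data, min_instructions=8):
    """Flag the buffer when some run of nop-like instructions reaches the threshold."""
    return longest_sled(data)[1] >= min_instructions

# Constructed samples: a plain 0x90 sled; a mixed sled built from the instructions the post
# lists; and the PS snippet, hand-assembled here (assumption) as b0 b8 e8 fa ff ff ff c0 58.
CLASSIC = b"\x90" * 16 + b"\xcc"
MIXED = b"\x40\xb0\x01\x89\xe5\x90" * 4 + b"\xcc"
PS_TRICK = b"\xb0\xb8\xe8\xfa\xff\xff\xff\xc0\x58" * 3

if __name__ == "__main__":
    for name, sample in [("classic", CLASSIC), ("mixed", MIXED), ("ps_trick", PS_TRICK)]:
        print(name, longest_sled(sample), is_sled(sample))
```

The first two samples are flagged, while the third contains not one instruction the table knows, which is the post's point: every new "is this a nop?" entry grows the table without ever completing it.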