The whitepaper focuses mostly on detecting the NOP sled. It recommends looking for about 50 to 60 in a row to limit the number of false positives. They talk about using NOP as well as 1-byte instructions like push %eax, inc %eax, etc. for the NOP sled, but this isn't what we are limited to. We can use something like mov $0x41414141, %ebx, which in hex is bb41414141. If you hit at the start of the instruction it does the mov; if you miss the start and land in the middle it does an inc %ecx until you hit the next mov, then it's movs until you reach the shellcode.

If crashing the program isn't a problem then you can use something like cmp $0x495b5046,%edx, or 81fa46505b49. If you land right on it you get the cmp; if you miss it by one it's cli, which will crash. Anything after that is a one-byte operation: inc %esi, push %eax, pop %ebx, dec %ecx. If you make 96 bytes of this and are trying to brute force the address then you add like 93 to the address, then one, then 93, then one..... That way you make sure that if it lands on the cli instruction then when you add 1 you will land on a good instruction.

I didn't research this much; it just came to mind when thinking of ways to avoid their detection. They might have thought of this and detected it, but from reading the whitepaper it didn't sound like it.

lockdown (reply-to: sweasel18at_private)
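The following is an added example, not code from the post above or from the whitepaper it discusses. It builds the two sleds lockdown describes (bb41414141 repeated, and 81fa46505b49 repeated) and walks them from every possible landing offset using a tiny opcode model that knows only the bytes those sleds contain (mov $imm32,%ebx; cmp $imm32,%edx; inc/dec/push/pop; cli). The pattern names, the helper functions and the 256-byte scratch limit are assumptions made for this example; the model is not a general x86 disassembler. It checks three things a practitioner would want to confirm before relying on the trick: that every offset of the mov sled reaches the end, that the cmp sled is fatal exactly at the offset of the cli byte, that no two adjacent offsets of the cmp sled are both fatal (which is what the "add 93, then 1" brute-force stepping relies on), and that neither sled contains anything close to a 50-byte run of a single repeated byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical opcode model for this example only. It covers exactly the bytes
 * that appear in the two sleds from the post:
 *   bb imm32      mov $imm32, %ebx   (5 bytes)
 *   81 fa imm32   cmp $imm32, %edx   (6 bytes)
 *   41 46 49      inc %ecx, inc %esi, dec %ecx
 *   50 5b         push %eax, pop %ebx
 *   fa            cli (privileged: faults in user mode) */

static const uint8_t MOV_EBX_PAT[5] = { 0xbb, 0x41, 0x41, 0x41, 0x41 };
static const uint8_t CMP_EDX_PAT[6] = { 0x81, 0xfa, 0x46, 0x50, 0x5b, 0x49 };

/* Fill out[] with reps copies of pat; returns bytes written, 0 if it won't fit. */
size_t build_sled(uint8_t *out, size_t cap, const uint8_t *pat, size_t patlen, size_t reps)
{
    if (patlen * reps > cap) return 0;
    for (size_t i = 0; i < reps; i++)
        memcpy(out + i * patlen, pat, patlen);
    return patlen * reps;
}

/* Length of the instruction at p. 0 means cli (fatal); -1 means a byte the
 * model does not know, which is treated as fatal as well. */
static int insn_len(const uint8_t *p, size_t remaining)
{
    switch (p[0]) {
    case 0xbb:                                      /* mov $imm32, %ebx */
        return remaining >= 5 ? 5 : -1;
    case 0x81:                                      /* only cmp $imm32, %edx is modelled */
        return (remaining >= 6 && p[1] == 0xfa) ? 6 : -1;
    case 0x41: case 0x46: case 0x49:                /* inc %ecx, inc %esi, dec %ecx */
    case 0x50: case 0x5b:                           /* push %eax, pop %ebx */
        return 1;
    case 0xfa:                                      /* cli */
        return 0;
    default:
        return -1;
    }
}

/* Walk the sled from offset off. Returns 1 if execution falls off the end of
 * the sled (into whatever follows it), 0 if it hits cli or an unknown byte. */
int sled_survives(const uint8_t *sled, size_t len, size_t off)
{
    while (off < len) {
        int n = insn_len(sled + off, len - off);
        if (n <= 0) return 0;
        off += (size_t)n;
    }
    return 1;
}

/* Number of landing offsets from which execution reaches the end of the sled. */
size_t safe_landings(const uint8_t *sled, size_t len)
{
    size_t ok = 0;
    for (size_t off = 0; off < len; off++)
        ok += (size_t)sled_survives(sled, len, off);
    return ok;
}

/* Same, for reps copies of pat in a scratch buffer; SIZE_MAX if it does not fit. */
size_t safe_landings_repeated(const uint8_t *pat, size_t patlen, size_t reps)
{
    uint8_t buf[256];
    size_t len = build_sled(buf, sizeof buf, pat, patlen, reps);
    return len ? safe_landings(buf, len) : SIZE_MAX;
}

/* The brute-force stepping in the post needs no two adjacent offsets to both be
 * fatal: if a guess lands on cli, guess+1 must be good. 1 if that holds. */
int adjacent_landing_is_safe(const uint8_t *sled, size_t len)
{
    for (size_t off = 0; off + 1 < len; off++)
        if (!sled_survives(sled, len, off) && !sled_survives(sled, len, off + 1))
            return 0;
    return 1;
}

/* Longest run of one repeated byte: the feature a "50 to 60 NOPs in a row"
 * detector keys on. */
size_t longest_byte_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}

int main(void)
{
    printf("mov sled: %zu/100 landings safe, longest byte run %zu\n",
           safe_landings_repeated(MOV_EBX_PAT, 5, 20), longest_byte_run(MOV_EBX_PAT, 5));
    printf("cmp sled: %zu/96 landings safe, cli at offset 1 fatal=%d, adjacent-safe=%d\n",
           safe_landings_repeated(CMP_EDX_PAT, 6, 16), !sled_survives(CMP_EDX_PAT, 6, 1),
           adjacent_landing_is_safe(CMP_EDX_PAT, 6));
    return 0;
}
```

The mov sled survives from all 100 of 100 offsets and its longest repeated-byte run is 4, far under the detector's 50-to-60 threshold; the cmp sled loses one offset per 6-byte repetition (the cli byte), so 80 of 96 offsets survive, and no two neighbouring offsets are both fatal. Note that the walk only models the sled itself: what the leftover inc/dec/push/pop and the stray cmp do to register and stack state before the payload runs still has to be checked against the actual shellcode.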
This archive was generated by hypermail 2b30 : Sun Jan 27 2002 - 09:14:36 PST