Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs

• Previous message: Robert Flicker: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
• In reply to: Robert Flicker: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
• Next in thread: Gerardo Richarte: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs"
• Reply: Gerardo Richarte: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 26 Jan 2002, Robert Flicker wrote:

> His ideas revolve around counting multiple NOP type operations in a row and 
> alerting when a threshold is reached. The idea has been kicked around for a 
> while, but this is the first one that I have seen in actual implementation.

The time has come to replace nop with another harmless instruction?
Let's say, "inc %eax" on i386 (assuming the shellcode does not need to
know the original value of %eax)? Or "mov $0x40b048b4, %eax"?
(The explanation is left as an exercise to any reader who has got a
disassembler.)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

• Next message: Gaziel, Avishay: "RE: ASP Security"
• Previous message: Robert Flicker: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
• In reply to: Robert Flicker: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs"
• Next in thread: Gerardo Richarte: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs"
• Reply: Gerardo Richarte: "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jan 27 2002 - 14:17:18 PST