Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. Application IDSs

From: Gerardo Richarte (core.lists.exploit-dev@core-sdi.com)
Date: Mon Jan 28 2002 - 12:09:29 PST


    Pavel Kankovsky wrote:
    
    > The time has come to replace nop with another harmless instruction?
    
        Along the same lines, we've been talking about this with some friends and coworkers;
    I'll just add another $0.02 in the name of all these ppl :)
    
        is    nop               a nop? sure man!
        is    inc %eax          a nop? erm... well... yes
        is    mov $1,%al        a nop? yessss...
        is    mov %esp,%ebp     a nop? well.. yes..
    
        what is a nop?
    
        as futo said...
    
        is a quicksort routine a nop?
        is Windows NT mostly a nop?
    
        as futo and cmg said:
    
        determining what a nop is is harder than the halting problem, or at least, equivalent
    
        I think we have to go back to antivirus, we need to take a look at what antiviral companies
    learned, and use that knowledge.
    
        I don't like some of the methods very much, for example some of them create a virtual
    machine and execute the suspected program in a sandbox (http://www.softland.com.ar/Info/NAV/NAV4net.htm and http://enterprisesecurity.symantec.com/article.cfm?articleid=11&EID=1 for example).
        I wouldn't recommend that, but anybody can use it :)
    
        And as for the alignment problem, on a lot of exploits you know if you are returning to an address
    aligned to 4 or not...
    
        well.. as i said, just some more $0.02
    
        gera
    
    PS:
       .byte    0xb0        # together with the next byte: mov $0xb8,%al
    a:
       .byte    0xb8        # decoded from a: mov $imm32,%eax, eating 4 bytes of the call
       call     a
       .byte    0xc0        # together with the call's last 0xff byte: inc %eax
       pop      %eax        # pops the return address pushed by "call a"
    
    --- for a personal reply use: Gerardo Richarte <geraat_private>
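    Added example (mine, not from gera's mail or the NGSEC whitepaper): a toy decoder for just the opcodes used in the PS above, contrasting what a linear byte scan sees with what the CPU executes once the call lands one byte inside an instruction. The decoder and the byte string are constructed here for illustration; an IDS that classifies decoded instructions as "nop or not" only ever sees the first stream.

```python
# Added example, not part of the original mail; decoder covers only the PS opcodes.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

def decode_one(code, off):
    """Decode one instruction at `off`; return (length, text, call_target_or_None)."""
    op = code[off]
    if 0xb0 <= op <= 0xb7:                               # mov imm8, r8
        return 2, f"mov $0x{code[off + 1]:02x},%{REG8[op - 0xb0]}", None
    if 0xb8 <= op <= 0xbf:                               # mov imm32, r32
        (imm,) = struct.unpack_from("<I", code, off + 1)
        return 5, f"mov $0x{imm:08x},%{REG32[op - 0xb8]}", None
    if 0x58 <= op <= 0x5f:                               # pop r32
        return 1, f"pop %{REG32[op - 0x58]}", None
    if op == 0xe8:                                       # call rel32
        (rel,) = struct.unpack_from("<i", code, off + 1)
        return 5, f"call 0x{off + 5 + rel:x}", off + 5 + rel
    if op == 0xff and off + 1 < len(code) and code[off + 1] & 0xf8 == 0xc0:
        return 2, f"inc %{REG32[code[off + 1] & 7]}", None   # inc r32 (FF /0, mod=11)
    return 1, f".byte 0x{op:02x}", None                  # anything else: opaque byte

def linear_sweep(code):
    """What a byte-by-byte scanner sees: decode from offset 0 straight through."""
    out, off = [], 0
    while off < len(code):
        n, text, _ = decode_one(code, off)
        out.append((off, text))
        off += n
    return out

def execution_trace(code):
    """What the CPU executes: follow the call, which lands inside the earlier mov."""
    out, off = [], 0
    while off < len(code):
        n, text, target = decode_one(code, off)
        out.append((off, text))
        off = target if target is not None else off + n
    return out

# gera's PS assembled at address 0 (bytes constructed here by hand):
#   .byte 0xb0 / a: .byte 0xb8 / call a / .byte 0xc0 / pop %eax
PS = bytes([0xb0, 0xb8, 0xe8, 0xfa, 0xff, 0xff, 0xff, 0xc0, 0x58])

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(PS)), ("execution", execution_trace(PS))):
        print(name + ":", "; ".join(f"{off}: {t}" for off, t in listing))
```

    The linear sweep reports a `call`, an orphan `0xc0` byte and a `pop`, while the executed path is `mov $0xb8,%al; call; mov $imm32,%eax; inc %eax; pop %eax`, none of which is `0x90`, and the final `pop` leaves the call's return address in %eax.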
    

    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 14:31:11 PST