Pavel Kankovsky wrote:

> The time has come to replace nop with another harmless instruction?

On the same lines, we've been talking about this with some friends and coworkers; I'll just add another $0.02 in the name of all these people :)

is nop a nop? sure man!
is inc %eax a nop? erm... well... yes
is mov $1,%al a nop? yessss...
is mov %esp, %ebp a nop? well.. yes..
what is a nop? as futo said...
is a quicksort routine a nop?
is Windows NT mostly a nop?

as futo and cmg said: determining what a nop is is harder than the halting problem, or at least, equivalent

I think we have to go back to antivirus, we need to take a look at what antiviral companies learned, and use that knowledge. I don't like some of the methods very much, for example some of them create a virtual machine and execute the suspected program in a sandbox (http://www.softland.com.ar/Info/NAV/NAV4net.htm and http://enterprisesecurity.symantec.com/article.cfm?articleid=11&EID=1 for example). I wouldn't recommend that, but anybody can use it :)

And as for the alignment problem, on a lot of exploits you know if you are returning to an address aligned to 4 or not...

well.. as I said, just some more $0.02

    gera

PS:
        .byte 0xb0        # mov $imm8, %al: swallows the 0xb8 below as its immediate
a:      .byte 0xb8        # entered here it is mov $imm32, %eax and swallows most of the call
        call a            # pushes the return address, jumps back into the 0xb8 byte
        .byte 0xc0        # with the call's trailing 0xff byte forms ff c0 = inc %eax
        pop %eax          # pops the return address the call pushed

---
for a personal reply use: Gerardo Richarte <geraat_private>
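To make the point of the PS concrete from the analysis side, here is an added example (not code from the post): a tiny decoder for only the x86 opcodes that byte sequence can produce, showing that the same bytes execute as a stack-balanced sequence when entered at offset 0 and as an unbalanced one when entered at offset 1, so a byte pattern alone cannot say whether it is "a nop". The exact encoding (a 5-byte e8 call with rel32 = -6) is my assumption about how the PS assembles.

```python
import struct

# Constructed: the PS sequence assembled at offset 0 (assumed encoding).
# 'call a' is e8 rel32 with a = offset 1, so rel32 = 1 - 7 = -6 (fa ff ff ff).
GERA_PS = bytes([0xB0, 0xB8, 0xE8, 0xFA, 0xFF, 0xFF, 0xFF, 0xC0, 0x58])

def decode_one(code: bytes, off: int):
    """Decode one instruction at off -> (length, AT&T text).
    Only the opcodes the PS sequence can produce (plus nop) are handled."""
    op = code[off]
    if op == 0x90:
        return 1, "nop"
    if op == 0xB0:                                  # mov $imm8, %al
        return 2, f"mov ${code[off + 1]:#x}, %al"
    if op == 0xB8:                                  # mov $imm32, %eax
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"mov ${imm:#x}, %eax"
    if op == 0xE8:                                  # call rel32 (target = next insn + rel)
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, f"call {off + 5 + rel:#x}"
    if op == 0xFF and code[off + 1] == 0xC0:        # ff /0 with modrm c0 = inc %eax
        return 2, "inc %eax"
    if op == 0x58:                                  # pop %eax
        return 1, "pop %eax"
    raise ValueError(f"unhandled opcode {op:#x} at offset {off}")

def trace(code: bytes, entry: int):
    """Follow control flow from entry (direct calls are taken, each offset once)
    and return the executed instructions as (offset, text) pairs."""
    out, off, seen = [], entry, set()
    while off < len(code) and off not in seen:
        seen.add(off)
        length, text = decode_one(code, off)
        out.append((off, text))
        off = int(text.split()[1], 16) if text.startswith("call") else off + length
    return out

def stack_delta(executed):
    """Net stack effect in dwords: call pushes one, pop removes one."""
    return sum(1 if t.startswith("call") else -1 if t.startswith("pop") else 0
               for _, t in executed)

if __name__ == "__main__":
    for entry in (0, 1):
        run = trace(GERA_PS, entry)
        print(f"entry at offset {entry}: stack delta {stack_delta(run):+d}")
        for off, text in run:
            print(f"  {off:#04x}  {text}")
```

From offset 0 the call and the pop cancel and only %eax is clobbered (it ends up holding the return address); from offset 1 the pop removes a dword nobody pushed.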
This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 14:31:11 PST