The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Abstract: Use of shellcode in polymorphic form has become common as the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to make the address of the encrypted code accessible. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory in which the encrypted code is positioned.
Copyright notice
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Daewon KIM, Ikkyun KIM, Jintae OH, Jongsoo JANG, "Tracing Stored Program Counter to Detect Polymorphic Shellcode" in IEICE TRANSACTIONS on Information,
vol. E91-D, no. 8, pp. 2192-2195, August 2008, doi: 10.1093/ietisy/e91-d.8.2192.
Abstract: Use of shellcode in polymorphic form has become common as the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to make the address of the encrypted code accessible. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory in which the encrypted code is positioned.
URL: https://global.ieice.org/en_transactions/information/10.1093/ietisy/e91-d.8.2192/_p
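The abstract states the idea only: follow the program counter that a GetPC stub pushes on the stack, through register moves, to the point where it is used as a memory address. The following is an added illustrative example written for this page, not the authors' implementation or the analysis described in the paper. It builds a constructed call/pop XOR decoder stub as a byte string and runs a minimal x86 subset tracer over it that taints the register receiving the stored program counter, propagates the taint through `mov`, `add`/`sub` and `inc`/`dec`, and reports the offset of the first instruction that dereferences memory through a tainted register. The opcode subset, the function name `find_stored_pc_deref` and the three sample byte strings are assumptions; `fstenv`-based and other GetPC forms are outside this toy decoder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Taint state: is the stack top a stored PC, and which of EAX..EDI
   (indexed by ModRM register number) currently hold a PC-derived value. */
typedef struct {
    int stack_top_is_pc;
    int reg_tainted[8];
} taint_state;

/* Returns the byte offset of the first instruction that accesses memory
   through a register derived from the stored program counter, or -1 if the
   decoded subset contains none. Only opcodes typical of small decoder stubs
   are decoded (assumption); any other opcode ends the scan. */
int find_stored_pc_deref(const uint8_t *code, size_t len)
{
    taint_state st;
    size_t i = 0;
    memset(&st, 0, sizeof st);
    while (i < len) {
        uint8_t op = code[i];
        if (op == 0xE8 && i + 5 <= len) {                   /* call rel32 */
            if (code[i+1] == 0 && code[i+2] == 0 && code[i+3] == 0 && code[i+4] == 0)
                st.stack_top_is_pc = 1;                      /* call $+5: pushes the PC */
            i += 5;
        } else if (op >= 0x58 && op <= 0x5F) {               /* pop r32 */
            st.reg_tainted[op - 0x58] = st.stack_top_is_pc;  /* PC moves stack -> register */
            st.stack_top_is_pc = 0;
            i += 1;
        } else if ((op == 0x89 || op == 0x8B) && i + 2 <= len) { /* mov r/m32,r32 / mov r32,r/m32 */
            uint8_t modrm = code[i+1];
            int reg = (modrm >> 3) & 7, rm = modrm & 7;
            if ((modrm >> 6) != 3) return -1;                /* memory forms not modelled */
            int dst = (op == 0x89) ? rm : reg;
            int src = (op == 0x89) ? reg : rm;
            st.reg_tainted[dst] = st.reg_tainted[src];       /* register-to-register move */
            i += 2;
        } else if (op == 0x83 && i + 3 <= len) {             /* group1 r/m32, imm8 */
            uint8_t modrm = code[i+1];
            if ((modrm >> 6) != 3) return -1;
            int sub = (modrm >> 3) & 7;
            if (sub != 0 && sub != 5)                        /* add/sub keep a pointer PC-derived */
                st.reg_tainted[modrm & 7] = 0;               /* and/or/xor/... destroy it */
            i += 3;
        } else if (op >= 0xB8 && op <= 0xBF && i + 5 <= len) { /* mov r32, imm32 */
            st.reg_tainted[op - 0xB8] = 0;                   /* absolute value, not PC-derived */
            i += 5;
        } else if (op >= 0x40 && op <= 0x4F) {               /* inc/dec r32: taint unchanged */
            i += 1;
        } else if ((op == 0x80 || op == 0x30 || op == 0x31) && i + 2 <= len) { /* xor-style RMW */
            uint8_t modrm = code[i+1];
            int mod = modrm >> 6, rm = modrm & 7;
            size_t disp = (mod == 1) ? 1 : (mod == 2 || (mod == 0 && rm == 5)) ? 4 : 0;
            if (mod != 3) {
                if (rm == 4) return -1;                      /* SIB addressing not modelled */
                if (!(mod == 0 && rm == 5) && st.reg_tainted[rm])
                    return (int)i;                           /* memory accessed via stored PC */
            }
            i += 2 + disp + (op == 0x80 ? 1 : 0);
        } else if (op == 0xE2 && i + 2 <= len) {             /* loop rel8 */
            i += 2;
        } else {
            return -1;
        }
    }
    return -1;
}

/* Constructed sample: classic call/pop GetPC followed by a byte-XOR loop. */
static const uint8_t getpc_xor_decoder[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   /*  0: call $+5        store PC on the stack   */
    0x5E,                           /*  5: pop esi         PC now in esi            */
    0x89, 0xF7,                     /*  6: mov edi, esi    moved between registers  */
    0x83, 0xC7, 0x12,               /*  8: add edi, 0x12   skip past the stub       */
    0xB9, 0x10, 0x00, 0x00, 0x00,   /* 11: mov ecx, 16                              */
    0x80, 0x37, 0xAA,               /* 16: xor byte [edi], 0xAA  deref via stored PC*/
    0x47,                           /* 19: inc edi                                  */
    0xE2, 0xFA,                     /* 20: loop 16                                  */
};

/* Constructed sample: same XOR loop, but the pointer is an absolute address. */
static const uint8_t plain_xor_loop[] = {
    0xBF, 0x00, 0x10, 0x40, 0x00,   /* mov edi, 0x401000   no program counter involved */
    0xB9, 0x10, 0x00, 0x00, 0x00,   /* mov ecx, 16 */
    0x80, 0x37, 0xAA,               /* xor byte [edi], 0xAA */
    0x47,                           /* inc edi */
    0xE2, 0xFA,                     /* loop */
};

/* Constructed sample: GetPC whose value is never used as an address. */
static const uint8_t getpc_only[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call $+5 */
    0x5E,                           /* pop esi */
    0x89, 0xF0,                     /* mov eax, esi */
    0xC3,                           /* ret: outside the decoded subset, scan stops */
};

int main(void)
{
    printf("getpc_xor_decoder: %d\n", find_stored_pc_deref(getpc_xor_decoder, sizeof getpc_xor_decoder));
    printf("plain_xor_loop:    %d\n", find_stored_pc_deref(plain_xor_loop, sizeof plain_xor_loop));
    printf("getpc_only:        %d\n", find_stored_pc_deref(getpc_only, sizeof getpc_only));
    return 0;
}
```

The tracer reports offset 16 for the decoder stub (the `xor byte [edi]` whose pointer descends from the popped return address) and -1 for the other two samples, which is the distinction the abstract draws: a GetPC alone, or a memory loop alone, is not the signal; the stored program counter being used as the address of the encrypted code is. A real scanner would need a full-length disassembler and the other GetPC idioms, which this subset deliberately omits.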
@ARTICLE{e91-d_8_2192,
author={Daewon KIM and Ikkyun KIM and Jintae OH and Jongsoo JANG},
journal={IEICE TRANSACTIONS on Information},
title={Tracing Stored Program Counter to Detect Polymorphic Shellcode},
year={2008},
volume={E91-D},
number={8},
pages={2192-2195},
abstract={The shellcode use of the polymorphic form has become active as the de facto method for avoiding signature based network security system. We present a new static analysis method for detecting the decryption routine of the polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter in a stack, moves the value between registers and uses the value in order to make the address of the encrypted code accessible. Most of decryption routines have the feature which they use the program counter stored on a stack as the address for accessing the memory that the encrypted code is positioned.},
keywords={},
doi={10.1093/ietisy/e91-d.8.2192},
ISSN={1745-1361},
month={August},}
TY - JOUR
TI - Tracing Stored Program Counter to Detect Polymorphic Shellcode
T2 - IEICE TRANSACTIONS on Information
SP - 2192
EP - 2195
AU - Daewon KIM
AU - Ikkyun KIM
AU - Jintae OH
AU - Jongsoo JANG
PY - 2008
DO - 10.1093/ietisy/e91-d.8.2192
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E91-D
IS - 8
JA - IEICE TRANSACTIONS on Information
Y1 - August 2008
AB - The shellcode use of the polymorphic form has become active as the de facto method for avoiding signature based network security system. We present a new static analysis method for detecting the decryption routine of the polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter in a stack, moves the value between registers and uses the value in order to make the address of the encrypted code accessible. Most of decryption routines have the feature which they use the program counter stored on a stack as the address for accessing the memory that the encrypted code is positioned.
ER -