Full Disclosure mailing list archives

RE: On Polymorphic Evasion (an alphanumeric version)
From: "m conover" <mconover_001 () hotmail com>
Date: Tue, 05 Oct 2004 01:39:15 +0000

Cool. I will also add to the discussion with an alphanumeric version written with two others for experimentation, though it is limited in that it doesn't vary the length of the decoder stubs or encoded shellcode. spoonm is doing a separate version--I think based on Berend's alpha--that will. Also, I did not test it against any of the different shellcode detectors like Fnord, so I would be curious to know if anyone tries. IMO "as to whether the detection of polymorphic shellcode was indeed an appropriate component of an IDS", I think there is enough prior art on it that it's not really a big deal to publish or discuss code implementing it. It is most likely better to have a variety of generators to test the effectiveness of a shellcode detector. I added a small blurb on additional options for OS-independence with alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative addressing. See attachment.

"Phantasmal Phantasmagoria" <phantasmal () hush ai>
10/01/2004 05:28 PM
Please respond to
phantasmal () hush ai

full-disclosure () lists netsys com, bugtraq () securityfocus com,
focus-ids () securityfocus com

On Polymorphic Evasion

Hash: SHA1

- ------------------------------------

On Polymorphic Evasion
by Phantasmal Phantasmagoria
phantasmal () hush ai


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
