Cool. I will also add to the discussion with an alphanumeric version written
with two others for experimentation, though it is limited in it doesn't vary
the length of the decoder stubs or encoded shellcode. spoonm is doing a
separate version--I think based on Berend's alpha--that will. Also, I did
not test it against any of the different shellcode detectors like Fnord, so
I would be curious to know if anyone tries. IMO "as to whether the detection
of polymorphic shellcode was indeed an appropriate component of an IDS", I
think there is enough prior art on it that it's not really a big deal to
publish or discuss code implementing it. It most likely better to have a
variety of generators to test the effectiveness of a shellcode detector. I
added a small blurb on addtional options for OS-independence with
alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative
addressing. See attachment.
"Phantasmal Phantasmagoria" <phantasmal@hush.ai>
10/01/2004 05:28 PM
Please respond to
phantasmal@hush.ai
To
full-disclosure@lists.netsys.com, bugtraq@securityfocus.com,
focus-ids@securityfocus.com
cc
Subject
On Polymorphic Evasion
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------
On Polymorphic Evasion
by Phantasmal Phantasmagoria
phantasmal@hush.ai
_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
