Tracing Stored Program Counter to Detect Polymorphic Shellcode
Abstract
Polymorphic shellcode has become the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. The method traces the steps by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses it to form the address that makes the encrypted code accessible. Most decryption routines share this feature: they use the program counter saved on the stack as the address for accessing the memory where the encrypted code is located.
- Paper published by the Institute of Electronics, Information and Communication Engineers (IEICE)
- 2008-08-01
Authors
- JANG Jongsoo, Information Security Research Division, Electronics and Telecommunications Research Institute (ETRI)
- KIM Daewon, Information Security Research Division, Electronics and Telecommunications Research Institute (ETRI)
- KIM Ikkyun, Information Security Research Division, Electronics and Telecommunications Research Institute (ETRI)
- OH Jintae, Information Security Research Division, Electronics and Telecommunications Research Institute (ETRI)
Related papers
- Random Visitor : Defense against Identity Attacks in P2P Networks
- Tracing Stored Program Counter to Detect Polymorphic Shellcode
- Executable Code Recognition in Network Flows Using Instruction Transition Probabilities