The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Copyrights notice
The use of shellcode in polymorphic form has become widespread as the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter on a stack, moves the value between registers and uses the value to make the address of the encrypted code accessible. Most decryption routines share the feature that they use the program counter stored on a stack as the memory access address at which the encrypted code is located.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Daewon KIM, Ikkyun KIM, Jintae OH, Jongsoo JANG, "Tracing Stored Program Counter to Detect Polymorphic Shellcode" in IEICE TRANSACTIONS on Information,
vol. E91-D, no. 8, pp. 2192-2195, August 2008, doi: 10.1093/ietisy/e91-d.8.2192.
Abstract: The use of shellcode in polymorphic form has become widespread as the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter on a stack, moves the value between registers and uses the value in order to make the address of the encrypted code accessible. Most decryption routines share the feature that they use the program counter stored on a stack as the address for accessing the memory in which the encrypted code is positioned.
URL: https://global.ieice.org/en_transactions/information/10.1093/ietisy/e91-d.8.2192/_p
@ARTICLE{e91-d_8_2192,
author={Daewon KIM and Ikkyun KIM and Jintae OH and Jongsoo JANG},
journal={IEICE TRANSACTIONS on Information},
title={Tracing Stored Program Counter to Detect Polymorphic Shellcode},
year={2008},
volume={E91-D},
number={8},
pages={2192-2195},
abstract={The shellcode use of the polymorphic form has become active as the de facto method for avoiding signature based network security system. We present a new static analysis method for detecting the decryption routine of the polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter in a stack, moves the value between registers and uses the value in order to make the address of the encrypted code accessible. Most of decryption routines have the feature which they use the program counter stored on a stack as the address for accessing the memory that the encrypted code is positioned.},
keywords={},
doi={10.1093/ietisy/e91-d.8.2192},
ISSN={1745-1361},
month={August}
}
TY - JOUR
TI - Tracing Stored Program Counter to Detect Polymorphic Shellcode
T2 - IEICE TRANSACTIONS on Information
SP - 2192
EP - 2195
AU - Daewon KIM
AU - Ikkyun KIM
AU - Jintae OH
AU - Jongsoo JANG
PY - 2008
DO - 10.1093/ietisy/e91-d.8.2192
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E91-D
IS - 8
JA - IEICE TRANSACTIONS on Information
Y1 - August 2008
AB - The shellcode use of the polymorphic form has become active as the de facto method for avoiding signature based network security system. We present a new static analysis method for detecting the decryption routine of the polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter in a stack, moves the value between registers and uses the value in order to make the address of the encrypted code accessible. Most of decryption routines have the feature which they use the program counter stored on a stack as the address for accessing the memory that the encrypted code is positioned.
ER -