Static shellcode analysis and classification

Aleksander Czarnowski, AVET Information and Network Security

Historically, the term 'shellcode' referred to short binary code that spawned a shell in order to exploit some kind of overflow vulnerability. With advances in intrusion prevention safeguards and the increasing complexity of operating systems and applications, the requirements and form of shellcode have changed. Today, shellcode is used in conjunction with other classes of vulnerabilities besides simple stack or buffer overflows. Shellcode can be encoded in many different ways in order to bypass filters (like the one in ASP.NET) and evade intrusion prevention systems. It ranges from small assembly language programs only a few bytes in size to multipart, multistage code that includes JavaScript or other bytecode/script components.

Such a variety of shellcode forms, and the attackers' ability to generate new variants automatically, creates the need for automatic analysis and classification in order to provide proper detection and protection. The aim of this paper is to describe an automatic, generic method based on static analysis of shellcode for different CPU architectures and operating systems. The proposed approach, based on the meta-processor idea, will be demonstrated with the help of Python-based proof-of-concept code.
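A first-pass static classifier in the spirit of the approach described above, as an added example: this is not the paper's proof-of-concept code, and the marker table, the entropy threshold and the sample blobs are assumptions constructed for the illustration.

```python
import math
from collections import Counter

# Byte sequences of the instruction that hands control to the kernel (or, on
# Windows, locates the PEB). Constructed table for this example, not the
# paper's meta-processor model; markers are little-endian as stored in memory.
SYSCALL_MARKERS = {
    "linux/x86-32": (b"\xcd\x80",),                  # int 0x80
    "linux/x86-64": (b"\x0f\x05",),                  # syscall
    "linux/arm-eabi": (b"\x00\x00\x00\xef",),        # svc #0
    "windows/x86": (b"\x64\xa1\x30\x00\x00\x00",),   # mov eax, fs:[0x30]
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def nop_sled_length(data: bytes, nop: int = 0x90) -> int:
    """Length of the run of single-byte NOPs at the start of the blob."""
    i = 0
    while i < len(data) and data[i] == nop:
        i += 1
    return i

def classify(blob: bytes) -> dict:
    """Architecture-agnostic static pass: which kernel-entry markers appear,
    how random the byte mix is, and whether a NOP sled precedes the code."""
    targets = sorted(t for t, pats in SYSCALL_MARKERS.items()
                     if any(p in blob for p in pats))
    entropy = shannon_entropy(blob)
    if targets:
        verdict = "plain:" + ",".join(targets)
    elif entropy > 6.0:          # assumed threshold: no visible kernel entry, near-random bytes
        verdict = "encoded-or-unknown"
    else:
        verdict = "unknown"
    return {"targets": targets, "entropy": round(entropy, 3),
            "nop_sled": nop_sled_length(blob), "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample blobs (not functional shellcode)
    samples = {
        "sled+x86-32": b"\x90" * 8 + b"\x31\xc0\xcd\x80",
        "x86-64": b"\x48\x31\xc0\x0f\x05",
        "random-looking": bytes(range(256)),
    }
    for name, blob in samples.items():
        print(name, classify(blob))
```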
