检索结果-内蒙古大学图书馆

Identification of Arbitrary Length shellcode for the Intel x64 Architecture as a NOP Sled

IEEE ACCESS 2025年 13卷 65438-65454页

作者： Norby, Austin Rimal, Bhaskar P. Brizendine, Bramwell Bogart Associates Northern Virginia Reston VA 20190 USA Univ Idaho Dept Comp Sci Moscow ID 83844 USA Univ Alabama Huntsville Dept Comp Sci Huntsville AL 35899 USA

A NOP (no-operation) sled is used as part of binary exploitation code to provide flexibility for exploitation accuracy and evade signatures before and after the exploitation has occurred and to transfer execution to the malicious code. The NOP sled requires that the code be executable and effectively "do nothing." More specifically, "do nothing" means that the execution context is not disrupted to a point where the payload fails to execute. We enforce a zero-difference policy during validation for the components of the execution context we are analyzing. This paper uses the Ghidra reverse engineering tool to disassemble, emulate, and analyze a sequence of bytes to determine if they are an "effective NOP." An effective NOP leaves the execution state unchanged after an arbitrary number of instructions. The execution state consists of a collection of registers and their values and a list of memory locations used. The proposed algorithm in this paper uses Ghidra to emulate instructions for NOP sleds and return a boolean true or false value based on the difference between the original and final execution context. The results from this paper are successful for the different types of constructed samples, polymorphic NOP sleds, and real-world data used to validate the artifact. We create an algorithm to calculate the differences between execution contexts, create an artifact to automatically process byte sequences to search for NOP sleds that satisfy our zero-difference policy, identify third-party NOP generators that did not produce NOP byte sequences that met this research's standard and published the source code to an open-source repository.

关键词： Emulation Registers Payloads Feature extraction Malware Reverse engineering Codes Buffer overflows Training Support vector machines Buffer overflow Ghidra NOP sled emulation shellcode vulnerability

来源：评论

学校读者我要写书评

暂无评论

shellcode Detection in IPv6 Networks with HoneydV6 11

Shellcode Detection in IPv6 Networks with HoneydV6

引用

11th International Conference on Security and Cryptography (SECRYPT)

作者： Schindler, Sven Eggert, Oliver Schnor, Bettina Scheffler, Thomas Univ Potsdam Dept Comp Sci Potsdam Germany Beuth Univ Appl Sci Dept Elect Engn Berlin Germany

ISBN: (纸本)9789898565952

More and more networks and services are reachable via IPv6 and the interest for security monitoring of these IPv6 networks is increasing. Honeypots are valuable tools to monitor and analyse network attacks. HoneydV6 is a low-interaction honeypot which is well suited to deal with the large IPv6 address space, since it is capable of simulating a large number of virtual hosts on a single machine. This paper presents an extension for HoneydV6 which allows the detection, extraction and analyses of shellcode contained in IPv6 network attacks. The shellcode detection is based on the open source library libemu and combined with the online malware analysis tool Anubis. We compared the shellcode detection rate of HoneydV6 and Dionaea. While HoneydV6 is able to detect about 25 % of the malicious samples, the Dionaea honeypot detects only about 6 %.

关键词： Honeypot IPv6 shellcode

来源：评论

学校读者我要写书评

暂无评论

shellcode Detector for Malicious Document Hunting

Shellcode Detector for Malicious Document Hunting

引用

IEEE Conference on Dependable and Secure Computing

作者： Chen, Chong-Kuan Lan, Shen-Chieh Shieh, Shiuhpyng Winston Natl Chiao Tung Univ Dept Comp Sci Hsinchu Taiwan

ISBN: (纸本)9781509055692

Advanced Persistent Threat (APT) attacks became a major network threat in recent years. Among APT attack techniques, sending a phishing email with malicious documents attached is considered one of the most effective ones. Although many users have the impression that documents are harmless, a malicious document may in fact contain shellcode to attack victims. To cope with the problem, we design and implement a malicious document detector called Forensor to differentiate malicious documents. Forensor integrates several open-source tools and methods. It first introspects file format to retrieve objects inside the documents, and then automatically decrypts simple encryption methods, e.g., XOR, rot and shift, commonly used in malware to discover potential shellcode. The emulator is used to verify the presence of shellcode. If shellcode is discovered, the file is considered malicious. The experiment used 9,000 benign files and more than 10,000 malware samples from a well-known sample sharing website. The result shows no false negative and only 2 false positives.

关键词： malicious documents malware shellcode

来源：评论

学校读者我要写书评

暂无评论

A robust software watermarking framework using shellcode

引用

MULTIMEDIA TOOLS AND APPLICATIONS 2020年第3-4期79卷 2555-2576页

作者： Dey, Ayan Ghosh, Shibashis Bhattacharya, Sukriti Chaki, Nabendu Univ Calcutta AK Choudhury Sch IT Kolkata India LIST Environm Informat Dept Environm Res & Innovat ERIN Luxembourg Luxembourg Univ Calcutta Dept Comp Sci & Engn Kolkata India

Watermarks have long been applied to ensure the authenticity of media contents. Computer software is an intellectual outcome in the digital domain. Therefore, it has to face all the common threats like illegal redistribution, copying, misuse through malicious modification. However, the majority of the existing software watermarking techniques are suffering from the limitations of existing robustness notions and lack of resilience from a variety of attacks. In this paper, we proposed a novel robust software watermarking scheme based on "shellcode". It is a small piece of code generally used as the payload in the exploitation of a software vulnerability. It consists of a list of carefully arranged machine instructions, executed through injecting into a running application. shellcode serves as the backbone of our proposed watermarking scheme. It is used to achieve both covert communication (steganography), and deterrence (watermarking) process in the proposed watermarking technique. Such a combination gives more robustness and security to the whole process. In this paper, we introduce ShellMark as a proof of concept to illustrate the shellcode based software watermarking technique. We compared and tested ShellMark with already existing software watermarking techniques, and it showed that ShellMark is resilient to most of the well known watermarking attacks.

关键词： Software watermarking shellcode Encryption Hash functions

来源：评论

学校读者我要写书评

暂无评论

Tracing stored program counter to detect polymorphic shellcode

引用

IEICE TRANSACTIONS ON INFORMATION AND SYSTEMS 2008年第8期E91D卷 2192-2195页

作者： Kim, Daewon Kim, Ikkyun Oh, Jintae Jang, Jongsoo Elect & Telecommun Res Inst Informat Secur Res Div Taejon 305350 South Korea

The shellcode use of the polymorphic form has become active as the de facto method for avoiding signature based network security system. We present a new static analysis method for detecting the decryption routine of the polymorphic shellcode. This method traces the processes by which the decryption routine stores the current program counter in a stack, moves the value between registers and uses the value in order to make the address of the encrypted code accessible. Most of decryption routines have the feature which they use the program counter stored on a stack as the address for accessing the memory that the encrypted code is positioned.

关键词： network security shellcode polymorphism

来源：评论

学校读者我要写书评

暂无评论

On the infeasibility of modeling polymorphic shellcode Re-thinking the role of learning in intrusion detection systems

引用

MACHINE LEARNING 2010年第2期81卷 179-205页

作者： Song, Yingbo Locasto, Michael E. Stavrou, Angelos Keromytis, Angelos D. Stolfo, Salvatore J. Columbia Univ Dept Comp Sci New York NY 10027 USA George Mason Univ Dept Comp Sci Fairfax VA 22030 USA

Current trends demonstrate an increasing use of polymorphism by attackers to disguise their exploits. The ability for malicious code to be easily, and automatically, transformed into semantically equivalent variants frustrates attempts to construct simple, easily verifiable representations for use in security sensors. In this paper, we present a quantitative analysis of the strengths and limitations of shellcode polymorphism, and describe the impact that these techniques have in the context of learning-based IDS systems. Our examination focuses on dual problems: shellcode encryption-based evasion methods and targeted "blending" attacks. Both techniques are currently being used in the wild, allowing real exploits to evade IDS sensors. This paper provides metrics to measure the effectiveness of modern polymorphic engines and provide insights into their designs. We describe methods to evade statistics-based IDS sensors and present suggestions on how to defend against them. Our experimental results illustrate that the challenge of modeling self-modifying shellcode by signature-based methods, and certain classes of statistical models, is likely an intractable problem.

关键词： shellcode Polymorphism Metrics Blending

来源：评论

学校读者我要写书评

暂无评论

SecondDEP: Resilient Computing that Prevents shellcode Execution in Cyber-Attacks 19th

SecondDEP: Resilient Computing that Prevents Shellcode Execu...

引用

19th International Conference on Knowledge Based and Intelligent Information and Engineering Systems (KES)

作者： Okamoto, Takeshi Kanagawa Inst Technol Atsugi Kanagawa 2430292 Japan

This paper proposes a novel method of preventing shellcode execution even if DEP is bypassed. The method prevents Windows APIs from calling on a data area by API hooking, based on evidence that shellcode is executed in a data area and that the shellcode calls Windows APIs. Performance tests indicated that all samples of shellcode provided by Metasploit Framework, as well as the 18 most recent attacks using Metasploit Framework, can be detected. Comparison of this method with anti-virus products showed that this method prevented shellcode execution, whereas anti-virus products failed. Another test showed that the overhead of the method has little effect on the performance of computer operations. (C) 2015 The Authors. Published by Elsevier B.V.

关键词： DEP API hooking shellcode cyber-attack vulnerability Metasploit Framework ROP

来源：评论

学校读者我要写书评

暂无评论

Accurate shellcode Recognition from Network Traffic Data using Artificial Neural Nets 28

Accurate Shellcode Recognition from Network Traffic Data usi...

引用

IEEE 28th Canadian Conference on Electrical and Computer Engineering (CCECE)

作者： Onotu, Patrick Day, David Rodrigues, Marcos A. Sheffield Hallam Univ Automat & Control Engn Sheffield S1 1WB S Yorkshire England Sheffield Hallam Univ Sheffield S1 1WB S Yorkshire England

ISBN: (纸本)9781479958290

This paper presents an approach to shellcode recognition directly from network traffic data using a multi-layer perceptron with back-propagation learning algorithm. Using raw network data composed of a mixture of shellcode, image files, and DLL-Dynamic Link Library files, our proposed design was able to classify the three types of data with high accuracy and high precision with neither false positives nor false negatives. The proposed method comprises simple and fast pre-processing of raw data of a fixed length for each network data package and yields perfect results with 100% accuracy for the three data types considered. The research is significant in the context of network security and intrusion detection systems. Work is under way for real time recognition and fine-tuning the differentiation between various shellcodes.

关键词： Neural net network security intrusion detection system pattern recognition shellcode false positive

来源：评论

学校读者我要写书评

暂无评论

English shellcode 09

English Shellcode

引用

16th ACM Conference on Computer and Communications Security

作者： Mason, Joshua Small, Sam Monrose, Fabian MacManus, Greg Johns Hopkins Univ Baltimore MD 21218 USA

ISBN: (纸本)9781605583525

History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target one or more of the essential components This abstraction is evident m much of the literature for buffer overflow attacks including, for instance, stack protection and NOP sled detection It comes as no surprise then that we approach shellcode detection and prevention in a similar fashion However, the common belief that components of polymorphic shellcode (c g the decoder) cannot reliably be hidden suggests a more implicit and broader assumption that continues to drive contemporary research namely, that valid and complete representations of shellcode are fundamentally different in structure than benign payloads While the first tenet of this assumption is philosophically undeniable (i e, a string of bytes is either shellcode or It is not), truth of the latter claim is less obvious if there exist encoding techniques capable of producing shellcode with features nearly indistinguishable from non-executable content In this paper, we challenge the assumption that shellcode must conform to superficial and discernible representations Specifically, we demonstrate a technique for automatically producing English shellcode, transforming arbitrary shellcode into a representation that is superficially similar to English prose The shellcode is completely self-contained-i e, it does not. require an external loader and executes as valid IA32 code) and can typically be generated in under an hour on commodity hardware Our primary objective in this paper is to promote discussion and stimulate new ideas for thinking ahead about preventive measures for tackling evolutions in code-injection attacks

关键词： shellcode Natural Language Network Emulation

来源：评论

学校读者我要写书评

暂无评论

k-Depth Mimicry Attack to Secretly Embed shellcode into PDF Files 8th

<i>k</i>-Depth Mimicry Attack to Secretly Embed Shellcode in...

引用

iCatse International Conference on Information Science and Applications (ICISA)

作者： Park, Jaewoo Kim, Hyoungshick Sungkyunkwan Univ Dept Software Suwon 2066 South Korea

ISBN: (纸本)9789811041549;9789811041532

This paper revisits the shellcode embedding problem for PDF files. We found that a popularly used shellcode embedding technique called reverse mimicry attack has not been shown to be effective against well-trained state-of-the-art detectors. To overcome the limitation of the reverse mimicry method against existing shellcode detectors, we extend the idea of reverse mimicry attack to a more generalized one by applying the k-depth mimicry method to PDF files. We implement a proof-of-concept tool for the k-depth mimicry attack and show its feasibility by generating shellcode-embedded PDF files to evade the best known shellcode detector (PDFrate) with three classifiers. The experimental results show that all tested classifiers failed to effectively detect the shellcode embedded by the k-depth mimicry method when k >= 20.

关键词： Security Malware PDF shellcode Mimicry attack

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：