The use of shellcode in polymorphic form has become the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to form the address at which the encrypted code can be accessed. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory in which the encrypted code is located.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Daewon KIM, Ikkyun KIM, Jintae OH, Jongsoo JANG, "Tracing Stored Program Counter to Detect Polymorphic Shellcode" in IEICE TRANSACTIONS on Information, vol. E91-D, no. 8, pp. 2192-2195, August 2008, doi: 10.1093/ietisy/e91-d.8.2192.
Abstract: The use of shellcode in polymorphic form has become the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to form the address at which the encrypted code can be accessed. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory in which the encrypted code is located.
URL: https://global.ieice.org/en_transactions/information/10.1093/ietisy/e91-d.8.2192/_p
@ARTICLE{e91-d_8_2192,
author={Daewon KIM and Ikkyun KIM and Jintae OH and Jongsoo JANG},
journal={IEICE TRANSACTIONS on Information},
title={Tracing Stored Program Counter to Detect Polymorphic Shellcode},
year={2008},
volume={E91-D},
number={8},
pages={2192-2195},
abstract={The use of shellcode in polymorphic form has become the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to form the address at which the encrypted code can be accessed. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory in which the encrypted code is located.},
keywords={},
doi={10.1093/ietisy/e91-d.8.2192},
ISSN={1745-1361},
month={August},}
TY - JOUR
TI - Tracing Stored Program Counter to Detect Polymorphic Shellcode
T2 - IEICE TRANSACTIONS on Information
SP - 2192
EP - 2195
AU - Daewon KIM
AU - Ikkyun KIM
AU - Jintae OH
AU - Jongsoo JANG
PY - 2008
DO - 10.1093/ietisy/e91-d.8.2192
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E91-D
IS - 8
JA - IEICE TRANSACTIONS on Information
Y1 - August 2008
AB - The use of shellcode in polymorphic form has become the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to form the address at which the encrypted code can be accessed. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory in which the encrypted code is located.
ER -