Paper Abstract and Keywords
Presentation
2010-11-05 16:25
A Shellcode Analysis Method using CPU Emulator and Dynamic Binary Instrumentation
Chiaki Jimbo, Katsunari Yoshioka, Junji Shikata, Tsutomu Matsumoto (Yokohama National Univ.), Masashi Eto, Daisuke Inoue, Koji Nakao (NICT)
ICSS2010-54
Abstract
The epidemic of Conficker shows that remote exploit attacks are still one of the most serious threats to computer systems. Detecting the presence of these attacks in network traffic has been a major focus of the security community. Detecting remote exploit attacks, however, is not always sufficient to mitigate the threat; it is also important to understand what these attacks do to the target systems. In this paper, we propose a shellcode analysis method that uses a CPU emulator to detect shellcodes and then analyzes them in detail by tracing their execution on a real Windows OS using Dynamic Binary Instrumentation. In this method, we automatically analyze and classify shellcodes according to their characteristic components, such as the NOP sled, the decoder, and the content of the payload, including API calls.
Keywords
Remote exploit attacks / Shellcode / Analysis and Classification / CPU emulation / Dynamic Binary Instrumentation
Reference Info.
IEICE Tech. Rep., vol. 110, no. 266, ICSS2010-54, pp. 59-64, Nov. 2010.
Paper #: ICSS2010-54
Date of Issue: 2010-10-29 (ICSS)
ISSN: Print edition ISSN 0913-5685; Online edition ISSN 2432-6380
Copyright and reproduction
All rights are reserved and no part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system, without permission in writing from the publisher. Notwithstanding, instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. (License No.: 10GA0019/12GB0052/13GB0056/17GB0034/18GB0034)