Obfuscated Shellcode - Hiding from IDS

Shellcode is in essence what an attacker uploads to a victim when exploiting a buffer overflow vulnerability. One of the challenges an exploit author faces is how to get the shellcode past any intrusion detection devices that may exist on the network or host. These IDS systems look for the common signature values of events such as the "NOP sled".

A NOP sled is a series of instructions to the CPU that do nothing; in other words, they execute a "pay attention but wait for further instructions" type of statement. The NOP sled allows the attacker to be less precise about where the shellcode gets placed in the victim's RAM, because execution can land anywhere in the sled and slide down into the shellcode.
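To make the signature idea concrete, here is a small added example (not code from the original post or from the linked articles) of the kind of check an IDS applies to payload bytes: it looks for a long run of the classic x86 NOP byte (0x90), and, as a broader heuristic, for a long run of any single repeated byte. The sample buffers and the run-length threshold are constructed for illustration.

```python
# Added example: minimal NOP-sled signature checks of the kind an IDS applies
# to a captured payload. Sample buffers and threshold are constructed here.
from typing import Tuple

NOP = 0x90          # x86 single-byte NOP, the classic sled byte
THRESHOLD = 32      # constructed cut-off: runs this long are suspicious


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest consecutive run of `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def longest_repeated_byte_run(data: bytes) -> Tuple[int, int]:
    """(length, byte value) of the longest run of any single repeated byte.

    Generalizes the 0x90 check: a sled padded with some other constant byte
    still shows up as an unusually long run of one value.
    """
    best_len, best_val = 0, -1
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_len, best_val = j - i, data[i]
        i = j
    return best_len, best_val


def classify(data: bytes, threshold: int = THRESHOLD) -> str:
    """Return 'nop-sled', 'repeated-byte' or 'clean' for a payload."""
    if longest_run(data, NOP) >= threshold:
        return "nop-sled"
    run_len, _ = longest_repeated_byte_run(data)
    if run_len >= threshold:
        return "repeated-byte"
    return "clean"


# Constructed sample payloads (not real captures).
CLASSIC_SLED = b"\x90" * 64 + b"\xcc" * 8          # 0x90 sled, then a stand-in body
PADDED_SLED = b"A" * 40 + b"\x90" * 4 + b"\xcc" * 8  # long run of a non-NOP byte
NO_SLED = bytes(range(256))                         # every byte differs from its neighbour

if __name__ == "__main__":
    for name, buf in (("classic", CLASSIC_SLED), ("padded", PADDED_SLED), ("none", NO_SLED)):
        print(f"{name:8s} -> {classify(buf)}")
```

Both checks are deliberately simple: they catch the textbook sled and constant-byte padding, but a sled assembled from varying do-nothing instructions produces no long run of one byte and passes both. That gap is exactly what the linked articles address, and why stronger detectors move from byte-pattern matching toward inspecting the instruction stream itself.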

The article below describes some different ways an attacker might hide the NOP sled from Intrusion Detection Systems and how an IDS might be adjusted to look out for them.

Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 1)
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 2)
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 3)
