ETRI-Knowledge Sharing Platform


Details

Journal article: Tracing Stored Program Counter to Detect Polymorphic Shellcode
Cited 3 times in Scopus. Downloaded 2 times.
Authors
김대원, 김익균, 오진태, 장종수
Publication date
2008-08
Source
IEICE Transactions on Information and Systems, v.E91-D no.8, pp.2192-2195
ISSN
0916-8532
Publisher
Japan, Institute of Electronics, Information and Communication Engineers (IEICE)
DOI
https://dx.doi.org/10.1093/ietisy/e91-d.8.2192
Funded project
08MS2100, Development of Real-Time Attack Signature Generation and Management Technology for Responding to Zero-Day Attacks among Network Threats, 장종수
Abstract
The use of polymorphic shellcode has become the de facto method for evading signature-based network security systems. We present a new static analysis method for detecting the decryption routine of polymorphic shellcode. This method traces the process by which the decryption routine stores the current program counter on the stack, moves the value between registers, and uses the value to make the address of the encrypted code accessible. Most decryption routines share the feature that they use the program counter stored on the stack as the address for accessing the memory where the encrypted code is located. Copyright © 2008 The Institute of Electronics, Information and Communication Engineers.