[Snort-sigs] Pattern Matching in encoded Shellcode

felix.matenaar@...3492... felix.matenaar at ...3491...
Fri Apr 23 18:36:00 EDT 2010


Hello everyone,

this is my first post on this mailing list and I'm far away from knowing
much about snort. I just would like to present an idea and would be
happy about some feedback. As you all know a lot of exploits use
encoding for intrusion detection evasion. Two of the often used schemes are
ROT and XOR. The question was if there is an efficient way to do pattern
matching in encoded shellcode parts. Imagine a tuple of XOR encoded
bytes A which is our encoded shellcode. Let B be a tuple of bytes which
is our signature in plain. When you want to do pattern matching in A you
can do the following:

Create a tuple A' which has a length of A-1 by doing A'[i] := A[i] XOR
A[i+1]. Because A[i] is the plain byte XOR the key, as A[i+1] is, the key
XORs to 0 and what we get is the XOR of both plain bytes. When we do the
same for B and generate B', B' will be a substring of A' when the
signature B was in the plaintext of A before.

I couldn't find anything about that yet. Is that something which could be
interesting to implement or is that old stuff?

Thanks for your feedback,
    Felix
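The adjacent-byte differential described in the post, as an added example that is not Felix's code and not part of Snort: it covers both XOR and ROT (byte-wise add) with a constant single-byte key, recovers the key candidate from a hit, and shows why low-entropy signatures are weak under this scheme. All sample inputs are constructed.

```python
from typing import List, Tuple

# Each scheme: (differential transform, key recovery from one (cipher, plain) pair).
# XOR: A'[i] = A[i] ^ A[i+1]; a constant key cancels because k ^ k = 0.
# ROT: A'[i] = (A[i+1] - A[i]) mod 256; a constant additive key cancels likewise.
SCHEMES = {
    "xor": (lambda d: bytes(a ^ b for a, b in zip(d, d[1:])),
            lambda c, p: c ^ p),
    "rot": (lambda d: bytes((b - a) & 0xFF for a, b in zip(d, d[1:])),
            lambda c, p: (c - p) & 0xFF),
}


def encode(plain: bytes, key: int, scheme: str) -> bytes:
    """Constructed encoder used only to build test data for the matcher."""
    if scheme == "xor":
        return bytes(b ^ key for b in plain)
    return bytes((b + key) & 0xFF for b in plain)


def find_encoded(signature: bytes, data: bytes, scheme: str) -> List[Tuple[int, int]]:
    """Return (offset, candidate_key) for each place where the differential of
    `signature` occurs in the differential of `data`.  Needs len(signature) >= 2.
    An unencoded occurrence is reported with key 0 (XOR) / 0 (ROT)."""
    diff, recover = SCHEMES[scheme]
    sig_d = diff(signature)
    data_d = diff(data)
    hits = []
    start = 0
    while (idx := data_d.find(sig_d, start)) >= 0:
        # Offset in the differential equals the offset of the first byte in data.
        hits.append((idx, recover(data[idx], signature[0])))
        start = idx + 1
    return hits


if __name__ == "__main__":
    sig = b"cmd.exe"                              # constructed plain signature
    payload = b"junk" + sig + b"tail"             # constructed "shellcode"
    print(find_encoded(sig, encode(payload, 0x5A, "xor"), "xor"))  # [(4, 90)]
    print(find_encoded(sig, encode(payload, 13, "rot"), "rot"))    # [(4, 13)]
    # Caveat: a repeated-byte signature has an all-zero differential and
    # therefore matches any run of identical bytes, whatever the key.
    print(find_encoded(b"AAAA", b"zzzzz", "xor"))  # [(0, 59), (1, 59)]
```

A hit only says the data at that offset equals the signature under *some* constant key, so a rule should still decode with the recovered key and confirm the bytes, and signatures with little byte-to-byte variation will fire on noise.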