Improving Custom Shellcode Detection
- Each 0-day will have a different form depending on the vulnerability.
- Each person who codes an exploit will do it differently depending on the vulnerability.
- ROP attacks (BROP / SROP …): these avoid injecting shellcode directly (handled by CODEBREAKER in V2 via gadget detection). Waiting for version 2.5.3 to move from “experimental” status to “production ready”.
- Attacks with polymorphic embedded shellcode (CODEBREAKER detects the encoding and decrypts it in real time), then attempts a shellcode translation.
- Public shellcode: a simple rule does the job (REGEX or another). Yes, some people are still doing this…
- Custom shellcode (shellcode generator or manual design): CODEBREAKER now detects this type of attack under Linux and Windows x86 (the Linux x86 part is still experimental, therefore disabled by default).
The arguments speak for themselves…
Here is a false positive: besides causing an error in the emulation, we can see that the arguments are invalid. We tell operators about the strong possibility of a false positive.
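The triage logic described above (emulate the candidate, then judge it by whether the emulation faults and whether the syscall arguments are plausible) as an added illustration; this is not CODEBREAKER's code, and the `EmulatedCall` shape, the per-syscall checks and both traces are assumptions constructed for the example.

```python
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class EmulatedCall:
    """One syscall observed while emulating a candidate shellcode (hypothetical shape)."""
    name: str                     # syscall name reported by the emulator
    args: dict                    # decoded arguments (pointed-to strings already read out)
    error: Optional[str] = None   # fault raised by the emulator during this call, if any

def _plausible_path(p) -> bool:
    # A real execve/open target is a short, printable, NUL-free string.
    return (isinstance(p, str) and 0 < len(p) < 256
            and all(ch in string.printable and ch not in "\r\n\t\x0b\x0c" for ch in p))

def _plausible_fd(fd) -> bool:
    return isinstance(fd, int) and 0 <= fd < 1024

# Per-syscall argument checks; hypothetical rules, not CODEBREAKER's own.
CHECKS: Dict[str, Callable[[dict], bool]] = {
    "execve":  lambda a: _plausible_path(a.get("path")),
    "open":    lambda a: _plausible_path(a.get("path")),
    "socket":  lambda a: a.get("domain") in (2, 10) and a.get("type") in (1, 2),
    "connect": lambda a: _plausible_fd(a.get("fd")) and 0 < a.get("port", 0) < 65536,
    "dup2":    lambda a: _plausible_fd(a.get("oldfd")) and _plausible_fd(a.get("newfd")),
}

def assess_trace(calls: List[EmulatedCall]) -> Tuple[str, List[str]]:
    """Classify an emulation trace and return the reasons an operator should see."""
    if not calls:
        return "no-shellcode", ["emulation reached no syscall"]
    reasons = []
    for c in calls:
        if c.error:
            reasons.append(f"{c.name}: emulation error ({c.error})")
        check = CHECKS.get(c.name)
        if check is not None and not check(c.args):
            reasons.append(f"{c.name}: implausible arguments {c.args}")
    if reasons:
        return "possible-false-positive", reasons
    return "likely-shellcode", [f"{len(calls)} syscalls with consistent arguments"]

# Constructed traces, not real detections: one coherent, one that faults on garbage.
CONSISTENT = [EmulatedCall("socket", {"domain": 2, "type": 1}),
              EmulatedCall("connect", {"fd": 3, "port": 4444}),
              EmulatedCall("dup2", {"oldfd": 3, "newfd": 0}),
              EmulatedCall("execve", {"path": "/bin/sh"})]
GARBAGE = [EmulatedCall("open", {"path": "\x8b\xec\x03"}, error="invalid read at 0x41414141")]

if __name__ == "__main__":
    for trace in (CONSISTENT, GARBAGE):
        print(*assess_trace(trace))
```

The reasons list is what the operator sees next to the verdict, so a "possible false positive" can be checked at a glance rather than trusted or discarded blindly.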