Packed, printable, and polymorphic return-oriented programming

Kangjie Lu, Dabi Zou, Weiping Wen, Debin Gao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

10 Scopus citations

Abstract

Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W+X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.

Original languageEnglish (US)
Title of host publicationRecent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings
Pages101-120
Number of pages20
DOIs
StatePublished - Dec 1 2011
Event14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011 - Menlo Park, CA, United States
Duration: Sep 20 2011Sep 21 2011

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6961 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011
CountryUnited States
CityMenlo Park, CA
Period9/20/119/21/11

Keywords

  • Return-oriented programming
  • packer
  • polymorphic malware
  • printable shellcode

Fingerprint Dive into the research topics of 'Packed, printable, and polymorphic return-oriented programming'. Together they form a unique fingerprint.

Cite this