Evolving shell code

Masaki Suenega Symantec Security Response

This paper deals with the shell code seen in data files, such as image files that exploit certain vulnerabilities. At first the shell code used in these files was not difficult to analyse, with most cases having easily resolved API calls. However, gradually the code has become more difficult to analyse, with API calls obfuscated and instructions encrypted.

Some shell code, which we've seen in Microsoft Word documents, destroy their host data files after execution. Other shell codes are represented only by ASCII characters, which look just like benign text. These techniques and others will be discussed in this paper.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.