Static shellcode analysis and classification

Aleksander Czarnowski, AVET Information and Network Security


Historically, the term 'shellcode' referred to a short piece of binary code that spawned a shell in order to exploit some kind of overflow vulnerability. With advances in intrusion prevention safeguards and the increasing complexity of operating systems and applications, the requirements and form of shellcode have changed. Today, shellcode is used in conjunction with other classes of vulnerabilities besides simple stack or buffer overflows. Shellcode can be encoded in many different ways in order to bypass filters (like the one in ASP.NET) and evade intrusion prevention systems. It ranges from small assembly language programs that are only a couple of bytes in size to multipart, multistage code that includes JavaScript or other bytecode/script components.

Such a variety of shellcode forms, combined with attackers' ability to generate new variants automatically, creates the need for automatic analysis and classification in order to provide proper detection and protection. The aim of this paper is to describe an automatic, generic method based on static analysis of shellcode for different CPU architectures and operating systems. The proposed approach, based on the meta-processor idea, will be demonstrated with the help of Python-based proof-of-concept code.
