Session 2 - 1 - Efficient analysis of malicious bytecode: linespeed shellcode detection and fast sandboxing

Presentation Abstract

Generic shellcode detection at the arbitrary-bytestream level has been discussed before; this implementation takes it to a performant level where a commodity laptop can do it at 1 Gbit linespeed. The LDT (local descriptor table), in conjunction with a disassembler engine, is used to execute potentially malicious bytecode in a secure fashion and thereby identify shellcode. The talk explains how the engine works, and some real-world shellcode from the DefCon CTF, real incidents and Metasploit is briefly analyzed and demoed.

pic by Cedric Blancher
(CC BY-SA-NC)

Attachments
HPW2011 - Efficient analysis of malicious bytecode linespeed shellcode detection - Georg Wicherski.pdf (294.33 KB)
HPW2011_georg_wicherski.jpg (134.37 KB)