Malicious Shellcode Detection With Virtual Memory Snapshots

Malicious shellcodes are segments of binary code disguised as normal input data. Once injected into a target process's virtual memory, such shellcodes overwrite the process's return addresses and hijack its control flow, so detecting and filtering them out before they execute is vital to preventing damage. In this paper, the authors propose a new malicious shellcode detection methodology: they take snapshots of the process's virtual memory before the input data are consumed and feed those snapshots to a malicious shellcode detector. The snapshots are used to instantiate a runtime environment that emulates the target process's consumption of the input data, so that the behavior of any embedded shellcode can be monitored without affecting the real process.

Provided by: Institute of Electrical & Electronic Engineers
Topic: Security
Date Added: Aug 2010
Format: PDF