Malicious Shellcode Detection With Virtual Memory Snapshots
Malicious shellcodes are segments of binary code disguised as normal input data. Such shellcodes can be injected into a target process's virtual memory. They overwrite the process's return addresses and hijack control flow. Detecting and filtering out such shellcodes is vital to prevent damage. In this paper, the authors propose a new malicious shellcode detection methodology in which they take snapshots of the process's virtual memory before input data are consumed, and feed the snapshots to a malicious shellcode detector. These snapshots are used to instantiate a runtime environment that emulates the target process's input data consumption to monitor shellcodes' behaviors.