http://dx.doi.org/10.13089/JKIISC.2012.22.3.691

Hiding Shellcode in the 24Bit BMP Image  

Kum, Young-Jun (Graduate School of Information Security, Korea University)
Choi, Hwa-Jae (Graduate School of Information Security, Korea University)
Kim, Huy-Kang (Graduate School of Information Security, Korea University)
Abstract
Buffer overflow is the most representative vulnerability for which attack methods and their countermeasures are frequently developed and changed. It remains one of the most critical threats since it was first introduced in the mid-1990s. Shellcode is machine code that can be used in a buffer overflow attack. Attackers craft shellcode for their own purposes, insert it into the target host's memory space, and then manipulate the EIP (Extended Instruction Pointer) to hijack the control flow of the target host system. Consequently, much defensive research has been conducted, and attackers have in turn done much research to bypass the security measures designed for shellcode defense. In this paper, we briefly investigate shellcode defense and attack techniques and propose a new methodology that can hide shellcode in a 24-bit BMP image. With the proposed technique, we can easily hide any executable shellcode and bypass current detection and prevention techniques.
Keywords
ShellCode; Obfuscation
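The abstract names the carrier format (an uncompressed 24-bit BMP) but the page does not describe the hiding method itself, so the following is not the paper's code and assumes nothing about it. It is an added defender-side example: a structural consistency checker for 24-bit BMP files that parses the BITMAPFILEHEADER and BITMAPINFOHEADER, recomputes the pixel-array size from width, height and the 4-byte row padding, and reports any slack between headers and pixels, any size mismatch, and any bytes trailing after the pixel array. The `build_bmp24` helper and its `trailer` argument are constructed test input for the checker, not data from the paper.

```python
import struct

FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: magic, file size, reserved x2, pixel-array offset
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, image size, ...
HEADERS_LEN = struct.calcsize(FILE_HDR) + struct.calcsize(INFO_HDR)  # 14 + 40 = 54


def row_stride(width):
    # Each pixel row of a 24-bit BMP (3 bytes per pixel) is padded up to a multiple of 4 bytes
    return (width * 3 + 3) & ~3


def build_bmp24(width, height, trailer=b""):
    """Construct a minimal valid 24-bit BMP with an all-black pixel array.
    `trailer` is appended after the pixel array so the checker has something to find.
    Constructed sample input for check_bmp24; not a real image and not from the paper."""
    pixel_size = row_stride(width) * abs(height)
    file_hdr = struct.pack(FILE_HDR, b"BM", HEADERS_LEN + pixel_size, 0, 0, HEADERS_LEN)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, pixel_size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_size) + trailer


def check_bmp24(data):
    """Structural consistency check for an uncompressed 24-bit BMP.
    Returns a list of findings; an empty list means nothing inconsistent was seen.
    A clean result does not prove the pixels carry no hidden payload, only that the
    container's declared layout matches its actual bytes."""
    findings = []
    if len(data) < HEADERS_LEN:
        return ["file shorter than the 54-byte BITMAPFILEHEADER + BITMAPINFOHEADER"]
    magic, file_size, _, _, offset = struct.unpack_from(FILE_HDR, data, 0)
    (hdr_size, width, height, planes, bpp, compression,
     image_size, _, _, _, _) = struct.unpack_from(INFO_HDR, data, 14)
    if magic != b"BM":
        findings.append("bad magic, not a BMP")
    if hdr_size != 40:
        findings.append(f"unexpected info header size {hdr_size}")
    if bpp != 24:
        findings.append(f"not a 24-bit image (bpp={bpp})")
    if compression != 0:
        findings.append(f"compressed pixel data (method {compression})")
    if width <= 0 or height == 0:
        findings.append(f"implausible dimensions {width}x{height}")
        return findings
    expected = row_stride(width) * abs(height)  # negative height means top-down row order
    if image_size not in (0, expected):
        findings.append(f"biSizeImage {image_size} != computed pixel array size {expected}")
    if offset > HEADERS_LEN:
        findings.append(f"{offset - HEADERS_LEN} unused bytes between headers and pixel array")
    if file_size != len(data):
        findings.append(f"header file size {file_size} != actual {len(data)}")
    end = offset + expected
    if len(data) > end:
        findings.append(f"{len(data) - end} bytes trailing after the pixel array")
    elif len(data) < end:
        findings.append(f"pixel array truncated by {end - len(data)} bytes")
    return findings


if __name__ == "__main__":
    print(check_bmp24(build_bmp24(4, 2)))                          # clean: []
    print(check_bmp24(build_bmp24(4, 2, trailer=b"\x90" * 16)))    # size mismatch + 16 trailing bytes
```

The checker only validates the container's geometry; payloads embedded inside the pixel array itself pass it, which is exactly why the abstract's claim matters for image-handling pipelines and why such files also deserve the usual content inspection (entropy, emulation, or sandboxing) rather than format validation alone.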