IDENTIFICATION OF ARBITRARY LENGTH SHELLCODE FOR THE INTEL X64 ARCHITECTURE AS A NOP SLED

Blog Article

A NOP (no-operation) sled is used as part of binary exploitation code to provide flexibility for exploitation accuracy, to evade signatures before and after the exploitation has occurred, and to transfer execution to the malicious code. The NOP sled requires that the code be executable and effectively “do nothing.” More specifically, “do nothing” means that the execution context is not disrupted to a point where the payload fails to execute. We enforce a zero-difference policy during validation for the components of the execution context we are analyzing. This paper uses the Ghidra reverse engineering tool to disassemble, emulate, and analyze a sequence of bytes to determine if they are an “effective NOP.” An effective NOP leaves the execution state unchanged after an arbitrary number of instructions. The execution state consists of a collection of registers and their values and a list of memory locations used. The proposed algorithm in this paper uses Ghidra to emulate instructions for NOP sleds and returns a boolean true or false value based on the difference between the original and final execution context. The results from this paper are successful for the different types of constructed NOP sled samples, polymorphic NOP sleds, and real-world data used to validate the artifact. We create an algorithm to calculate the differences between execution contexts, create an artifact to automatically process byte sequences to search for NOP sleds that satisfy our zero-difference policy, identify third-party NOP generators that did not produce NOP byte sequences that met this research’s standard, and publish the source code to an open-source repository.
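The following is an added example illustrating the zero-difference check described above; it is not the paper's Ghidra artifact or its source code. Since Ghidra's emulator is not available in a stand-alone script, a hypothetical eight-opcode x64 emulator stands in for it, and the register set (eight non-REX general-purpose registers), the flag set (CF and DF only), the starting stack pointer, and the memory model (any address written counts as a "location used") are all assumptions of this example. The point it shows is the one the abstract makes: a byte sequence is only an effective NOP if registers, flags, and touched memory all compare equal before and after emulation, so a `push rax; pop rax` pair, which restores every register, still fails under the strict policy because it writes below the stack pointer.

```python
# Constructed example: zero-difference execution-context check for a
# candidate NOP sled. The emulator is a toy stand-in for Ghidra's and only
# decodes nop, push/pop r64 (no REX), clc/stc and cld/std.
from dataclasses import dataclass, field

# Register order matches the x64 encodings push = 0x50+r, pop = 0x58+r (no REX prefix).
GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
MASK64 = (1 << 64) - 1


@dataclass
class Context:
    regs: dict
    flags: dict
    mem: dict = field(default_factory=dict)   # address -> byte, only locations written

    def snapshot(self):
        return Context(dict(self.regs), dict(self.flags), dict(self.mem))


def initial_context(rsp=0x7FFFF000):
    """Assumed starting state: zeroed GPRs, a chosen stack pointer, flags clear."""
    regs = {r: 0 for r in GPR}
    regs["rsp"] = rsp
    return Context(regs, {"CF": 0, "DF": 0})


class UnsupportedInstruction(Exception):
    """Raised for any opcode the toy emulator does not model."""


def step(ctx, code, ip):
    """Emulate the one-byte instruction at code[ip] in place; return the next ip."""
    op = code[ip]
    if op == 0x90:                                   # nop
        return ip + 1
    if 0x50 <= op <= 0x57:                           # push r64
        val = ctx.regs[GPR[op - 0x50]]
        ctx.regs["rsp"] = (ctx.regs["rsp"] - 8) & MASK64
        for i in range(8):                           # little-endian store below rsp
            ctx.mem[ctx.regs["rsp"] + i] = (val >> (8 * i)) & 0xFF
        return ip + 1
    if 0x58 <= op <= 0x5F:                           # pop r64
        sp = ctx.regs["rsp"]
        val = sum(ctx.mem.get(sp + i, 0) << (8 * i) for i in range(8))
        ctx.regs["rsp"] = (sp + 8) & MASK64          # increment first so 'pop rsp' keeps the popped value
        ctx.regs[GPR[op - 0x58]] = val
        return ip + 1
    if op in (0xF8, 0xF9):                           # clc / stc
        ctx.flags["CF"] = op - 0xF8
        return ip + 1
    if op in (0xFC, 0xFD):                           # cld / std
        ctx.flags["DF"] = op - 0xFC
        return ip + 1
    raise UnsupportedInstruction(f"opcode 0x{op:02x} at offset {ip}")


def emulate(code, ctx):
    """Run every instruction in `code` from offset 0 to the end of the buffer."""
    ip = 0
    while ip < len(code):
        ip = step(ctx, code, ip)
    return ctx


def diff_contexts(before, after, ignore_memory=False):
    """Return each differing component; an empty dict means zero difference."""
    d = {}
    regs = {r: (before.regs[r], after.regs[r]) for r in GPR if before.regs[r] != after.regs[r]}
    flags = {f: (before.flags[f], after.flags[f]) for f in before.flags if before.flags[f] != after.flags[f]}
    touched = sorted(a for a, v in after.mem.items() if before.mem.get(a) != v)
    if regs:
        d["regs"] = regs
    if flags:
        d["flags"] = flags
    if touched and not ignore_memory:
        d["mem"] = touched
    return d


def is_effective_nop(code, ignore_memory=False):
    """(verdict, differences): True only if the analysed context is unchanged."""
    start = initial_context()
    end = emulate(code, start.snapshot())
    d = diff_contexts(start, end, ignore_memory)
    return (not d), d


if __name__ == "__main__":
    samples = {                                      # constructed byte sequences
        "nop x16": b"\x90" * 16,
        "stc; clc": b"\xf9\xf8",
        "stc alone": b"\xf9",
        "push rax; pop rax": b"\x50\x58",
        "push rax; push rbx; pop rbx; pop rax": b"\x50\x53\x5b\x58",
    }
    for name, code in samples.items():
        ok, d = is_effective_nop(code)
        print(f"{name:40s} effective NOP: {ok}  diff: {d}")
```

Relaxing the policy is a one-flag change (`ignore_memory=True`), which is exactly the kind of decision the abstract's "components of the execution context we are analyzing" phrase leaves to the analyst: under the relaxed policy the push/pop pairs pass, under the strict one they do not, while `stc` alone fails either way because CF is part of the compared state.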
