Identification of Arbitrary Length Shellcode for the Intel x64 Architecture as a NOP Sled

Detailed bibliography
Title: Identification of Arbitrary Length Shellcode for the Intel x64 Architecture as a NOP Sled
Authors: Austin Norby, Bhaskar P. Rimal, Bramwell Brizendine
Source: IEEE Access, Vol 13, Pp 65438-65454 (2025)
Publisher information: Institute of Electrical and Electronics Engineers (IEEE), 2025.
Publication year: 2025
Subjects: Buffer overflow, vulnerability, NOP sled, emulation, shellcode, Electrical engineering. Electronics. Nuclear engineering, Ghidra, TK1-9971
Description: A NOP (no-operation) sled is used as part of binary exploitation code to provide flexibility for exploitation accuracy, to evade signatures before and after the exploitation has occurred, and to transfer execution to the malicious code. The NOP sled requires that the code be executable and effectively “do nothing.” More specifically, “do nothing” means that the execution context is not disrupted to a point where the payload fails to execute. We enforce a zero-difference policy during validation for the components of the execution context we are analyzing. This paper uses the Ghidra reverse engineering tool to disassemble, emulate, and analyze a sequence of bytes to determine whether they are an “effective NOP.” An effective NOP leaves the execution state unchanged after an arbitrary number of instructions. The execution state consists of a collection of registers and their values and a list of memory locations used. The proposed algorithm in this paper uses Ghidra to emulate instructions for NOP sleds and returns a boolean true or false value based on the difference between the original and final execution contexts. The results from this paper are successful for the different types of constructed samples, polymorphic NOP sleds, and real-world data used to validate the artifact. We create an algorithm to calculate the differences between execution contexts, create an artifact to automatically process byte sequences to search for NOP sleds that satisfy our zero-difference policy, identify third-party NOP generators that did not produce NOP byte sequences meeting this research’s standard, and publish the source code to an open-source repository.
Document type: Article
ISSN: 2169-3536
DOI: 10.1109/access.2025.3560209
Access URL: https://doaj.org/article/525d48bf909a4637bd81d9fe91a97760
Rights: CC BY
Accession number: edsair.doi.dedup.....ddbc7e4cffb37ca3a8d55d7b938a27e6
Database: OpenAIRE