POSTED BY: Dimitrios Glynos / 04.06.2010

Context keyed payload encoding - AthCon 2010 update

AthCon 2010 is now over and I must say that I’m really looking forward to next year’s event! Kudos to Christian, Kyprianos, Fotis, Chariton, Bernardo, Sandro, Iftach, Corrado, Rodrigo, Alberto and everyone else for making this such a great event!

The main theme of my presentation was “Context-keyed payload encoding”, a shellcode encoding technique that allows attackers to evade detection from NIDS that employ dynamic payload analysis.

The presentation covered the state-of-the-art in NIDS and Context-keying and featured Metasploit implementations for:

a CPUID-based context-keyed payload encoder
a time(2)-based context-keyed payload encoder
a novel stat(2)-based context-keyed payload encoder

Below you may find the relevant whitepaper, presentation slides and Metasploit patch:

Presentation whitepaper (pdf)
Presentation slides (pdf)
Metasploit patch (diff)

A usage example of the new payload encoders can be found in the whitepaper.

Update: The 3 encoders are now part of the Metasploit Framework (revision #9457). Many thanks to HD Moore and Joshua Drake!

Tags: athcon , conference , context-keyed payload encoding , metasploit , nids , security , talk

Company News

Advisories

Blog

Context keyed payload encoding - AthCon 2010 update

LATEST ADVISORIES

IN THE NEWS

Context keyed payload encoding - AthCon 2010 update

Share this

LATEST ADVISORIES

IN THE NEWS