AthCon 2010 is now over and I must say that I’m really looking forward to next year’s event! Kudos to Christian, Kyprianos, Fotis, Chariton, Bernardo, Sandro, Iftach, Corrado, Rodrigo, Alberto and everyone else for making this such a great event!
The main theme of my presentation was “Context-keyed payload encoding”, a shellcode encoding technique that allows attackers to evade detection by NIDS that employ dynamic payload analysis.
The presentation covered the state of the art in NIDS and context-keying, and featured Metasploit implementations for:
- a CPUID-based context-keyed payload encoder
- a time(2)-based context-keyed payload encoder
- a novel stat(2)-based context-keyed payload encoder
Below you may find the relevant whitepaper, presentation slides and Metasploit patch:
- Presentation whitepaper (pdf)
- Presentation slides (pdf)
- Metasploit patch (diff)
A usage example of the new payload encoders can be found in the whitepaper.
Update: The 3 encoders are now part of the Metasploit Framework (revision #9457). Many thanks to HD Moore and Joshua Drake!