Conference Proceeding Article
Return-oriented programming (ROP) is an attack that has been shown to be able to circumvent W ⊕ X protection. However, it was not clear if ROP can be made as powerful as non-ROP malicious code in other aspects, e.g., be packed to make static analysis difficult, be printable to evade non-ASCII filtering, be polymorphic to evade signature-based detection, etc. Research in these potential advances in ROP is important in designing counter-measures. In this paper, we show that ROP code could be packed, printable, and polymorphic. We demonstrate this by proposing a packer that produces printable and polymorphic ROP code. It works on virtually any unpacked ROP code and produces packed code that is self-contained. We implement our packer and demonstrate that it works on both Windows XP and Windows 7 platforms.
Return-oriented programming, packer, printable shellcode, polymorphic malware
Information Security and Trust
Recent Advances in Intrusion Detection: 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
City or Country
Menlo Park, CA
LU, Kangjie; Zou, Dabi; Wen, Weiping; and GAO, Debin.
Packed, Printable, and Polymorphic Return-Oriented Programming. (2011). Recent Advances in Intrusion Detection: 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011). 6961, 101-120. Research Collection School Of Information Systems.
Available at: http://ink.library.smu.edu.sg/sis_research/2004
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.