Shellzer: a tool for the dynamic analysis of malicious shellcode

  • Authors:

  • Yanick Fratantonio;Christopher Kruegel;Giovanni Vigna

  • Affiliations:

  • Politecnico di Milano, Italy;University of California, Santa Barbara;University of California, Santa Barbara

  • Venue:
  • RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
  • Year:
  • 2011

Quantified Score

Hi-index 0.00

Visualization

Abstract

Shellcode is malicious binary code whose execution is triggered after the exploitation of a vulnerability. The automated analysis of malicious shellcode is a challenging task, since encryption and evasion techniques are often used. This paper introduces Shellzer, a novel dynamic shellcode analyzer that generates a complete list of the API functions called by the shellcode, and, in addition, returns the binaries retrieved at run-time by the shellcode. The tool is able to modify on-the-fly the arguments and the return values of certain API functions in order to simulate specific execution contexts and the availability of the external resources needed by the shellcode. This tool has been tested with over 24,000 real-world samples, extracted from both web-based drive-by-download attacks and malicious PDF documents. The results of the analysis show that Shellzer is able to successfully analyze 98% of the shellcode samples.