Overview
Syllabus
Intro
Signature Based IDS
Limitations of Signature-Based NIDS: attackers change a byte of the payload and evade detection
Emulation-Based NIDS, a Giant Leap
How Does Emulation-Based NIDS Work?
Pre-Processing
Basic Heuristics Detection
Additional Heuristics
Syscall Process Memory Scanning
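The following is an added example, not part of the course material, illustrating the two points above: a byte signature is defeated as soon as the payload is re-encoded, while an emulator that executes the candidate bytes sees the decoded payload and the GetPC trick the decoder needs. The shellcode bytes, the signature, the XOR decoder stub and the toy x86 subset interpreter are all constructed here for the demonstration; a real emulation-based NIDS covers the full instruction set and many more heuristics.

```python
"""Toy demo: static byte signature versus signature-after-emulation."""
import struct

# Constructed sample: classic Linux x86 execve("/bin//sh") shellcode bytes.
SHELLCODE = bytes.fromhex(
    "31c0" "50" "682f2f7368" "682f62696e" "89e3" "50" "53" "89e1" "b00b" "cd80"
)
# A byte-matching signature: push "//sh"; push "/bin".
SIGNATURE = bytes.fromhex("682f2f7368682f62696e")


def xor_encode(payload: bytes, key: int) -> bytes:
    """Wrap payload in a classic jmp/call/pop XOR decoder (constructed stub)."""
    assert 0 < key < 256 and len(payload) < 256
    stub = bytes([
        0xEB, 0x0D,                    # 00: jmp  short 0x0F
        0x5E,                          # 02: pop  esi   (esi = address of data)
        0x31, 0xC9,                    # 03: xor  ecx, ecx
        0xB1, len(payload),            # 05: mov  cl, len
        0x80, 0x36, key,               # 07: xor  byte [esi], key
        0x46,                          # 0A: inc  esi
        0xE2, 0xFA,                    # 0B: loop 0x07
        0xEB, 0x05,                    # 0D: jmp  short 0x14 (decoded payload)
        0xE8, 0xEE, 0xFF, 0xFF, 0xFF,  # 0F: call 0x02  (GetPC trick)
    ])
    return stub + bytes(b ^ key for b in payload)


def emulate(buf: bytes, start: int = 0, budget: int = 4096):
    """Run buf from offset start in a tiny x86 subset interpreter.

    Returns (memory after execution, getpc_seen, instructions_executed).
    An unsupported opcode or out-of-range access stops execution, as an
    emulator does when the candidate offset is not really code.
    """
    mem = bytearray(buf)
    regs = [0] * 8          # eax, ecx, edx, ebx, esp, ebp, esi, edi
    stack = []              # return addresses pushed by CALL
    eip, getpc, n = start, False, 0

    def s8(b):              # sign-extend a rel8 displacement
        return b - 256 if b & 0x80 else b

    while n < budget and 0 <= eip < len(mem):
        op = mem[eip]
        n += 1
        try:
            if op == 0xEB:                                # jmp rel8
                eip += 2 + s8(mem[eip + 1])
            elif op == 0xE8:                              # call rel32
                rel = struct.unpack_from("<i", mem, eip + 1)[0]
                stack.append(eip + 5)
                eip += 5 + rel
            elif 0x58 <= op <= 0x5F:                      # pop r32
                if not stack:
                    break
                regs[op & 7] = stack.pop()
                getpc = True      # the payload just read its own address
                eip += 1
            elif 0x40 <= op <= 0x47:                      # inc r32
                regs[op & 7] = (regs[op & 7] + 1) & 0xFFFFFFFF
                eip += 1
            elif op == 0x31:                              # xor r32, r32 (register form)
                modrm = mem[eip + 1]
                if modrm >> 6 != 3:
                    break
                regs[modrm & 7] ^= regs[(modrm >> 3) & 7]
                eip += 2
            elif 0xB0 <= op <= 0xB3:                      # mov al/cl/dl/bl, imm8
                regs[op & 7] = (regs[op & 7] & 0xFFFFFF00) | mem[eip + 1]
                eip += 2
            elif op == 0x80 and mem[eip + 1] == 0x36:     # xor byte [esi], imm8
                if not 0 <= regs[6] < len(mem):
                    break
                mem[regs[6]] ^= mem[eip + 2]
                eip += 3
            elif op == 0xE2:                              # loop rel8
                regs[1] = (regs[1] - 1) & 0xFFFFFFFF
                eip += 2 + (s8(mem[eip + 1]) if regs[1] else 0)
            else:
                break                                     # outside the toy subset
        except (IndexError, struct.error):
            break
    return bytes(mem), getpc, n


def scan(buf: bytes, signature: bytes = SIGNATURE) -> dict:
    """Static match versus match on memory after emulating from every offset."""
    result = {"static": signature in buf, "emulated": False,
              "getpc": False, "start": None}
    for start in range(len(buf)):          # the real payload start is unknown
        mem, getpc, _ = emulate(buf, start)
        if signature in mem:
            result.update(emulated=True, getpc=getpc, start=start)
            break
    return result


if __name__ == "__main__":
    print("plaintext:", scan(SHELLCODE))
    print("encoded:  ", scan(xor_encode(SHELLCODE, 0xAA)))
```

The encoded variant carries no byte of the signature, so the static check fails, but emulating from offset 0 executes the decoder, writes the plaintext back into memory and records a GetPC event (a CALL return address popped into a register), which is the kind of heuristic the course's later evasion sections target.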
Evasions
Intrinsic Limitations
Unavailable Context Data
Context Keyed Payload Encoding
Execution Threshold Random Decryption Algorithm (RDA)
Fragmentation
Implementation Limitations
Kernel32.dll Resolution Heuristic Evasion
Evading Kernel32.dll Heuristic using SEH Chain
Kernel32.dll Heuristic Evasion using Stack Frame Walking
Stack Constructing Shellcode GetPC+PRT evasion
Egg Hunt (Using API)
Heuristics Evasion Demo
Timing
Emulator Detection Demo
Anti-Disassembly
Unsupported Instructions
Questions?
Taught by
Black Hat