x64 jrgon: NOP slide, NOP ramp

NOP slide

  • purpose: prevent code crashing, when a malware doesn’t know exactly where its own code will reside in RAM
  • the NOP slide is repeated 0x90 bytes, meaning NOP
  • NOP doesn’t change machine state in any way – no CPU flags get changed, no dirties registers
  • thus NOP suits perfectly for this sort of ‘stuffing’ where the purpose is simply to ensure IP starts eating bytes
  • guide IP (instruction pointer) to correct sequence of bytes to be interpreted as mnemonics
  • without NOP slide?
  • crashing would occur
  • IP would land on in-middle of a Intel assembly sequence
  • let’s say that we have
  • Let’s say we have 5 “sequences” of operations, encoded as: 324551 sequence, consecutively as follows: AAABBCCCCDDDDDEEEEEF
    • A is a MOV, worth 3 bytes
    • B is something else, 2 bytes
    • C is 4-byte
    • D is 5-byte
    • E is also 5-byte
    • F is a ‘RET’, ‘NOP’ or similar; length 1 byte
  • NOP is hex 0x90, thus 1 byte length also
  • is there a optimal length of NOPs duped (0x90) when doing a NOP slide?
  • NOP slide is a prefix to memory area of the payload execution
  • real world occurrences?
  • a NOP slide detection by AVs is easy
  • obfuscated NOP slides (NOP ramps) are used thus in real world malware
  • even with a NOP sled, the approximate location of the buffer that will be executed by CPU, in memory, must be predicted in advance
  • one technique for approximating the memory location of is to use nearby stack location as a frame of reference
  • by subtracting an offset from this location, the relative address of any variable can be obtained

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: