NOP slide

• purpose: prevent code crashing, when a malware doesn’t know exactly where its own code will reside in RAM
• the NOP slide is repeated 0x90 bytes, meaning NOP
• NOP doesn’t change machine state in any way – no CPU flags get changed, no dirties registers
• thus NOP suits perfectly for this sort of ‘stuffing’ where the purpose is simply to ensure IP starts eating bytes
• guide IP (instruction pointer) to correct sequence of bytes to be interpreted as mnemonics
• without NOP slide?
• crashing would occur
• IP would land on in-middle of a Intel assembly sequence
• let’s say that we have
• Let’s say we have 5 “sequences” of operations, encoded as: 324551 sequence, consecutively as follows: AAABBCCCCDDDDDEEEEEF
  • A is a MOV, worth 3 bytes
  • B is something else, 2 bytes
  • C is 4-byte
  • D is 5-byte
  • E is also 5-byte
  • F is a ‘RET’, ‘NOP’ or similar; length 1 byte
• NOP is hex 0x90, thus 1 byte length also
• is there a optimal length of NOPs duped (0x90) when doing a NOP slide?
• NOP slide is a prefix to memory area of the payload execution
• real world occurrences?
• a NOP slide detection by AVs is easy
• obfuscated NOP slides (NOP ramps) are used thus in real world malware
• even with a NOP sled, the approximate location of the buffer that will be executed by CPU, in memory, must be predicted in advance
• one technique for approximating the memory location of is to use nearby stack location as a frame of reference
• by subtracting an offset from this location, the relative address of any variable can be obtained