Yet Another Heapspray Detector

ShmooCon VII - 2011

Presented by: Daniel Kovach
Date: Saturday January 29, 2011
Time: 12:00 - 13:00
Location: Build It room
Track: Build It!

Many attempts have been made to determine the existence of a heap spray attack, but when we weigh their efficacy against their run-time performance, most fall short. In this paper, we introduce a new technique that differs from the others: we treat heap spray detection as a signal processing problem. We examine process memory as a signal that maps to the interval [0, 256). The number of times each byte value is seen in memory is collected into a histogram in the preprocessing stage at certain intervals of program execution. This histogram has a characteristic distribution at each slice, so the shellcode contained in a heap spray will offset that distribution. We can detect such an upset by taking a Fourier transform of the concatenated histograms, or by examining their numerical properties. We have found this technique to be quite successful. It runs efficiently, and has the potential to be optimized even further.
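The histogram-based idea in the abstract, as an added illustration that is not the talk's own code: a memory snapshot is reduced to a 256-bin byte-value histogram, normalized, and compared with a baseline histogram taken from the process in a known-clean state. The "numerical properties" checked here are the L1 distance from the baseline, the Shannon entropy, and the share of the single most common byte value; the Fourier-transform variant the talk also mentions is not implemented. The heap contents, the page size, the thresholds and the repeated filler byte used to stand in for a sprayed region are all constructed assumptions for the example.

```python
"""Byte-value histogram heap-spray detector (added illustration, not the talk's code)."""
import math
import random

PAGE = 4096  # assumed slice size used when scanning a snapshot interval by interval


def byte_histogram(mem: bytes) -> list[int]:
    """Count how often each value 0..255 appears in a memory snapshot."""
    hist = [0] * 256
    for b in mem:
        hist[b] += 1
    return hist


def normalize(hist: list[int]) -> list[float]:
    """Turn raw counts into a probability distribution over [0, 256)."""
    total = sum(hist)
    return [c / total for c in hist] if total else [0.0] * 256


def l1_distance(p: list[float], q: list[float]) -> float:
    """Sum of absolute per-bin differences between two distributions (0 .. 2)."""
    return sum(abs(a - b) for a, b in zip(p, q))


def entropy_bits(p: list[float]) -> float:
    """Shannon entropy of the byte distribution in bits (8.0 for uniform data)."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def spray_indicators(snapshot: bytes, baseline_hist: list[int]) -> dict:
    """Compare one snapshot's distribution with the baseline histogram."""
    p = normalize(byte_histogram(snapshot))
    q = normalize(baseline_hist)
    dominant = max(range(256), key=p.__getitem__)
    return {
        "l1": l1_distance(p, q),
        "entropy": entropy_bits(p),
        "dominant_byte": dominant,
        "dominant_share": p[dominant],
    }


def is_heap_spray(snapshot: bytes, baseline_hist: list[int],
                  l1_threshold: float = 0.6, share_threshold: float = 0.25) -> bool:
    """Flag a snapshot whose distribution drifted far from the baseline or is
    dominated by one byte value. Thresholds are assumed, not from the talk."""
    ind = spray_indicators(snapshot, baseline_hist)
    return ind["l1"] > l1_threshold or ind["dominant_share"] > share_threshold


def scan_pages(snapshot: bytes, baseline_hist: list[int]) -> list[int]:
    """Apply the check per page-sized slice and return the indices that trip it."""
    return [i for i in range(len(snapshot) // PAGE)
            if is_heap_spray(snapshot[i * PAGE:(i + 1) * PAGE], baseline_hist)]


# --- constructed sample data (stand-ins for real process memory) ---
def make_heap(seed: int, size: int = 16 * PAGE) -> bytes:
    """Fake heap: a mix of a fixed ASCII fragment and pseudo-random binary data."""
    rng = random.Random(seed)
    text = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    out = bytearray()
    while len(out) < size:
        if rng.random() < 0.3:
            out += text
        else:
            out += bytes(rng.getrandbits(8) for _ in range(256))
    return bytes(out[:size])


BASELINE_HIST = byte_histogram(make_heap(1))   # taken while the process is clean
CLEAN_SNAPSHOT = make_heap(2)                   # later snapshot, same workload
# Stand-in for a sprayed heap: the upper half is filled with one repeated byte
# value (0x90 chosen arbitrarily); any spray padding skews the histogram this way.
SPRAYED_SNAPSHOT = make_heap(3)[:8 * PAGE] + bytes([0x90]) * (8 * PAGE)

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_SNAPSHOT), ("sprayed", SPRAYED_SNAPSHOT)):
        ind = spray_indicators(snap, BASELINE_HIST)
        print(name, {k: round(v, 3) if isinstance(v, float) else v for k, v in ind.items()},
              "flagged pages:", scan_pages(snap, BASELINE_HIST))
```

The per-page scan is what makes this cheap at run time: each slice costs one pass over its bytes, and the baseline histogram only needs to be rebuilt when the workload changes. The thresholds above are tuned for the constructed data; a real deployment would calibrate them from the clean-state distribution of the process being protected.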

Daniel Kovach

I am from Fl. I got interested in Math and computers at a very early age. Stuff I Enjoy: martial arts, bodybuilding, hexadecimal numbers, nerdy jokes that have to do with binary or hex, and copious amounts of alcohol. I am a (statistical) vegetarian and have a morbid fear of zombies.


KhanFu - Mobile schedules for INFOSEC conferences.