Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering


Foiling The call/ret Monitor

July 19th, 2005 by Multimedia Mike

In the grand tradition of arms races, I like to give equal time to counter-reverse engineering techniques. Colin Hill suggested an interesting way to cause trouble for my call/ret monitoring solution. Make functions that start with a long sequence of NOPs. Instead of calling the actual start address, load the starting address into a register and add a random number to the base address that still points into the NOP range. This would pollute the address space range in the output.

For die-hard, old school reverse engineers, this would also have the effect of creating paranoia of self-modifying code.

Posted in call/ret Monitor, Reverse Engineering | Comments Off on Foiling The call/ret Monitor

Comments are closed.