This paper is most closely related to the previous static-analysis approaches to exploit code detection [3,4,6]. One benefit of these static-analysis approaches is that they can detect both foreseen exploit code, which exploits known vulnerabilities, and zero-day exploit code, which exploits unknown vulnerabilities. In addition, they are in general more resilient to polymorphism and metamorphism than string-matching signatures are. However, Polychronakis et al. [5] demonstrated that anti-static-analysis techniques such as self-modifying code and indirect jumps can easily thwart these existing static-analysis techniques.
Polychronakis et al. [5] were the first to propose a CPU emulator for detecting polymorphic shellcode. An emulator, being a dynamic analyzer, is immune to most anti-static-analysis techniques. However, dynamic analysis is vulnerable to several anti-emulation techniques, which have existed in the virus-writer community for many years. Motivated by [5], we proposed STILL, which is robust to both anti-static-analysis and anti-emulation techniques.
xinran wang
2008-02-28