RECON06 . A PLATFORM INDEPENDENT MULTI-CAVITY NOP VIRUS
Let me just give out some statistics here:
The basic unoptimized (for size) demo of the virus is about 1.5KB. This is just the academic version, written for
readability without concern for size constraints.
NOP instruction counts found in various binaries:
- bash: 4517
- vim: 12045
- postgres for ia32 Linux: 19132
- Adobe Acrobat for ia32 Linux: 38680
- UninstallFirefox.exe: 38634
- autoruns.exe: 106995
- explorer.exe: 444859
- procexp.exe: 499631
- regedit.exe: 51453
- MRT.exe: 896286
- kernel32.dll: 12717
- msvcrt.dll: 65
- libc.so.6: 13450
Binaries taken from Windows XP SP2 and Slackware 10.1.0.
note1: remember that not all NOPs are usable, since some runs may be only 1 byte long and we need a minimum of 6 bytes to insert
one instruction and its jump for the jump-chaining.
note2: FreeBSD uses 4-byte code alignment much of the time, so its alignment padding is at most 3 bytes, below the 6-byte minimum.
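As an added example (not code from the talk), the script below reproduces the kind of statistics listed above and applies note1's 6-byte minimum, then takes a defender's view: given a known-good copy of a binary, it reports any NOP run that a later copy no longer contains, which is how a filled cavity shows up. It assumes only the 1-byte 0x90 NOP; multi-byte NOP encodings are ignored, and the sample bytes are constructed.

```python
# Added example, not from the RECON06 talk. Finds runs of the 1-byte 0x90 NOP
# in a binary image, counts which are long enough to hold one instruction plus
# its chaining jump (the talk's 6-byte minimum), and, for detection, reports
# baseline NOP runs that a later copy has overwritten. Assumption: only 0x90
# is counted; multi-byte NOP encodings are ignored.
from typing import Dict, List, Tuple

NOP = 0x90
MIN_CAVITY = 6  # instruction + short jump, per the talk's note1


def nop_runs(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run of 0x90 bytes."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        runs.append((start, i - start))
    return runs


def cavity_stats(data: bytes, min_len: int = MIN_CAVITY) -> Dict[str, int]:
    """Total NOP bytes, number of runs, and runs/bytes usable as cavities."""
    runs = nop_runs(data)
    usable = [ln for _, ln in runs if ln >= min_len]
    return {"nop_bytes": sum(ln for _, ln in runs), "runs": len(runs),
            "usable_runs": len(usable), "usable_bytes": sum(usable)}


def filled_cavities(baseline: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Baseline NOP runs that no longer consist of NOPs in the suspect copy."""
    return [(off, ln) for off, ln in nop_runs(baseline)
            if suspect[off:off + ln] != bytes([NOP]) * ln]


# Constructed sample: a few code bytes around a 3-byte and an 8-byte NOP run,
# plus a copy where six bytes of the 8-byte run were overwritten.
SAMPLE = b"\x55\x89\xe5" + b"\x90" * 3 + b"\xc3" + b"\x90" * 8 + b"\x31\xc0"
TAMPERED = SAMPLE[:7] + b"\x41" * 6 + SAMPLE[13:]

if __name__ == "__main__":
    print(cavity_stats(SAMPLE))  # {'nop_bytes': 11, 'runs': 2, 'usable_runs': 1, 'usable_bytes': 8}
    print(filled_cavities(SAMPLE, TAMPERED))  # [(7, 8)]
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `cavity_stats`; the same known-good image and a later copy go to `filled_cavities`.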