RECON06. A PLATFORM INDEPENDENT MULTI-CAVITY NOP VIRUS
- » The key observation that Jack made is that, in executables, the gaps between functions are filled with groups of NOP instructions, used to pad each function out to an aligned boundary.
- » Data alignment is padded with 0x00, but code alignment is padded with 0x90 (NOP); so these areas are easy to find for infection AND we know that these 0x90 runs always sit in the executable segment.
- » We can overwrite these NOP instructions with our own code.
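As an added example from the defender's side (not code from the talk or its author), a small Python scanner that locates 0x90 padding cavities in a code segment, reports how much cavity space a binary exposes, and flags cavities whose bytes no longer match a known-good copy of the same binary; the byte strings it scans are constructed samples standing in for a real .text section.

```python
# Added example: locate 0x90 padding cavities in a code segment and flag ones
# that no longer match a known-good copy. All sample bytes below are constructed.
NOP = 0x90

def find_nop_cavities(code: bytes, min_len: int = 4):
    """Return (offset, length) for every run of at least min_len NOP bytes;
    min_len filters out lone NOPs that legitimately occur inside functions."""
    cavities, i = [], 0
    while i < len(code):
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < len(code) and code[i] == NOP:
            i += 1
        if i - start >= min_len:
            cavities.append((start, i - start))
    return cavities

def cavity_capacity(code: bytes, min_len: int = 4):
    """(total padding bytes, largest cavity): the space an infector could use."""
    runs = [length for _, length in find_nop_cavities(code, min_len)]
    return sum(runs), max(runs, default=0)

def find_filled_cavities(baseline: bytes, suspect: bytes, min_len: int = 4):
    """Cavities of the known-good segment whose bytes changed in the suspect copy.
    Requires identical layout; a size change means the file was rebuilt or
    appended to, and the sections must be compared individually instead."""
    if len(baseline) != len(suspect):
        raise ValueError("segments differ in size; compare section by section")
    return [(off, ln) for off, ln in find_nop_cavities(baseline, min_len)
            if suspect[off:off + ln] != baseline[off:off + ln]]

# Constructed .text-like sample: three tiny x86-64 functions padded to 16 bytes.
FUNC_A = bytes.fromhex("554889e55dc3")  # push rbp; mov rbp,rsp; pop rbp; ret
FUNC_B = bytes.fromhex("31c0c3")        # xor eax,eax; ret
FUNC_C = bytes.fromhex("4883ec08c3")    # sub rsp,8; ret
CLEAN_TEXT = (FUNC_A + b"\x90" * 10 + FUNC_B + b"\x90" * 13 + FUNC_C
              + b"\x90\x90")            # trailing pair is below min_len: ignored
# Constructed suspect copy: part of the second cavity overwritten with filler.
SUSPECT_TEXT = bytearray(CLEAN_TEXT)
SUSPECT_TEXT[19:27] = b"\x41" * 8       # placeholder bytes, not real code
SUSPECT_TEXT = bytes(SUSPECT_TEXT)
# Scanning SUSPECT_TEXT alone still finds a (shorter) cavity at offset 27, so
# only the comparison against CLEAN_TEXT reveals the overwrite at offset 19.
```

Real toolchains also pad with multi-byte NOP encodings (0F 1F ...), so a production scanner should recognise those runs as cavities too; the same comparison applies unchanged to a PE .text section.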