Didier Stevens

Friday 27 July 2012

My BlueHat Prize Entry: CounterHeapSpray

Filed under: My Software, Shellcode — Didier Stevens @ 10:24

Congratulations to the winners of the BlueHat Prize contest.

My entry was CounterHeapSpray:

CounterHeapSpray monitors the private memory usage of an application to guard against heap sprays. When the private memory usage of the application exceeds a predefined threshold, CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages and populate these pages with its own shellcode. When the heap spray terminates and the exploit executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will suspend all threads and display a warning message for the user. When the user clicks OK, CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode, CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.
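
The monitoring half of this design (private memory usage checked against a predefined threshold) can be sketched from the outside as a PowerShell watcher. This is an added example, not code from CounterHeapSpray; the function name `Watch-PrivateMemory` and the default threshold and polling interval are assumptions, and it only reports the crossing rather than pre-allocating pages.

```powershell
# Added example: watch one process's private bytes and report a threshold crossing.
# ThresholdMB and IntervalMs defaults are assumptions, not values from CounterHeapSpray.
function Watch-PrivateMemory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]     $ProcessId,
        [ValidateRange(1, 65536)] [int]  $ThresholdMB = 512,
        [ValidateRange(50, 60000)] [int] $IntervalMs = 250
    )

    $thresholdBytes = [int64]$ThresholdMB * 1MB
    $previous = $null

    while ($true) {
        # Get-Process takes a fresh snapshot on every call; a vanished PID ends the watch.
        $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) {
            Write-Verbose "Process $ProcessId exited before reaching the threshold."
            return $null
        }

        # Private (non-shared) memory allocated to the process, in bytes.
        $private = $proc.PrivateMemorySize64
        $growth  = if ($null -ne $previous) { $private - $previous } else { 0 }

        if ($private -ge $thresholdBytes) {
            # The condition under which the post says a heap spray is assumed.
            return [pscustomobject]@{
                Time         = Get-Date
                ProcessId    = $ProcessId
                ProcessName  = $proc.ProcessName
                PrivateMB    = [math]::Round($private / 1MB, 1)
                ThresholdMB  = $ThresholdMB
                LastGrowthMB = [math]::Round($growth / 1MB, 1)
            }
        }

        $previous = $private
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# Usage (PID is a placeholder): Watch-PrivateMemory -ProcessId 1234 -ThresholdMB 512 -Verbose
```

The returned object carries the last sampled growth step, which helps tell a sudden jump from slow, ordinary growth when reviewing an alert.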

CounterHeapSpray.zip (https)
MD5: 1947380F935AE0B1A8828DE79621F82F
SHA256: CA0BF635655EE05ABED117C858BC86ECDF3EBB4C39544D7D0C396D7C457F1BBC
