The word “shellcode” is used to refer generally to malicious software written in assembly language. Attackers rely upon execution of shellcode on a host computer as one way of attempting to gain control over one or more aspects of the host computer. Shellcode can be embedded in machine code such as downloaded files.
Various mechanisms are relied upon to prevent attacks based upon execution of shellcode on computers. One mechanism used to identify shellcode is the shellcode scanner, which scans machine instructions, memory, virtual memory, memory devices, and the like, for shellcode. Shellcode scanners search machine instructions for patterns or sequences of machine instructions, also referred to as shellcode “signatures”. For example, a shellcode scanner may use binary pattern matching to search for specific sequences of masked bytes of machine instructions that are known to be associated with shellcode.
While the above-described shellcode scanners are relatively effective in recognizing shellcode, these scanners also may falsely identify harmless code as shellcode, thereby resulting in false positive shellcode findings. For example, analyzed machine code may contain a benign byte sequence in a non-image region that some shellcode scanners may mistakenly detect as malicious code. If only a traditional shellcode scanner is used to analyze this machine code, this benign byte sequence may be deleted or quarantined, or may trigger manual review to determine if the byte sequence actually is malicious. Thus, valuable computer and/or human resources may be wasted evaluating harmless code.
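The masked-byte signature matching described above, and the false-positive case it produces, as an added illustration (example code written for this page, not the disclosure's own implementation): the signature string, its nibble-wildcard syntax, and both byte buffers are constructed for the example and do not correspond to any real shellcode.

```python
"""Masked-byte signature scanner with a constructed false-positive case."""
from typing import List, Tuple

# Constructed signature for illustration only; '?' marks a nibble that may
# take any value, so "5?" matches 0x50..0x5F and "??" matches any byte.
SIGNATURE = "E8 ?? ?? ?? ?? 5? C3"

# Constructed buffer that a scanner is meant to flag (offset 2 matches).
SUSPECT = bytes.fromhex("90 90 E8 00 00 00 00 5B C3 90")
# Constructed benign data (e.g. a little-endian integer table in a non-image
# region) that happens to contain the same masked byte sequence (offset 1).
BENIGN = bytes.fromhex("00 E8 03 00 00 00 5A C3 FF FF")


def parse_signature(sig: str) -> List[Tuple[int, int]]:
    """Turn "E8 ?? 5?" into (value, mask) pairs; a byte b matches a pair
    when (b & mask) == value, so wildcards are bits cleared in the mask."""
    pairs = []
    for token in sig.split():
        if len(token) != 2:
            raise ValueError(f"bad token {token!r}: expected two nibbles")
        value = mask = 0
        for nibble in token:
            value <<= 4
            mask <<= 4
            if nibble != "?":
                value |= int(nibble, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs


def scan(buf: bytes, pairs: List[Tuple[int, int]]) -> List[int]:
    """Return every offset in buf at which the whole masked pattern matches."""
    hits = []
    width = len(pairs)
    for off in range(len(buf) - width + 1):
        if all((buf[off + i] & m) == v for i, (v, m) in enumerate(pairs)):
            hits.append(off)
    return hits


def scan_samples() -> Tuple[List[int], List[int]]:
    """Scan both constructed buffers; the benign one is flagged as well,
    which is exactly the false positive a signature-only scanner produces."""
    pairs = parse_signature(SIGNATURE)
    return scan(SUSPECT, pairs), scan(BENIGN, pairs)
```

Because the matcher sees only bytes, the data table is reported as confidently as the suspect code; deciding between them needs context the signature alone does not carry.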
It is with respect to these and other considerations that the disclosure made herein is presented.