by pwdisswordfish8 1799 days ago
Opcode sequences. Regular expressions may be applied to any formal language, not just ones based on human-readable alphabets.

That kinda makes sense, thanks.

However, wouldn’t this kind of heuristic be extremely simple to counter by obfuscating the machine code, e.g. by inserting complex noops and using threaded subroutines which individually look innocuous? Or are these kinds of techniques looking at known syscall patterns or something like that, and ignoring the general program flow?

To me, regex doesn’t seem applicable to static analysis of machine code, but what do I know :)
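A small illustration of the opcode-sequence point above and of the noop-padding question in the reply, added here as an example that is not part of the thread: a signature written as a regex over raw x86 bytes, first byte-exact, then tolerating runs of known single-instruction no-ops between the signature's instructions. The instruction encodings and the sample blobs are constructed for the example; real scanners typically disassemble first so that allowed gaps line up with instruction boundaries rather than falling inside an operand.

```python
import re

# Instruction encodings for the toy signature (constructed sample; x86-32):
#   b8 01 00 00 00   mov eax, 1
#   cd 80            int 0x80
SIG_INSNS = [b"\xb8\x01\x00\x00\x00", b"\xcd\x80"]

# Single-instruction no-ops an obfuscator might insert between them.
# 0x90 is the short encoding of xchg eax, eax; 87 c0 is the long form.
NOOPS = [b"\x90", b"\x87\xc0"]


def exact_signature() -> re.Pattern:
    """Byte-exact signature: matches only the unpadded sequence."""
    return re.compile(re.escape(b"".join(SIG_INSNS)))


def padded_signature() -> re.Pattern:
    """Same instructions, but any run of known no-ops may sit between them.

    Gaps are permitted only at instruction boundaries, never inside an
    operand, so the regex over raw bytes still respects the opcode grammar.
    """
    gap = b"(?:" + b"|".join(re.escape(n) for n in NOOPS) + b")*"
    return re.compile(gap.join(re.escape(i) for i in SIG_INSNS))


def scan(blob: bytes, pattern: re.Pattern) -> list:
    """Return the byte offsets at which the signature matches in blob."""
    return [m.start() for m in pattern.finditer(blob)]


# Constructed samples, not real malware: the plain sequence, the same
# sequence with no-ops inserted between instructions, and unrelated bytes.
PLAIN = b"\x55\x89\xe5" + b"".join(SIG_INSNS) + b"\xc3"
PADDED = b"\x55\x89\xe5" + SIG_INSNS[0] + b"\x90\x87\xc0\x90" + SIG_INSNS[1] + b"\xc3"
BENIGN = b"\x55\x89\xe5\x31\xc0\xc3"

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN), ("padded", PADDED), ("benign", BENIGN)]:
        print(name, "exact:", scan(blob, exact_signature()),
              "padded:", scan(blob, padded_signature()))
```

The exact pattern misses the padded sample while the gap-tolerant one still finds it at the same offset; the flip side is that every tolerated gap widens the pattern and has to be checked against benign code for false positives.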

Antiviruses are composed of multiple systems and techniques. Regexp is just one.
That also makes sense. Got any further reading?