Yataglass: Network-Level Code Emulation for Analyzing Memory-Scanning Attacks

Abstract. Remote code-injection attacks are one of the most frequently used attacking vectors in computer security. To detect and analyze in-jected code (often called shellcode), some researchers have proposed network-level code emulators. A network-level code emulator can detect shellcode accurately and help analysts to understand the behavior of shellcode. We demonstrated that memory-scanning attacks can evade current emula-tors, and propose Yataglass, an elaborated network-level code emulator, that enables us to analyze shellcode that incorporates memory-scanning attacks. According to our experimental results, Yataglass successfully emulated and analyzed real shellcode into which we had manually incor-porated memory-scanning attacks