Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan


Context-keyed payload encoders will probably not stop a dedicated forensic analyst from performing an off-line analysis of an exploit's encoded payload, the system it targeted, and the target application, and eventually recovering the key value that was used. Contextual keying will, however, prevent an automated system from decoding the payload in real time when that system has no access to an adequate memory map of the target from which to retrieve the key, and no automated method of constructing one.
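The asymmetry described above can be made concrete with a small added example (this is illustrative code written for this edit, not code from the paper or from any encoder it discusses). It assumes a constructed memory image of a few 32-bit words, a toy repeating-XOR encoder whose key is one of those words, and an analyst-supplied plausibility check (here, a known plaintext prefix) that an off-line investigator would use to confirm a candidate decoding. With the memory image in hand the key is found by enumerating a handful of aligned words; a sensor that sees only the wire bytes has no such list and faces the full key space.

```python
import struct
from typing import Callable, List, Tuple

WORD = 4

# Constructed sample "memory image" of the target process: six 32-bit words,
# stored little-endian. One of them (0xdeadbeef at offset 8) is the value the
# encoder used as its context key. All values here are made up for the demo.
MEMORY_IMAGE = b"".join(
    struct.pack("<I", w)
    for w in (0x00000000, 0x12345678, 0xDEADBEEF, 0x11223344, 0xFFFFFFFF, 0xA0A0A0A0)
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Toy encoder/decoder: XOR every byte with the repeating 4-byte key.
    XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key[i % WORD] for i, b in enumerate(data))


def context_key_at(image: bytes, offset: int) -> bytes:
    """Read the 4-byte word at `offset` of the image: this is the 'context'
    a context-keyed decoder would fetch from the live process."""
    return image[offset:offset + WORD]


def recover_key(
    image: bytes,
    blob: bytes,
    looks_decoded: Callable[[bytes], bool],
) -> List[Tuple[int, bytes]]:
    """Off-line forensic step: treat every aligned word of the memory image
    as a candidate key, decode the blob with it, and keep the offsets whose
    output satisfies the analyst's plausibility check."""
    hits = []
    for off in range(0, len(image) - WORD + 1, WORD):
        cand = context_key_at(image, off)
        if looks_decoded(xor_with_key(blob, cand)):
            hits.append((off, cand))
    return hits


def keyspace_without_context() -> int:
    """What a real-time sensor without a memory map would have to search:
    every possible 4-byte key rather than a few dozen words from the image."""
    return 2 ** (8 * WORD)


# Constructed plaintext standing in for a payload; no real code is involved.
SAMPLE_PLAINTEXT = b"CONTEXT-KEYED SAMPLE PAYLOAD"
KEY_OFFSET = 8  # where the encoder found its key in MEMORY_IMAGE (assumed)
ENCODED_BLOB = xor_with_key(SAMPLE_PLAINTEXT, context_key_at(MEMORY_IMAGE, KEY_OFFSET))


def forensic_demo() -> List[Tuple[int, bytes]]:
    """Analyst with the memory image and a known-prefix check finds the key."""
    return recover_key(MEMORY_IMAGE, ENCODED_BLOB, lambda d: d.startswith(b"CONTEXT"))


if __name__ == "__main__":
    for off, key in forensic_demo():
        print(f"key 0x{struct.unpack('<I', key)[0]:08x} at image offset {off}")
    print(f"without the image: {keyspace_without_context()} candidate keys")
```

The plausibility check is the weak link for an automated sensor: even with a memory map, it needs some way to tell a correct decoding from garbage, which is why the paper frames real-time decoding as requiring both the map and an automated way to use it.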

As systems hardware technology and software capability continue to improve, network security and monitoring systems will likely begin to join the few currently existing systems[5, 2-4][4] that attempt to perform this type of real-time analysis of suspected network exploit traffic, and more specifically, exploit payloads.