Donkey On A Waffle
Context-keyed Payload Encoding
Tue, 12 Feb 2008 14:58

|)ruid wrote an interesting paper for the most recent Uninformed Journal on context-keyed payload encoding. This is essentially the act of encoding an exploit's payload with a key derived from the context of the target system. This removes the decoding key from the decoding stub itself, causing inline inspection engines a significant amount of difficulty: if the engine can't properly analyze, in real time, the context of the environment in which the code is going to run, it will be impossible to decode the payload for IPS-based blocking of the attempted attack. Interesting read. Now, if the IPS has access to the target environment for contextual analysis, it is theoretically possible to create a system that sandboxes the code, executes it, analyzes it for the de-obfuscation stub, and eventually retrieves and reviews the actual exploit code. I wonder when the IPS vendors out there will consider taking this into account in their engines. It appears to be a battle that is yet to be waged.
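To make the point concrete, here is a small added illustration (my own, not code from the post or from |)ruid's paper): a context-keyed XOR transform whose key is derived from a property of the target environment rather than stored in the decoder stub, plus an inspection-side check showing that an engine recovers the cleartext only when it has the real context. The context value and the "known-bad" marker are constructed stand-ins.

```python
# Added illustration (not from the original post or from |)ruid's paper):
# a context-keyed XOR transform where the key is derived from a property of
# the target environment rather than stored in the decoder stub, and an
# inspection-side check showing why an engine needs that context to decode.
import hashlib

# Constructed stand-in for the target's context (e.g. a hostname the
# decoder stub would read at run time). Assumption for this demo only.
TARGET_CONTEXT = b"host-example-01"
# Constructed marker standing in for the cleartext the engine wants to see.
MARKER = b"KNOWN-BAD-MARKER"


def derive_key(context: bytes, length: int) -> bytes:
    """Stretch a context value into a keystream with SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(context + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_transform(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, key))


def encode_with_context(cleartext: bytes, context: bytes) -> bytes:
    """Encode under a key the decoder can only rebuild from the live context."""
    return xor_transform(cleartext, derive_key(context, len(cleartext)))


def inspect_blob(blob: bytes, candidate_context: bytes) -> bool:
    """Inspection engine: decode under a guessed context, look for the marker."""
    decoded = xor_transform(blob, derive_key(candidate_context, len(blob)))
    return MARKER in decoded


def demo() -> tuple:
    blob = encode_with_context(MARKER, TARGET_CONTEXT)
    # Engine without access to the target's context: nothing recognisable.
    blind = inspect_blob(blob, b"some-other-context")
    # Engine that sandboxes the code with the real context: marker recovered.
    contextual = inspect_blob(blob, TARGET_CONTEXT)
    return blind, contextual


if __name__ == "__main__":
    print(demo())  # (False, True)
```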

Good research and a good read. If you haven't read the rest of the Uninformed Journal content, I highly advise it. Always a great read.
