Presentation is loading. Please wait.

Presentation is loading. Please wait.

.NET Reversing The Framework, the Myth, the Legend (waffle edition)

Similar presentations

Presentation on theme: ".NET Reversing The Framework, the Myth, the Legend (waffle edition)"— Presentation transcript:

1 .NET Reversing The Framework, the Myth, the Legend (waffle edition)

2 What I do have are a very particular set of skills I do appsec for financial companies Not a consultant Not here on behalf of any employer Wrote my first app in Qbasic Microsoft 4 lyfe wut wut Curator of Staring at the sun made me crazy

3 Why.NET? Current state of Java security

4 Pool’s closed Source:

5 .NET – Common Language Infrastructure Common Language Infrastructure Thanks, Wikipedia

6 Common Intermediate Language private void button1_Click(object sender, EventArgs e) { MessageBox.Show("I am in a hell of my own creation"); }.method private hidebysig instance void button1_Click ( object sender, class [mscorlib]System.EventArgs e ) cil managed { // Method begins at RVA 0x221f // Code size 13 (0xd).maxstack 8 IL_0000: nop IL_0001: ldstr "I am in a hell of my own creation" IL_0006: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string) IL_000b: pop IL_000c: ret } // end of method Form1::button1_Click

7 .NET PE File Format

8 PE Format - Metadata Streams #~ (metadata stream) Predefined content and structure Contains types, methods, fields, properties and events #Strings Namespace, type, and member names #US (user string heap) All strings embedded in source #GUID Unique identifier #Blob (binary data heap) Method signatures, generic instantiations

9 The #~ Stream: Metadata Tables 0×2: TypeDef 0×4: FieldDef 0×6: MethodDef 0×14: EventDef 0×17: PropertyDef Types, fields, methods, events and properties 0×1: TypeRef Referenced types defined in other assemblies 0xa: MemberRef Referenced members of types defined in other assemblies. 0×9: InterfaceImpl Defined types and the interfaces that type implements 0xc: CustomAttribute Info on attributes applied to elements in the assembly 0×18: MethodSemantics Links properties and events with the methods that comprise the get/set or add/remove methods of the property or method. 0x1b: TypeSpec 0x2b: MethodSpec Instantiations of generic types and methods

10 Browsing a.NET PE: CFF Explorer #~: MethodDef tables

11 # Strings Tables

12 I Love Belgium This Much

13 I heard you like mudkips obfuscators

14 :( :| …I’ll just leave this here

15 Overcoming Obfuscation Symbol Renaming Not possible if the original symbols are not in the assembly Can convert unprintable names to something resembling English Decryption Removal of proxy code / junk classes Removal of tamper detection Move methods back to their original classes “Sometimes, dead is better.”

16 Proof of Concept: Reversing Reflector

17 Goal: Add new functionality to existing binary To Do: Remove strong name singing to permit modification Identify where toolbar is created and icons defined Create new icon Locate event handler for icon click event Create new event handler Inject DLL containing our new functionality Have our new event handler reference this code

18 Strong Name Signing

19 Locating toolbar

20 Adding new toolbar icon: Injecting IL

21 Toolbar, continued: new IL IL_01ae: ldarg.0 IL_01af: ldarg.1 IL_01b0: call class [System.Drawing]System.Drawing.Image ns36.Class476::get_Nyan() IL_01b5: ldstr "Nyan!" IL_01ba: ldc.i4.0 IL_01bb: ldstr "Application.Nyan" IL_01c0: call instance void ns30.Class269::method_29(class Reflector.ICommandBar, class [S ystem.Drawing]System.Drawing.Image, string, valuetype [System.Windows.Forms]System.Windows.For ms.Keys, string) IL_01c5: ldarg.1 IL_01c6: callvirt instance class Reflector.ICommandBarItemCollection Reflector.ICommandBar::get_Items() IL_01cb: callvirt instance class Reflector.ICommandBarSeparator Reflector.ICommandBarItemCollection::AddSeparator() IL_01d0: pop

22 Toolbar continued: Modifying inline resource

23 Locating event handler private void method_26(ICommandBar toolBar) { if (toolBar != null) {voidmethod_26ICommandBar Class511 typedService = (Class511) this.GetTypedService ();Class511 GetTypedServiceILanguageManager this.method_29(toolBar, Class476.Back, "&Back", Keys.Alt | Keys.Left, "AssemblyBrowser.GoBack");method_29Class476BackKeysAltKeysLeft toolBar.Items.AddSeparator();ItemsAddSeparator this.method_29(toolBar, Class476.Open, "&Open...", Keys.Control | Keys.O, "Application.OpenFile");method_29Class476OpenKeysControlKeysO … toolBar.Items.AddSeparator();ItemsAddSeparator this.method_29(toolBar, Class476.Nyan, "Nyan!", Keys.None, "Application.Nyan");method_29Class476NyanKeysNone toolBar.Items.AddSeparator();ItemsAddSeparator }

24 Event handler, continued public void Execute(string commandName)voidExecutestring { stringstring key = commandName; if (key != null) { intint num; if (Class722.dictionary_4 == null)Class722dictionary_4 { DictionaryDictionary dictionary1 = new Dictionary (0x10);stringintDictionarystringint dictionary1.Add("Application.OpenFile", 0);Add dictionary1.Add("Application.OpenCache", 1);Add dictionary1.Add("Application.OpenList", 2);Add dictionary1.Add("Application.CloseFile", 3);Add … Class722Class722.dictionary_4 = dictionary1;dictionary_4 } if (Class722.dictionary_4.TryGetValue(key, out num))Class722dictionary_4TryGetValue { switch (num) { case 0: this.method_45(); break;method_45 case 1: this.method_46(); break;method_46 case 2: this.method_47(); break;method_47 … }

25 Adding IL to Execute() IL_00c1: ldc.i4.s 13 IL_00c3: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2 ::Add(!0, !1) IL_00c8: dup IL_00c9: ldstr "Application.Deactivate" IL_00ce: ldc.i4.s 14 IL_00d0: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2 ::Add(!0, !1) IL_00d5: dup IL_00d6: ldstr "Application.Nyan" IL_00db: ldc.i4.s 15 IL_00dd: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2 ::Add(!0, !1) … IL_01b8: ldarg.0 IL_01b9: call instance void ns30.Class269::method_65() IL_01be: leave.s IL_01c8 IL_01c0: ldarg.0 IL_01c1: call instance void ns30.Class269::nyan() IL_01c6: leave.s IL_01c8

26 Creating ns30.Class269::nyan()

27 ns30.Class269::nyan() CIL.method private hidebysig instance void nyan () cil managed {.maxstack 8 IL_0000: newobj instance void [derp]derp.hurr::.ctor() IL_0005: callvirt instance void [derp]derp.hurr::showForm() IL_000a: ret private void nyan() { new hurr().showForm(); } Where are these classes implemented?

28 Adding new DLL to Reflector

29 …aaaaaand we’re done Let’s launch it.

30 References and Resources Anatomy of a.NET Assembly CFF Explorer – PE Browser ILSpy Decompiler RedGate (SmartAssembly, Reflector, Obfuscation Checker) Reflexil – RedGate plugin for CIL injection CodeSearch – RedGate plugin, does what it says De4dot Deobfuscator

31 Questions? Twitter: @aloria Email: Blog: http://jukt-micronics.com Special thanks to: AP, CS, CV, BN, DDZ, EK, RL, SR, ZC, ZL and the fine folks at CompuServe for inventing GIF89a

Download ppt ".NET Reversing The Framework, the Myth, the Legend (waffle edition)"

Similar presentations

Ads by Google