Presentation is loading. Please wait.

Presentation is loading. Please wait.

.NET Reversing The Framework, the Myth, the Legend (waffle edition)

Published byMariano Brady Modified over 10 years ago

Similar presentations

Presentation on theme: ".NET Reversing The Framework, the Myth, the Legend (waffle edition)"— Presentation transcript:

1 .NET Reversing The Framework, the Myth, the Legend (waffle edition)

2 What I do have are a very particular set of skills I do appsec for financial companies Not a consultant Not here on behalf of any employer Wrote my first app in Qbasic Microsoft 4 lyfe wut wut Curator of securityreactions.tumblr.com Staring at the sun made me crazy

3 Why.NET? Current state of Java security

4 Pool’s closed Source: http://www.veracode.com/blog/2013/04/the-history-of-programming-languages-infographic/http://www.veracode.com/blog/2013/04/the-history-of-programming-languages-infographic/

5 .NET – Common Language Infrastructure Common Language Infrastructure Thanks, Wikipedia

6 Common Intermediate Language private void button1_Click(object sender, EventArgs e) { MessageBox.Show("I am in a hell of my own creation"); }.method private hidebysig instance void button1_Click ( object sender, class [mscorlib]System.EventArgs e ) cil managed { // Method begins at RVA 0x221f // Code size 13 (0xd).maxstack 8 IL_0000: nop IL_0001: ldstr "I am in a hell of my own creation" IL_0006: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string) IL_000b: pop IL_000c: ret } // end of method Form1::button1_Click

7 .NET PE File Format

8 PE Format - Metadata Streams #~ (metadata stream) Predefined content and structure Contains types, methods, fields, properties and events #Strings Namespace, type, and member names #US (user string heap) All strings embedded in source #GUID Unique identifier #Blob (binary data heap) Method signatures, generic instantiations

9 The #~ Stream: Metadata Tables 0×2: TypeDef 0×4: FieldDef 0×6: MethodDef 0×14: EventDef 0×17: PropertyDef Types, fields, methods, events and properties 0×1: TypeRef Referenced types defined in other assemblies 0xa: MemberRef Referenced members of types defined in other assemblies. 0×9: InterfaceImpl Defined types and the interfaces that type implements 0xc: CustomAttribute Info on attributes applied to elements in the assembly 0×18: MethodSemantics Links properties and events with the methods that comprise the get/set or add/remove methods of the property or method. 0x1b: TypeSpec 0x2b: MethodSpec Instantiations of generic types and methods

10 Browsing a.NET PE: CFF Explorer #~: MethodDef tables

11 # Strings Tables

12 I Love Belgium This Much

13 I heard you like mudkips obfuscators

14 :( :| …I’ll just leave this here

15 Overcoming Obfuscation Symbol Renaming Not possible if the original symbols are not in the assembly Can convert unprintable names to something resembling English Decryption Removal of proxy code / junk classes Removal of tamper detection Move methods back to their original classes “Sometimes, dead is better.”

16 Proof of Concept: Reversing Reflector

17 Goal: Add new functionality to existing binary To Do: Remove strong name singing to permit modification Identify where toolbar is created and icons defined Create new icon Locate event handler for icon click event Create new event handler Inject DLL containing our new functionality Have our new event handler reference this code

18 Strong Name Signing

19 Locating toolbar

20 Adding new toolbar icon: Injecting IL

21 Toolbar, continued: new IL IL_01ae: ldarg.0 IL_01af: ldarg.1 IL_01b0: call class [System.Drawing]System.Drawing.Image ns36.Class476::get_Nyan() IL_01b5: ldstr "Nyan!" IL_01ba: ldc.i4.0 IL_01bb: ldstr "Application.Nyan" IL_01c0: call instance void ns30.Class269::method_29(class Reflector.ICommandBar, class [S ystem.Drawing]System.Drawing.Image, string, valuetype [System.Windows.Forms]System.Windows.For ms.Keys, string) IL_01c5: ldarg.1 IL_01c6: callvirt instance class Reflector.ICommandBarItemCollection Reflector.ICommandBar::get_Items() IL_01cb: callvirt instance class Reflector.ICommandBarSeparator Reflector.ICommandBarItemCollection::AddSeparator() IL_01d0: pop

22 Toolbar continued: Modifying inline resource

23 Locating event handler private void method_26(ICommandBar toolBar) { if (toolBar != null) {voidmethod_26ICommandBar Class511 typedService = (Class511) this.GetTypedService ();Class511 GetTypedServiceILanguageManager this.method_29(toolBar, Class476.Back, "&Back", Keys.Alt | Keys.Left, "AssemblyBrowser.GoBack");method_29Class476BackKeysAltKeysLeft toolBar.Items.AddSeparator();ItemsAddSeparator this.method_29(toolBar, Class476.Open, "&Open...", Keys.Control | Keys.O, "Application.OpenFile");method_29Class476OpenKeysControlKeysO … toolBar.Items.AddSeparator();ItemsAddSeparator this.method_29(toolBar, Class476.Nyan, "Nyan!", Keys.None, "Application.Nyan");method_29Class476NyanKeysNone toolBar.Items.AddSeparator();ItemsAddSeparator }

24 Event handler, continued public void Execute(string commandName)voidExecutestring { stringstring key = commandName; if (key != null) { intint num; if (Class722.dictionary_4 == null)Class722dictionary_4 { DictionaryDictionary dictionary1 = new Dictionary (0x10);stringintDictionarystringint dictionary1.Add("Application.OpenFile", 0);Add dictionary1.Add("Application.OpenCache", 1);Add dictionary1.Add("Application.OpenList", 2);Add dictionary1.Add("Application.CloseFile", 3);Add … Class722Class722.dictionary_4 = dictionary1;dictionary_4 } if (Class722.dictionary_4.TryGetValue(key, out num))Class722dictionary_4TryGetValue { switch (num) { case 0: this.method_45(); break;method_45 case 1: this.method_46(); break;method_46 case 2: this.method_47(); break;method_47 … }

25 Adding IL to Execute() IL_00c1: ldc.i4.s 13 IL_00c3: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2 ::Add(!0, !1) IL_00c8: dup IL_00c9: ldstr "Application.Deactivate" IL_00ce: ldc.i4.s 14 IL_00d0: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2 ::Add(!0, !1) IL_00d5: dup IL_00d6: ldstr "Application.Nyan" IL_00db: ldc.i4.s 15 IL_00dd: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2 ::Add(!0, !1) … IL_01b8: ldarg.0 IL_01b9: call instance void ns30.Class269::method_65() IL_01be: leave.s IL_01c8 IL_01c0: ldarg.0 IL_01c1: call instance void ns30.Class269::nyan() IL_01c6: leave.s IL_01c8

26 Creating ns30.Class269::nyan()

27 ns30.Class269::nyan() CIL.method private hidebysig instance void nyan () cil managed {.maxstack 8 IL_0000: newobj instance void [derp]derp.hurr::.ctor() IL_0005: callvirt instance void [derp]derp.hurr::showForm() IL_000a: ret private void nyan() { new hurr().showForm(); } Where are these classes implemented?

28 Adding new DLL to Reflector

29 …aaaaaand we’re done Let’s launch it.

30 References and Resources Anatomy of a.NET Assembly https://www.simple-talk.com/blogs/2011/03/16/anatomy-of-a-net-assembly-clr-metadata-1/ CFF Explorer – PE Browser http://www.ntcore.com/exsuite.php ILSpy Decompiler http://ilspy.net/ RedGate (SmartAssembly, Reflector, Obfuscation Checker) http://www.red-gate.com/products/dotnet-development/ Reflexil – RedGate plugin for CIL injection http://reflexil.net/ CodeSearch – RedGate plugin, does what it says http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch De4dot Deobfuscator https://bitbucket.org/0xd4d/de4dot/

31 Questions? Twitter: @aloria Email: george.sims@jukt-micronics.comgeorge.sims@jukt-micronics.com Blog: http://jukt-micronics.comhttp://jukt-micronics.com Special thanks to: AP, CS, CV, BN, DDZ, EK, RL, SR, ZC, ZL and the fine folks at CompuServe for inventing GIF89a

Download ppt ".NET Reversing The Framework, the Myth, the Legend (waffle edition)"

Similar presentations

By Sam Nasr September 28, 2004 Understanding MSIL.

By Sam Nasr September 28, 2004 Understanding MSIL.
.NET Framework Overview

.NET Framework Overview
Chapter 1 IDE and Tools for Developing CLR-based Programs Yingcai Xiao.

Chapter 1 IDE and Tools for Developing CLR-based Programs Yingcai Xiao.
 2007 Dr. Natheer Khasawneh. Chapter 13. Graphical User Interface Concepts: Part 1.

 2007 Dr. Natheer Khasawneh. Chapter 13. Graphical User Interface Concepts: Part 1.
Performance evaluation of plagiarism detection method based on the intermediate language Vedran Juričić Tereza Jurić Marija Tkalec.

Performance evaluation of plagiarism detection method based on the intermediate language Vedran Juričić Tereza Jurić Marija Tkalec.
.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.

.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.
Disassembling for Fun Jason Haley. Who is this guy?  Certifiable (MCSD.net certified that is)  Blog –

Disassembling for Fun Jason Haley. Who is this guy?  Certifiable (MCSD.net certified that is)  Blog –
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
Oct 31, 2000Database Management -- Fall 2000 -- R. Larson Database Management: Introduction to Terms and Concepts University of California, Berkeley School.

Oct 31, 2000Database Management -- Fall R. Larson Database Management: Introduction to Terms and Concepts University of California, Berkeley School.
Advanced Object-Oriented Programming Features

Advanced Object-Oriented Programming Features
C# Programming: From Problem Analysis to Program Design1 Advanced Object-Oriented Programming Features C# Programming: From Problem Analysis to Program.

C# Programming: From Problem Analysis to Program Design1 Advanced Object-Oriented Programming Features C# Programming: From Problem Analysis to Program.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 5 LASER.

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 5 LASER.
Introducing the Common Language Runtime for.NET. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution.

Introducing the Common Language Runtime for.NET. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution.
ASP.NET Programming with C# and SQL Server First Edition

ASP.NET Programming with C# and SQL Server First Edition
Introducing the Common Language Runtime. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution engine.

Introducing the Common Language Runtime. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution engine.
.NET Attributes and Reflection “What a developer needs to know……” Dan Douglas Blog:

.NET Attributes and Reflection “What a developer needs to know……” Dan Douglas Blog:
1 An Introduction to Visual Basic 2005. 2 Objectives Explain the history of programming languages Define the terminology used in object-oriented programming.

1 An Introduction to Visual Basic Objectives Explain the history of programming languages Define the terminology used in object-oriented programming.
1 Web Services Visual C# 2008 Step by Step Chapter 30.

1 Web Services Visual C# 2008 Step by Step Chapter 30.
Lecture Roger Sutton CO530 Automation Tools 5: Class Libraries and Assemblies 1.

Lecture Roger Sutton CO530 Automation Tools 5: Class Libraries and Assemblies 1.

Similar presentations

Ads by Google