.NET Reversing The Framework, the Myth, the Legend (waffle edition)
What I do have are a very particular set of skills • I do appsec for financial companies • Not a consultant • Not here on behalf of any employer • Wrote my first app in Qbasic • Microsoft 4 lyfe wut wut • Curator of securityreactions.tumblr.com • Staring at the sun made me crazy
Why .NET? Current state of Java security
Pool’s closed (image) – Source: http://www.veracode.com/blog/2013/04/the-history-of-programming-languages-infographic/
.NET – Common Language Infrastructure (diagram: Common Language Infrastructure; thanks, Wikipedia)
Common Intermediate Language

C# source:

    private void button1_Click(object sender, EventArgs e)
    {
        MessageBox.Show("I am in a hell of my own creation");
    }

The same method as CIL (ildasm output):

    .method private hidebysig instance void button1_Click(object sender, class [mscorlib]System.EventArgs e) cil managed
    {
      // Method begins at RVA 0x221f
      // Code size       13 (0xd)
      .maxstack  8
      IL_0000:  nop
      IL_0001:  ldstr      "I am in a hell of my own creation"
      IL_0006:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
      IL_000b:  pop
      IL_000c:  ret
    } // end of method Form1::button1_Click

The leading nop is a Debug-build artifact; the pop discards the DialogResult that Show() returns and the source ignores.
PE Format - Metadata Streams
• #~ (metadata tables stream; an assembly that uses the uncompressed variant names it #- instead)
  • Predefined content and structure
  • Contains types, methods, fields, properties and events
• #Strings
  • Namespace, type, and member names (UTF-8, null-terminated)
• #US (user string heap)
  • All string literals from the source, i.e. the targets of ldstr (UTF-16)
• #GUID
  • Unique identifiers (the module's MVID lives here)
• #Blob (binary data heap)
  • Method signatures, generic instantiations, custom attribute values
The #~ Stream: Metadata Tables
• 0x2: TypeDef, 0x4: FieldDef, 0x6: MethodDef, 0x14: EventDef, 0x17: PropertyDef
  • Types, fields, methods, events and properties defined in this assembly
• 0x1: TypeRef
  • Referenced types defined in other assemblies
• 0xa: MemberRef
  • Referenced members of types defined in other assemblies
• 0x9: InterfaceImpl
  • Defined types and the interfaces each type implements
• 0xc: CustomAttribute
  • Info on attributes applied to elements in the assembly
• 0x18: MethodSemantics
  • Links properties and events with the methods that make up the get/set or add/remove of that property or event
• 0x1b: TypeSpec, 0x2b: MethodSpec
  • Instantiations of generic types and methods
Browsing a .NET PE: CFF Explorer (screenshot: the #~ stream, MethodDef table)
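What CFF Explorer shows on that screen, done by hand. The following is an added example, not code from the talk and not part of CFF Explorer: it walks a PE to the CLI header's MetaData directory, splits the metadata root into its streams, reads the #~ header to list which tables are present and their row counts, and decodes the #Strings and #US heaps (layout per ECMA-335 II.24). The sample metadata root at the bottom is constructed for this example; only locate_metadata needs a real file.

```python
import struct

TABLE_NAMES = {  # ECMA-335 II.22 table IDs (the slide lists the subset reversers hit most)
    0x00: "Module", 0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x08: "Param",
    0x09: "InterfaceImpl", 0x0A: "MemberRef", 0x0B: "Constant", 0x0C: "CustomAttribute", 0x0D: "FieldMarshal",
    0x0E: "DeclSecurity", 0x0F: "ClassLayout", 0x10: "FieldLayout", 0x11: "StandAloneSig", 0x12: "EventMap",
    0x14: "Event", 0x15: "PropertyMap", 0x17: "Property", 0x18: "MethodSemantics", 0x19: "MethodImpl",
    0x1A: "ModuleRef", 0x1B: "TypeSpec", 0x1C: "ImplMap", 0x1D: "FieldRVA", 0x20: "Assembly", 0x23: "AssemblyRef",
    0x26: "File", 0x27: "ExportedType", 0x28: "ManifestResource", 0x29: "NestedClass", 0x2A: "GenericParam",
    0x2B: "MethodSpec", 0x2C: "GenericParamConstraint",
}

def locate_metadata(pe: bytes) -> bytes:
    """DOS header -> PE header -> data directory 14 (CLI header) -> MetaData blob."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    (nsections,), (opt_size,) = struct.unpack_from("<H", pe, coff + 2), struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ optional header
    (cli_rva,) = struct.unpack_from("<I", pe, dirs + 14 * 8)
    # Section headers: VirtualAddress @12, SizeOfRawData @16, PointerToRawData @20, 40 bytes each
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(nsections)]

    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    md_rva, md_size = struct.unpack_from("<II", pe, rva_to_off(cli_rva) + 8)  # CLI header: MetaData @8
    off = rva_to_off(md_rva)
    return pe[off:off + md_size]

def parse_metadata_root(blob: bytes):
    """Return (version string, {stream name: stream bytes}); stream offsets are relative to the root."""
    sig, _major, _minor, _res, vlen = struct.unpack_from("<IHHII", blob, 0)
    if sig != 0x424A5342:                                      # "BSJB"
        raise ValueError("bad metadata signature")
    version = blob[16:16 + vlen].split(b"\0", 1)[0].decode("ascii")
    _flags, nstreams = struct.unpack_from("<HH", blob, 16 + vlen)
    pos, streams = 20 + vlen, {}
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", blob, pos)
        end = blob.index(b"\0", pos + 8)
        streams[blob[pos + 8:end].decode("ascii")] = blob[off:off + size]
        pos = (end + 4) & ~3                                   # name is null-terminated, padded to 4
    return version, streams

def parse_tables_header(tilde: bytes):
    """#~ header: HeapSizes flags plus which tables exist and how many rows each has."""
    _res, _major, _minor, heap_sizes, _res2, valid, _sorted = struct.unpack_from("<IBBBBQQ", tilde, 0)
    pos, rows = 24, {}
    for tid in range(64):
        if (valid >> tid) & 1:                                 # one row count per set bit, in table order
            (rows[TABLE_NAMES.get(tid, "0x%02x" % tid)],) = struct.unpack_from("<I", tilde, pos)
            pos += 4
    return heap_sizes, rows

def read_compressed_uint(data: bytes, pos: int):
    b0 = data[pos]                                             # ECMA-335 II.23.2: 1, 2 or 4 bytes
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | data[pos + 1], pos + 2
    return ((b0 & 0x1F) << 24) | (data[pos + 1] << 16) | (data[pos + 2] << 8) | data[pos + 3], pos + 4

def user_strings(us: bytes):
    """#US heap: length-prefixed UTF-16LE blobs; the length counts one trailing flag byte."""
    out, pos = [], 0
    while pos < len(us):
        length, pos = read_compressed_uint(us, pos)
        if length:                                             # blob 0 and end padding are empty
            out.append(us[pos:pos + length - 1].decode("utf-16-le"))
        pos += length
    return out

def heap_names(strings: bytes):
    # #Strings heap: null-terminated UTF-8 names; offset 0 is the empty string
    return [s.decode("utf-8", "replace") for s in strings.split(b"\0") if s]

def unprintable_names(strings: bytes):
    # names an obfuscator left unprintable, i.e. the ones a renaming pass has to replace
    return [n for n in heap_names(strings) if not n.isprintable()]

def build_sample_root() -> bytes:
    """Constructed metadata root (not from any real binary): three streams, no table rows."""
    valid = sum(1 << t for t in (0x00, 0x01, 0x02, 0x06, 0x0A))
    tilde = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0) + struct.pack("<5I", 1, 3, 2, 4, 5)
    strings = b"\0Form1\0button1_Click\0\x01\x02\0"            # last name mimics an obfuscator
    us_entry = lambda s: bytes([2 * len(s) + 1]) + s.encode("utf-16-le") + b"\0"  # BMP chars, < 0x80 bytes
    us = b"\0" + us_entry("Nyan!") + us_entry("I am in a hell of my own creation")
    version = b"v4.0.30319\0".ljust(12, b"\0")
    names = [(b"#~", tilde), (b"#Strings", strings), (b"#US", us)]
    root = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version + struct.pack("<HH", 0, len(names))
    off = len(root) + sum(8 + ((len(n) + 4) & ~3) for n, _ in names)
    for n, data in names:
        root += struct.pack("<II", off, len(data)) + (n + b"\0").ljust((len(n) + 4) & ~3, b"\0")
        off += len(data)
    return root + b"".join(d for _, d in names)
```

To point it at a real assembly, feed `locate_metadata(open(path, "rb").read())` to `parse_metadata_root`; the row counts from `parse_tables_header` should match the table sizes CFF Explorer shows, and `user_strings` is the fastest way to see every ldstr target before opening a decompiler. `parse_tables_header` stops at the header on purpose: row layouts depend on the HeapSizes bits (4-byte heap indexes when set) and on the row counts of other tables, which is where a full parser, or CFF Explorer, takes over.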
Overcoming Obfuscation
• Symbol renaming
  • The original names cannot be recovered if they are no longer in the assembly
  • Unprintable or colliding names can be rewritten to something resembling English
• Decryption of encrypted strings and resources
• Removal of proxy code and junk classes
• Removal of tamper detection
• Moving methods back to their original classes
• “Sometimes, dead is better.”
Goal: Add new functionality to an existing binary
• To do:
  • Remove the strong name signature to permit modification
  • Identify where the toolbar is created and its icons are defined
  • Create a new icon
  • Locate the event handler for the icon click event
  • Create a new event handler
  • Inject a DLL containing our new functionality
  • Have our new event handler reference this code
Toolbar, continued: new IL

    IL_01ae:  ldarg.0
    IL_01af:  ldarg.1
    IL_01b0:  call       class [System.Drawing]System.Drawing.Image ns36.Class476::get_Nyan()
    IL_01b5:  ldstr      "Nyan!"
    IL_01ba:  ldc.i4.0
    IL_01bb:  ldstr      "Application.Nyan"
    IL_01c0:  call       instance void ns30.Class269::method_29(class Reflector.ICommandBar, class [System.Drawing]System.Drawing.Image, string, valuetype [System.Windows.Forms]System.Windows.Forms.Keys, string)
    IL_01c5:  ldarg.1
    IL_01c6:  callvirt   instance class Reflector.ICommandBarItemCollection Reflector.ICommandBar::get_Items()
    IL_01cb:  callvirt   instance class Reflector.ICommandBarSeparator Reflector.ICommandBarItemCollection::AddSeparator()
    IL_01d0:  pop
Event handler, continued (decompiled)

    public void Execute(string commandName)
    {
        string key = commandName;
        if (key != null)
        {
            int num;
            if (Class722.dictionary_4 == null)
            {
                Dictionary<string, int> dictionary1 = new Dictionary<string, int>(0x10);
                dictionary1.Add("Application.OpenFile", 0);
                dictionary1.Add("Application.OpenCache", 1);
                dictionary1.Add("Application.OpenList", 2);
                dictionary1.Add("Application.CloseFile", 3);
                …
                Class722.dictionary_4 = dictionary1;
            }
            if (Class722.dictionary_4.TryGetValue(key, out num))
            {
                switch (num)
                {
                    case 0: this.method_45(); break;
                    case 1: this.method_46(); break;
                    case 2: this.method_47(); break;
                    …
                }
            }
        }
    }
Adding IL to Execute()

    IL_00c1:  ldc.i4.s   13
    IL_00c3:  call       instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
    IL_00c8:  dup
    IL_00c9:  ldstr      "Application.Deactivate"
    IL_00ce:  ldc.i4.s   14
    IL_00d0:  call       instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
    IL_00d5:  dup
    IL_00d6:  ldstr      "Application.Nyan"
    IL_00db:  ldc.i4.s   15
    IL_00dd:  call       instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
    …
    IL_01b8:  ldarg.0
    IL_01b9:  call       instance void ns30.Class269::method_65()
    IL_01be:  leave.s    IL_01c8
    IL_01c0:  ldarg.0
    IL_01c1:  call       instance void ns30.Class269::nyan()
    IL_01c6:  leave.s    IL_01c8
ns30.Class269::nyan() CIL

    .method private hidebysig instance void nyan() cil managed
    {
      .maxstack  8
      IL_0000:  newobj     instance void [derp]derp.hurr::.ctor()
      IL_0005:  callvirt   instance void [derp]derp.hurr::showForm()
      IL_000a:  ret
    }

Equivalent C#:

    private void nyan() { new hurr().showForm(); }

Where are these classes implemented? Not in this binary: [derp] is the assembly reference to the injected DLL, which has to sit where the patched executable can load it.
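The steps above, scripted. This is an added example using Mono.Cecil (the library Reflexil is built on); it is not the talk's code and not Reflexil's. The type and member names (ns30.Class269, Execute, derp.hurr, showForm, "Application.Nyan") are the ones on the slides; the file names Reflector.exe and derp.dll, the output name, and the assumption that every switch case ends in a branch to one shared exit are mine. The toolbar item from the earlier slide is added the same way (ldstr/call into method_29) and is left out here.

```csharp
using System;
using System.IO;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;
using Mono.Cecil.Rocks;

static class Patcher
{
    static void Main(string[] args)
    {
        // Assumed file names; pass your own as arguments.
        string target = args.Length > 0 ? args[0] : "Reflector.exe";
        string payload = args.Length > 1 ? args[1] : "derp.dll";

        var resolver = new DefaultAssemblyResolver();
        resolver.AddSearchDirectory(Path.GetDirectoryName(Path.GetFullPath(target)));
        var asm = AssemblyDefinition.ReadAssembly(target, new ReaderParameters { AssemblyResolver = resolver });
        var mod = asm.MainModule;

        // 1. Remove the strong name: a modified body can never verify against it.
        //    This does nothing about in-app tamper checks; those are a separate patch.
        asm.Name.HasPublicKey = false;
        asm.Name.PublicKey = Array.Empty<byte>();
        mod.Attributes &= ~ModuleAttributes.StrongNameSigned;

        // 2. Import the payload's ctor and showForm(); this adds the [derp] AssemblyRef.
        var hurr = AssemblyDefinition.ReadAssembly(payload).MainModule.GetType("derp.hurr");
        MethodReference ctor = mod.ImportReference(hurr.Methods.First(m => m.Name == ".ctor" && !m.HasParameters));
        MethodReference show = mod.ImportReference(hurr.Methods.First(m => m.Name == "showForm"));

        // 3. Add "private void nyan() { new hurr().showForm(); }" to the command handler class.
        var host = mod.GetType("ns30.Class269");
        var nyan = new MethodDefinition("nyan", MethodAttributes.Private | MethodAttributes.HideBySig, mod.TypeSystem.Void);
        var nil = nyan.Body.GetILProcessor();
        nil.Append(nil.Create(OpCodes.Newobj, ctor));
        nil.Append(nil.Create(OpCodes.Callvirt, show));
        nil.Append(nil.Create(OpCodes.Ret));
        host.Methods.Add(nyan);

        // 4. Extend Execute(string): one more Dictionary.Add and one more switch case.
        var execute = host.Methods.First(m => m.Name == "Execute" && m.Parameters.Count == 1);
        var body = execute.Body;
        body.SimplifyMacros();                     // ldc.i4.s / leave.s -> long forms while editing
        var il = body.GetILProcessor();

        var adds = body.Instructions.Where(i => i.OpCode == OpCodes.Call
            && i.Operand is MethodReference mr && mr.Name == "Add"
            && mr.DeclaringType.Name == "Dictionary`2").ToList();
        var lastAdd = adds.Last();
        int caseIndex = adds.Count;                // existing values are 0..N-1, ours is N
        var cursor = lastAdd;
        foreach (var ins in new[] {
            il.Create(OpCodes.Dup),                // dictionary1 is still on the stack after Add
            il.Create(OpCodes.Ldstr, "Application.Nyan"),
            il.Create(OpCodes.Ldc_I4, caseIndex),
            il.Create(OpCodes.Call, (MethodReference)lastAdd.Operand) })
        {
            il.InsertAfter(cursor, ins);
            cursor = ins;
        }

        var sw = body.Instructions.First(i => i.OpCode == OpCodes.Switch);
        var targets = (Instruction[])sw.Operand;
        if (targets.Length != caseIndex)
            throw new InvalidOperationException("switch cases and dictionary entries disagree; patch by hand");
        // Assumption: each case ends in an unconditional branch (leave, since the switch is in a try)
        // to a shared exit. Walk the last case to its branch and reuse that target.
        var exitBranch = targets[targets.Length - 1];
        while (exitBranch.OpCode.FlowControl != FlowControl.Branch) exitBranch = exitBranch.Next;
        var caseStart = il.Create(OpCodes.Ldarg_0);
        var callNyan = il.Create(OpCodes.Call, nyan);
        var caseExit = il.Create(exitBranch.OpCode, (Instruction)exitBranch.Operand);
        il.InsertAfter(exitBranch, caseStart);     // still inside the try: before TryEnd
        il.InsertAfter(caseStart, callNyan);
        il.InsertAfter(callNyan, caseExit);
        sw.Operand = targets.Concat(new[] { caseStart }).ToArray();
        body.OptimizeMacros();

        string output = Path.ChangeExtension(target, ".patched.exe");
        asm.Write(output);
        Console.WriteLine($"wrote {output}: case {caseIndex} -> {host.FullName}::nyan");
    }
}
```

Build against the Mono.Cecil package and run it from the directory that holds both files. Before launching the result, run PEVerify on it: a wrong stack depth in the new case (for instance a missing dup) shows up there as an IL verification error instead of as an InvalidProgramException at runtime. derp.dll must be next to the patched executable, since the [derp] reference carries no public key and the loader probes the application directory for it; if the target application still checks its own signature or hash at startup, that is the "removal of tamper detection" item from the obfuscation slide and needs its own patch.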
…aaaaaand we’re done Let’s launch it.
References and Resources
• Anatomy of a .NET Assembly – https://www.simple-talk.com/blogs/2011/03/16/anatomy-of-a-net-assembly-clr-metadata-1/
• CFF Explorer – PE browser – http://www.ntcore.com/exsuite.php
• ILSpy decompiler – http://ilspy.net/
• Red Gate (SmartAssembly, Reflector, Obfuscation Checker) – http://www.red-gate.com/products/dotnet-development/
• Reflexil – Reflector add-in for CIL injection – http://reflexil.net/
• CodeSearch – Reflector add-in, does what it says – http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch
• de4dot deobfuscator – https://bitbucket.org/0xd4d/de4dot/
Questions? • Twitter: @aloria • Email: george.sims@jukt-micronics.com • Blog: http://jukt-micronics.com Special thanks to: AP, CS, CV, BN, DDZ, EK, RL, SR, ZC, ZL and the fine folks at CompuServe for inventing GIF89a