Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ToorCamp 2016 - Reverse Engineering & Attacking...

ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binaries code base. Moving forward I will show how to modify running applications with advanced .NET and assembly level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.

You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.

Topher Timzen

June 11, 2016
Tweet

More Decks by Topher Timzen

Other Decks in Programming

Transcript

  1. What is .NET Common Language Runtime (CLR) • Manages execution

    of .NET programs. • Responsible for Just-in-time compilation, Memory management, type safety, garbage collection, etc. • CLR 2.0 and CLR 4.0 are both widely used. • Open Sourced (kind-of) http://referencesource.microsoft.com/ Common Intermediate Language (CIL) • Independent set of instructions converted to native machine language through implicit complication. • Memory is allocated for the assembly per JIT. • Marked as RWX
  2. Runtime .NET Process CLR (2.0/4.0) & AppDomains Assemblies (.EXE and

    .DLL(s)) Objects Properties Fields Instance Methods Classes Methods Logic
  3. WinDbg & SOS The best one liner in history (for

    .NET) Loads Son of Strike (SOS.DLL) !for_each_module .if(($sicmp( "@#ModuleName" , "mscorwks") = 0) ) {.loadby sos mscorwks} .elsif ($sicmp( "@#ModuleName" , "clr") = 0) {.loadby sos clr}
  4. JIT Transformation of IL to native ASM Only JITs when

    a method is called! • Objects Garbage Collected unless pinned – Everything in .NET is System.Object (Remember Java?) • We can use this to our advantage later.
  5. JIT WinDbg helps us view JIT patterns 1) !dumpdomain 2)

    !dumpmodule –mt <domain MT> 3) !dumpmt –md <module MT> PreJIT is native .NET None = not yet JIT JIT = JIT’d
  6. Hooking JIT Mscorjit/Clrjit.dll Can hook jit.dll::compileMethod VTable entry Useful to

    determine code flow / event tracing https://github.com/UbbeLoL/SJITHook
  7. Managed Heap Storage point for .NET Objects New reference objects

    added to heap Garbage Collector removes dead objects http://www.tophertimzen.com/blog/dotNetHeapObjects/
  8. Runtime Objects All objects are pointers to a location on

    the Managed Heap. !dumpheap !dumpheap –mt <method table> !dumpobj <object address>
  9. System.Reflection View metadata of AppDomains & Assemblies Contains method body,

    IL, Method signature, classes, type information, etc. • Ability to view all metadata! Essentially every .NET RE tool uses reflection as primary means of obtaining metadata
  10. What .NET Packers Do Obfuscated .NET is still object-oriented and

    contains all needed metadata. Static DEobfuscators work well with .NET as .NET obfuscators/packers cannot really do a whole lot. • Really just refactor code to be ugly.
  11. How to Get Around Them System.Reflection.Assebmly.Load is used to decompress/decrypt

    the assembly before running it. • Breakpoint at entry -> dump code
  12. How to Get Around Them .cctor is used to init

    itself (static constructor) and is called for each Type. Unpacking can occur at .cctor as it is called before static members are referenced or before the first instance object is created. Program::Main() executes Program::.cctor() beforehand. Breakpoint at <module>::.cctor() -> dump code
  13. de4dot De4dot does this for us. Contains 21 deobfuscator modules.

    de4dot program.exe -o program_deobfuscated.exe Not rolled into DnSpy. Gray Wolf has this native.
  14. Types of Attacks CLR to abuse raw objects on managed

    heap Manipulate AppDomains to control loaded code and Just-In-Time Compilation Attack with ASM due to RWX JIT • Alter control flow Post-exploitation Techniques or Local Binaries
  15. Gray Frost 2 round payload delivery system C++ .NET CLR

    Bootstrapper Creates or injects 4.0 runtime Pivots into 2.0 runtime if needed Contains raw payload for round 2
  16. Gray Storm Reconnaissance and In-memory attack payload Features Attacking the

    .NET JIT Attacking .NET at the ASM level Utilize objects on the Managed Heap
  17. Method Table Hijack Method Tables contain address of JIT stub

    for a class’s methods. During JIT the Method Table is referenced We can control the address
  18. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects http://www.tophertimzen.com/blog/dotNetHeapObjects/
  19. CLRMD Microsoft.Diagnostics.Runtime.CLRMD Makes object hunting a lot easier but increases

    overhead. • Practical for game hacking, attacks that can touch disk, etc. Object Control = Power
  20. Key Weaknesses in .NET Due to runtime reflection you cannot

    store any secrets • All code is viewable! Update systems are easy to manipulate • Ensure app is using secure update mechanisms • See MitM KeePass Licensing Mechanisms Poor Communications Security
  21. Reversing Just add this to EULA. Hackers listen. and read

    EULA. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. Limitations on Reverse Engineering, Decompilation, Disassembly and change (add,delete or modify) the resources in the compiled the assembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.
  22. EMET Attack Surface Reduction (ASR) prevents DLL Injection • Mostly

    dead technique with modern mitigations. – Requires local access.
  23. Defensive Code Write good Defensive .NET Applications • Depends what

    you want to protect. Don’t expose secrets If you want to pretend to hide code use a C++ DLL and import it
  24. More .NET at ToorCamp! Jon McCoy Friday June 10th @

    16:00 Workshop • Hacking .NET/C# Applications: Hands on Black Arts • Today @ 1700