Reverse Engineering and Attacking .NET Applications Topher Timzen 

Topher Timzen Security Researcher, Intel @TTimzen TopherTimzen.com #whoami 

Overview Intro to the .NET Reverse Engineering .NET Attacking .NET Runtime Defense Strategies Next Steps 

Intro to .NET 

What is .NET Common Language Runtime (CLR) • Manages execution of .NET programs. • Responsible for Just-in-time compilation, Memory management, type safety, garbage collection, etc. • CLR 2.0 and CLR 4.0 are both widely used. • Open Sourced (kind-of) http://referencesource.microsoft.com/ Common Intermediate Language (CIL) • Independent set of instructions converted to native machine language through implicit complication. • Memory is allocated for the assembly per JIT. • Marked as RWX 

C# v. CIL v. ASM 

C# v. CIL v. ASM 

C# v. CIL v. ASM 

Runtime .NET Process CLR (2.0/4.0) & AppDomains Assemblies (.EXE and .DLL(s)) Objects Properties Fields Instance Methods Classes Methods Logic 

Reverse Engineering .NET 

Tools of the Trade SOS.DLL & WinDbg DnSpy De4dot Runtime Reflection 

WinDbg & SOS The best one liner in history (for .NET) Loads Son of Strike (SOS.DLL) !for_each_module .if(($sicmp( "@#ModuleName" , "mscorwks") = 0) ) {.loadby sos mscorwks} .elsif ($sicmp( "@#ModuleName" , "clr") = 0) {.loadby sos clr} 

JIT Transformation of IL to native ASM Only JITs when a method is called! • Objects Garbage Collected unless pinned – Everything in .NET is System.Object (Remember Java?) • We can use this to our advantage later. 

JIT WinDbg helps us view JIT patterns 1) !dumpdomain 2) !dumpmodule –mt 3) !dumpmt –md PreJIT is native .NET None = not yet JIT JIT = JIT’d 

JIT WinDbg helps us view JIT patterns !dumpdomain 

JIT WinDbg helps us view JIT patterns !dumpmodule –mt 

JIT WinDbg helps us view JIT patterns !dumpmt –md 

Hooking JIT Mscorjit/Clrjit.dll Can hook jit.dll::compileMethod VTable entry Useful to determine code flow / event tracing https://github.com/UbbeLoL/SJITHook 

Managed Heap Storage point for .NET Objects New reference objects added to heap Garbage Collector removes dead objects http://www.tophertimzen.com/blog/dotNetHeapObjects/ 

Runtime Objects All objects are pointers to a location on the Managed Heap. !dumpheap !dumpheap –mt !dumpobj 

System.Reflection View metadata of AppDomains & Assemblies Contains method body, IL, Method signature, classes, type information, etc. • Ability to view all metadata! Essentially every .NET RE tool uses reflection as primary means of obtaining metadata 

Reflection https://github.com/tophertimzen/reflectionDemo 

DnSpy https://github.com/0xd4d/dnSpy Branded as an “.NET assembly editor, decompiler, and debugger” Great for IL Editing – On-Disk Attacking 

What .NET Packers Do Obfuscated .NET is still object-oriented and contains all needed metadata. Static DEobfuscators work well with .NET as .NET obfuscators/packers cannot really do a whole lot. • Really just refactor code to be ugly. 

How to Get Around Them System.Reflection.Assebmly.Load is used to decompress/decrypt the assembly before running it. • Breakpoint at entry -> dump code 

How to Get Around Them .cctor is used to init itself (static constructor) and is called for each Type. Unpacking can occur at .cctor as it is called before static members are referenced or before the first instance object is created. Program::Main() executes Program::.cctor() beforehand. Breakpoint at ::.cctor() -> dump code 

de4dot De4dot does this for us. Contains 21 deobfuscator modules. de4dot program.exe -o program_deobfuscated.exe Not rolled into DnSpy. Gray Wolf has this native. 

Attacking .NET Applications in Memory 

Types of Attacks CLR to abuse raw objects on managed heap Manipulate AppDomains to control loaded code and Just-In-Time Compilation Attack with ASM due to RWX JIT • Alter control flow Post-exploitation Techniques or Local Binaries 

Tools https://github.com/GrayKernel Gray Frost & Gray Storm .NET CLR Bootstrapper and Memory Attack Platform 

Gray Frost 2 round payload delivery system C++ .NET CLR Bootstrapper Creates or injects 4.0 runtime Pivots into 2.0 runtime if needed Contains raw payload for round 2 

Gray Storm Reconnaissance and In-memory attack payload Features Attacking the .NET JIT Attacking .NET at the ASM level Utilize objects on the Managed Heap 

Method Table Hijack Method Tables contain address of JIT stub for a class’s methods. During JIT the Method Table is referenced We can control the address 

ASM Payloads Address of a method known through Reflection Overwrite method logic with new ASM 

Finding Objects at Runtime i. Construct an object and find location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects http://www.tophertimzen.com/blog/dotNetHeapObjects/ 

CLRMD Microsoft.Diagnostics.Runtime.CLRMD Makes object hunting a lot easier but increases overhead. • Practical for game hacking, attacks that can touch disk, etc. Object Control = Power 

Automation 

Automation GrayFrost can be used with automated payloads 

Application Weaknesses 

Key Weaknesses in .NET Due to runtime reflection you cannot store any secrets • All code is viewable! Update systems are easy to manipulate • Ensure app is using secure update mechanisms • See MitM KeePass Licensing Mechanisms Poor Communications Security 

Defense Techniques 

Reversing Just add this to EULA. Hackers listen. and read EULA. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. Limitations on Reverse Engineering, Decompilation, Disassembly and change (add,delete or modify) the resources in the compiled the assembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. 

EMET Attack Surface Reduction (ASR) prevents DLL Injection • Mostly dead technique with modern mitigations. – Requires local access. 

Defensive Code Write good Defensive .NET Applications • Depends what you want to protect. Don’t expose secrets If you want to pretend to hide code use a C++ DLL and import it 

Conclusion 

More .NET at ToorCamp! Jon McCoy Friday June 10th @ 16:00 Workshop • Hacking .NET/C# Applications: Hands on Black Arts • Today @ 1700 

Questions? Contact Me @TTimzen https://www.tophertimzen.com Get Gray Frost and Storm github.com/graykernel