ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binaries code base. Moving forward I will show how to modify running applications with advanced .NET and assembly level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.

You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.


Topher Timzen

June 11, 2016


  1. 5.

    What is .NET Common Language Runtime (CLR) • Manages execution

    of .NET programs. • Responsible for Just-in-time compilation, Memory management, type safety, garbage collection, etc. • CLR 2.0 and CLR 4.0 are both widely used. • Open Sourced (kind-of) Common Intermediate Language (CIL) • Independent set of instructions converted to native machine language through implicit complication. • Memory is allocated for the assembly per JIT. • Marked as RWX
  2. 9.

    Runtime .NET Process CLR (2.0/4.0) & AppDomains Assemblies (.EXE and

    .DLL(s)) Objects Properties Fields Instance Methods Classes Methods Logic
  3. 12.

    WinDbg & SOS The best one liner in history (for

    .NET) Loads Son of Strike (SOS.DLL) !for_each_module .if(($sicmp( "@#ModuleName" , "mscorwks") = 0) ) {.loadby sos mscorwks} .elsif ($sicmp( "@#ModuleName" , "clr") = 0) {.loadby sos clr}
  4. 13.

    JIT Transformation of IL to native ASM Only JITs when

    a method is called! • Objects Garbage Collected unless pinned – Everything in .NET is System.Object (Remember Java?) • We can use this to our advantage later.
  5. 14.

    JIT WinDbg helps us view JIT patterns 1) !dumpdomain 2)

    !dumpmodule –mt <domain MT> 3) !dumpmt –md <module MT> PreJIT is native .NET None = not yet JIT JIT = JIT’d
  6. 18.

    Hooking JIT Mscorjit/Clrjit.dll Can hook jit.dll::compileMethod VTable entry Useful to

    determine code flow / event tracing
  7. 19.

    Managed Heap Storage point for .NET Objects New reference objects

    added to heap Garbage Collector removes dead objects
  8. 20.

    Runtime Objects All objects are pointers to a location on

    the Managed Heap. !dumpheap !dumpheap –mt <method table> !dumpobj <object address>
  9. 21.

    System.Reflection View metadata of AppDomains & Assemblies Contains method body,

    IL, Method signature, classes, type information, etc. • Ability to view all metadata! Essentially every .NET RE tool uses reflection as primary means of obtaining metadata
  10. 23.
  11. 24.

    What .NET Packers Do Obfuscated .NET is still object-oriented and

    contains all needed metadata. Static DEobfuscators work well with .NET as .NET obfuscators/packers cannot really do a whole lot. • Really just refactor code to be ugly.
  12. 25.

    How to Get Around Them System.Reflection.Assebmly.Load is used to decompress/decrypt

    the assembly before running it. • Breakpoint at entry -> dump code
  13. 26.

    How to Get Around Them .cctor is used to init

    itself (static constructor) and is called for each Type. Unpacking can occur at .cctor as it is called before static members are referenced or before the first instance object is created. Program::Main() executes Program::.cctor() beforehand. Breakpoint at <module>::.cctor() -> dump code
  14. 27.

    de4dot De4dot does this for us. Contains 21 deobfuscator modules.

    de4dot program.exe -o program_deobfuscated.exe Not rolled into DnSpy. Gray Wolf has this native.
  15. 29.

    Types of Attacks CLR to abuse raw objects on managed

    heap Manipulate AppDomains to control loaded code and Just-In-Time Compilation Attack with ASM due to RWX JIT • Alter control flow Post-exploitation Techniques or Local Binaries
  16. 31.

    Gray Frost 2 round payload delivery system C++ .NET CLR

    Bootstrapper Creates or injects 4.0 runtime Pivots into 2.0 runtime if needed Contains raw payload for round 2
  17. 32.

    Gray Storm Reconnaissance and In-memory attack payload Features Attacking the

    .NET JIT Attacking .NET at the ASM level Utilize objects on the Managed Heap
  18. 33.

    Method Table Hijack Method Tables contain address of JIT stub

    for a class’s methods. During JIT the Method Table is referenced We can control the address
  19. 35.

    Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects
  20. 36.

    CLRMD Microsoft.Diagnostics.Runtime.CLRMD Makes object hunting a lot easier but increases

    overhead. • Practical for game hacking, attacks that can touch disk, etc. Object Control = Power
  21. 40.

    Key Weaknesses in .NET Due to runtime reflection you cannot

    store any secrets • All code is viewable! Update systems are easy to manipulate • Ensure app is using secure update mechanisms • See MitM KeePass Licensing Mechanisms Poor Communications Security
  22. 42.

    Reversing Just add this to EULA. Hackers listen. and read

    EULA. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. Limitations on Reverse Engineering, Decompilation, Disassembly and change (add,delete or modify) the resources in the compiled the assembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.
  23. 43.

    EMET Attack Surface Reduction (ASR) prevents DLL Injection • Mostly

    dead technique with modern mitigations. – Requires local access.
  24. 44.

    Defensive Code Write good Defensive .NET Applications • Depends what

    you want to protect. Don’t expose secrets If you want to pretend to hide code use a C++ DLL and import it
  25. 46.

    More .NET at ToorCamp! Jon McCoy Friday June 10th @

    16:00 Workshop • Hacking .NET/C# Applications: Hands on Black Arts • Today @ 1700