ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

Transcript

1. Reverse Engineering and
   Attacking .NET
   Applications
   Topher Timzen
   

   View Slide

2. Topher Timzen
   Security Researcher, Intel
   @TTimzen
   TopherTimzen.com
   #whoami
   

   View Slide

3. Overview
   Intro to the .NET
   Reverse Engineering .NET
   Attacking .NET Runtime
   Defense Strategies
   Next Steps
   

   View Slide

4. Intro to .NET
   

   View Slide

5. What is .NET
   Common Language Runtime (CLR)
   • Manages execution of .NET programs.
   • Responsible for Just-in-time compilation, Memory management, type safety,
   garbage collection, etc.
   • CLR 2.0 and CLR 4.0 are both widely used.
   • Open Sourced (kind-of) http://referencesource.microsoft.com/
   Common Intermediate Language (CIL)
   • Independent set of instructions converted to native machine language through
   implicit complication.
   • Memory is allocated for the assembly per JIT.
   • Marked as RWX
   

   View Slide

6. C# v. CIL v. ASM
   

   View Slide

7. C# v. CIL v. ASM
   

   View Slide

8. C# v. CIL v. ASM
   

   View Slide

9. Runtime
   .NET Process
   CLR (2.0/4.0) & AppDomains
   Assemblies (.EXE and .DLL(s))
   Objects
   Properties
   Fields
   Instance Methods
   Classes
   Methods
   Logic
   

   View Slide

10. Reverse Engineering .NET
    

    View Slide

11. Tools of the Trade
    SOS.DLL & WinDbg
    DnSpy
    De4dot
    Runtime Reflection
    

    View Slide

12. WinDbg & SOS
    The best one liner in history (for .NET)
    Loads Son of Strike (SOS.DLL)
    !for_each_module .if(($sicmp( "@#ModuleName" ,
    "mscorwks") = 0) ) {.loadby sos mscorwks}
    .elsif ($sicmp( "@#ModuleName" , "clr") = 0)
    {.loadby sos clr}
    

    View Slide

13. JIT
    Transformation of IL to native ASM
    Only JITs when a method is called!
    • Objects Garbage Collected unless
    pinned
    – Everything in .NET is System.Object
    (Remember Java?)
    • We can use this to our advantage
    later.
    

    View Slide

14. JIT
    WinDbg helps us view JIT patterns
    1) !dumpdomain
    2) !dumpmodule –mt
    3) !dumpmt –md
    PreJIT is native .NET
    None = not yet JIT
    JIT = JIT’d
    

    View Slide

15. JIT
    WinDbg helps us view JIT patterns
    !dumpdomain
    

    View Slide

16. JIT
    WinDbg helps us view JIT patterns
    !dumpmodule –mt
    

    View Slide

17. JIT
    WinDbg helps us view JIT patterns
    !dumpmt –md
    

    View Slide

18. Hooking JIT
    Mscorjit/Clrjit.dll
    Can hook jit.dll::compileMethod VTable
    entry
    Useful to determine code flow / event
    tracing
    https://github.com/UbbeLoL/SJITHook
    

    View Slide

19. Managed Heap
    Storage point for .NET Objects
    New reference objects added to heap
    Garbage Collector removes dead
    objects
    http://www.tophertimzen.com/blog/dotNetHeapObjects/
    

    View Slide

20. Runtime Objects
    All objects are pointers to a location on
    the Managed Heap.
    !dumpheap
    !dumpheap –mt
    !dumpobj
    

    View Slide

21. System.Reflection
    View metadata of AppDomains &
    Assemblies
    Contains method body, IL, Method
    signature, classes, type information,
    etc.
    • Ability to view all metadata!
    Essentially every .NET RE tool uses
    reflection as primary means of obtaining
    metadata
    

    View Slide

22. Reflection
    https://github.com/tophertimzen/reflectionDemo
    

    View Slide

23. DnSpy
    https://github.com/0xd4d/dnSpy
    Branded as an “.NET assembly editor,
    decompiler, and debugger”
    Great for IL Editing – On-Disk Attacking
    

    View Slide

24. What .NET Packers Do
    Obfuscated .NET is still object-oriented
    and contains all needed metadata.
    Static DEobfuscators work well with
    .NET as .NET obfuscators/packers
    cannot really do a whole lot.
    • Really just refactor code to be ugly.
    

    View Slide

25. How to Get Around Them
    System.Reflection.Assebmly.Load is
    used to decompress/decrypt the
    assembly before running it.
    • Breakpoint at entry -> dump code
    

    View Slide

26. How to Get Around Them
    .cctor is used to init itself (static
    constructor) and is called for each Type.
    Unpacking can occur at .cctor as it is
    called before static members are
    referenced or before the first instance
    object is created.
    Program::Main() executes
    Program::.cctor() beforehand.
    Breakpoint at ::.cctor() -> dump
    code
    

    View Slide

27. de4dot
    De4dot does this for us.
    Contains 21 deobfuscator modules.
    de4dot program.exe -o
    program_deobfuscated.exe
    Not rolled into DnSpy. Gray Wolf has
    this native.
    

    View Slide

28. Attacking .NET
    Applications in Memory
    

    View Slide

29. Types of Attacks
    CLR to abuse raw objects on managed
    heap
    Manipulate AppDomains to control
    loaded code and Just-In-Time Compilation
    Attack with ASM due to RWX JIT
    • Alter control flow
    Post-exploitation Techniques or Local
    Binaries
    

    View Slide

30. Tools
    https://github.com/GrayKernel
    Gray Frost & Gray Storm
    .NET CLR Bootstrapper and Memory
    Attack Platform
    

    View Slide

31. Gray Frost
    2 round payload delivery system
    C++ .NET CLR Bootstrapper
    Creates or injects 4.0 runtime
    Pivots into 2.0 runtime if needed
    Contains raw payload for round 2
    

    View Slide

32. Gray Storm
    Reconnaissance and In-memory attack
    payload
    Features
    Attacking the .NET JIT
    Attacking .NET at the ASM level
    Utilize objects on the Managed Heap
    

    View Slide

33. Method Table Hijack
    Method Tables contain address of JIT
    stub for a class’s methods.
    During JIT the Method Table is referenced
    We can control the address
    

    View Slide

34. ASM Payloads
    Address of a method known through
    Reflection
    Overwrite method logic with new ASM
    

    View Slide

35. Finding Objects at Runtime
    i. Construct an object and find
    location of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object
    pointers
    iv. Convert object pointers to raw
    objects
    http://www.tophertimzen.com/blog/dotNetHeapObjects/
    

    View Slide

36. CLRMD
    Microsoft.Diagnostics.Runtime.CLRMD
    Makes object hunting a lot easier but
    increases overhead.
    • Practical for game hacking, attacks
    that can touch disk, etc.
    Object Control = Power
    

    View Slide

37. Automation
    

    View Slide

38. Automation
    GrayFrost can be used with automated
    payloads
    

    View Slide

39. Application Weaknesses
    

    View Slide

40. Key Weaknesses in .NET
    Due to runtime reflection you cannot
    store any secrets
    • All code is viewable!
    Update systems are easy to manipulate
    • Ensure app is using secure update
    mechanisms
    • See MitM KeePass
    Licensing Mechanisms
    Poor Communications Security
    

    View Slide

41. Defense Techniques
    

    View Slide

42. Reversing
    Just add this to EULA. Hackers listen. and read EULA.
    DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
    Limitations on Reverse Engineering, Decompilation,
    Disassembly and change (add,delete or modify) the
    resources in the compiled the assembly.
    You may not reverse engineer, decompile, or disassemble the
    SOFTWARE PRODUCT, except and only to the extent that
    such activity is expressly permitted by applicable law
    notwithstanding this limitation.
    

    View Slide

43. EMET
    Attack Surface Reduction (ASR)
    prevents DLL Injection
    • Mostly dead technique with modern
    mitigations.
    – Requires local access.
    

    View Slide

44. Defensive Code
    Write good Defensive .NET Applications
    • Depends what you want to protect.
    Don’t expose secrets
    If you want to pretend to hide code use
    a C++ DLL and import it
    

    View Slide

45. Conclusion
    

    View Slide

46. More .NET at ToorCamp!
    Jon McCoy Friday June 10th @ 16:00
    Workshop
    • Hacking .NET/C# Applications: Hands on Black
    Arts
    • Today @ 1700
    

    View Slide

47. Questions?
    Contact Me
    @TTimzen
    https://www.tophertimzen.com
    Get Gray Frost and Storm
    github.com/graykernel
    

    View Slide