Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binaries code base. Moving forward I will show how to modify running applications with advanced .NET and assembly level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.

You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.


Topher Timzen

June 11, 2016


  1. Reverse Engineering and Attacking .NET Applications Topher Timzen

  2. Topher Timzen Security Researcher, Intel @TTimzen TopherTimzen.com #whoami

  3. Overview Intro to the .NET Reverse Engineering .NET Attacking .NET

    Runtime Defense Strategies Next Steps
  4. Intro to .NET

  5. What is .NET Common Language Runtime (CLR) • Manages execution

    of .NET programs. • Responsible for Just-in-time compilation, Memory management, type safety, garbage collection, etc. • CLR 2.0 and CLR 4.0 are both widely used. • Open Sourced (kind-of) http://referencesource.microsoft.com/ Common Intermediate Language (CIL) • Independent set of instructions converted to native machine language through implicit complication. • Memory is allocated for the assembly per JIT. • Marked as RWX
  6. C# v. CIL v. ASM

  7. C# v. CIL v. ASM

  8. C# v. CIL v. ASM

  9. Runtime .NET Process CLR (2.0/4.0) & AppDomains Assemblies (.EXE and

    .DLL(s)) Objects Properties Fields Instance Methods Classes Methods Logic
  10. Reverse Engineering .NET

  11. Tools of the Trade SOS.DLL & WinDbg DnSpy De4dot Runtime

  12. WinDbg & SOS The best one liner in history (for

    .NET) Loads Son of Strike (SOS.DLL) !for_each_module .if(($sicmp( "@#ModuleName" , "mscorwks") = 0) ) {.loadby sos mscorwks} .elsif ($sicmp( "@#ModuleName" , "clr") = 0) {.loadby sos clr}
  13. JIT Transformation of IL to native ASM Only JITs when

    a method is called! • Objects Garbage Collected unless pinned – Everything in .NET is System.Object (Remember Java?) • We can use this to our advantage later.
  14. JIT WinDbg helps us view JIT patterns 1) !dumpdomain 2)

    !dumpmodule –mt <domain MT> 3) !dumpmt –md <module MT> PreJIT is native .NET None = not yet JIT JIT = JIT’d
  15. JIT WinDbg helps us view JIT patterns !dumpdomain

  16. JIT WinDbg helps us view JIT patterns !dumpmodule –mt <domain

  17. JIT WinDbg helps us view JIT patterns !dumpmt –md <module

  18. Hooking JIT Mscorjit/Clrjit.dll Can hook jit.dll::compileMethod VTable entry Useful to

    determine code flow / event tracing https://github.com/UbbeLoL/SJITHook
  19. Managed Heap Storage point for .NET Objects New reference objects

    added to heap Garbage Collector removes dead objects http://www.tophertimzen.com/blog/dotNetHeapObjects/
  20. Runtime Objects All objects are pointers to a location on

    the Managed Heap. !dumpheap !dumpheap –mt <method table> !dumpobj <object address>
  21. System.Reflection View metadata of AppDomains & Assemblies Contains method body,

    IL, Method signature, classes, type information, etc. • Ability to view all metadata! Essentially every .NET RE tool uses reflection as primary means of obtaining metadata
  22. Reflection https://github.com/tophertimzen/reflectionDemo

  23. DnSpy https://github.com/0xd4d/dnSpy Branded as an “.NET assembly editor, decompiler, and

    debugger” Great for IL Editing – On-Disk Attacking
  24. What .NET Packers Do Obfuscated .NET is still object-oriented and

    contains all needed metadata. Static DEobfuscators work well with .NET as .NET obfuscators/packers cannot really do a whole lot. • Really just refactor code to be ugly.
  25. How to Get Around Them System.Reflection.Assebmly.Load is used to decompress/decrypt

    the assembly before running it. • Breakpoint at entry -> dump code
  26. How to Get Around Them .cctor is used to init

    itself (static constructor) and is called for each Type. Unpacking can occur at .cctor as it is called before static members are referenced or before the first instance object is created. Program::Main() executes Program::.cctor() beforehand. Breakpoint at <module>::.cctor() -> dump code
  27. de4dot De4dot does this for us. Contains 21 deobfuscator modules.

    de4dot program.exe -o program_deobfuscated.exe Not rolled into DnSpy. Gray Wolf has this native.
  28. Attacking .NET Applications in Memory

  29. Types of Attacks CLR to abuse raw objects on managed

    heap Manipulate AppDomains to control loaded code and Just-In-Time Compilation Attack with ASM due to RWX JIT • Alter control flow Post-exploitation Techniques or Local Binaries
  30. Tools https://github.com/GrayKernel Gray Frost & Gray Storm .NET CLR Bootstrapper

    and Memory Attack Platform
  31. Gray Frost 2 round payload delivery system C++ .NET CLR

    Bootstrapper Creates or injects 4.0 runtime Pivots into 2.0 runtime if needed Contains raw payload for round 2
  32. Gray Storm Reconnaissance and In-memory attack payload Features Attacking the

    .NET JIT Attacking .NET at the ASM level Utilize objects on the Managed Heap
  33. Method Table Hijack Method Tables contain address of JIT stub

    for a class’s methods. During JIT the Method Table is referenced We can control the address
  34. ASM Payloads Address of a method known through Reflection Overwrite

    method logic with new ASM
  35. Finding Objects at Runtime i. Construct an object and find

    location of Managed Heap ii. Signature instantiated type iii. Scan Managed Heap for object pointers iv. Convert object pointers to raw objects http://www.tophertimzen.com/blog/dotNetHeapObjects/
  36. CLRMD Microsoft.Diagnostics.Runtime.CLRMD Makes object hunting a lot easier but increases

    overhead. • Practical for game hacking, attacks that can touch disk, etc. Object Control = Power
  37. Automation

  38. Automation GrayFrost can be used with automated payloads

  39. Application Weaknesses

  40. Key Weaknesses in .NET Due to runtime reflection you cannot

    store any secrets • All code is viewable! Update systems are easy to manipulate • Ensure app is using secure update mechanisms • See MitM KeePass Licensing Mechanisms Poor Communications Security
  41. Defense Techniques

  42. Reversing Just add this to EULA. Hackers listen. and read

    EULA. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. Limitations on Reverse Engineering, Decompilation, Disassembly and change (add,delete or modify) the resources in the compiled the assembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.
  43. EMET Attack Surface Reduction (ASR) prevents DLL Injection • Mostly

    dead technique with modern mitigations. – Requires local access.
  44. Defensive Code Write good Defensive .NET Applications • Depends what

    you want to protect. Don’t expose secrets If you want to pretend to hide code use a C++ DLL and import it
  45. Conclusion

  46. More .NET at ToorCamp! Jon McCoy Friday June 10th @

    16:00 Workshop • Hacking .NET/C# Applications: Hands on Black Arts • Today @ 1700
  47. Questions? Contact Me @TTimzen https://www.tophertimzen.com Get Gray Frost and Storm