Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binaries code base. Moving forward I will show how to modify running applications with advanced .NET and assembly level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.

You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.

Topher Timzen

June 11, 2016
Tweet

More Decks by Topher Timzen

Other Decks in Programming

Transcript

  1. Reverse Engineering and
    Attacking .NET
    Applications
    Topher Timzen

    View Slide

  2. Topher Timzen
    Security Researcher, Intel
    @TTimzen
    TopherTimzen.com
    #whoami

    View Slide

  3. Overview
    Intro to the .NET
    Reverse Engineering .NET
    Attacking .NET Runtime
    Defense Strategies
    Next Steps

    View Slide

  4. Intro to .NET

    View Slide

  5. What is .NET
    Common Language Runtime (CLR)
    • Manages execution of .NET programs.
    • Responsible for Just-in-time compilation, Memory management, type safety,
    garbage collection, etc.
    • CLR 2.0 and CLR 4.0 are both widely used.
    • Open Sourced (kind-of) http://referencesource.microsoft.com/
    Common Intermediate Language (CIL)
    • Independent set of instructions converted to native machine language through
    implicit complication.
    • Memory is allocated for the assembly per JIT.
    • Marked as RWX

    View Slide

  6. C# v. CIL v. ASM

    View Slide

  7. C# v. CIL v. ASM

    View Slide

  8. C# v. CIL v. ASM

    View Slide

  9. Runtime
    .NET Process
    CLR (2.0/4.0) & AppDomains
    Assemblies (.EXE and .DLL(s))
    Objects
    Properties
    Fields
    Instance Methods
    Classes
    Methods
    Logic

    View Slide

  10. Reverse Engineering .NET

    View Slide

  11. Tools of the Trade
    SOS.DLL & WinDbg
    DnSpy
    De4dot
    Runtime Reflection

    View Slide

  12. WinDbg & SOS
    The best one liner in history (for .NET)
    Loads Son of Strike (SOS.DLL)
    !for_each_module .if(($sicmp( "@#ModuleName" ,
    "mscorwks") = 0) ) {.loadby sos mscorwks}
    .elsif ($sicmp( "@#ModuleName" , "clr") = 0)
    {.loadby sos clr}

    View Slide

  13. JIT
    Transformation of IL to native ASM
    Only JITs when a method is called!
    • Objects Garbage Collected unless
    pinned
    – Everything in .NET is System.Object
    (Remember Java?)
    • We can use this to our advantage
    later.

    View Slide

  14. JIT
    WinDbg helps us view JIT patterns
    1) !dumpdomain
    2) !dumpmodule –mt
    3) !dumpmt –md
    PreJIT is native .NET
    None = not yet JIT
    JIT = JIT’d

    View Slide

  15. JIT
    WinDbg helps us view JIT patterns
    !dumpdomain

    View Slide

  16. JIT
    WinDbg helps us view JIT patterns
    !dumpmodule –mt

    View Slide

  17. JIT
    WinDbg helps us view JIT patterns
    !dumpmt –md

    View Slide

  18. Hooking JIT
    Mscorjit/Clrjit.dll
    Can hook jit.dll::compileMethod VTable
    entry
    Useful to determine code flow / event
    tracing
    https://github.com/UbbeLoL/SJITHook

    View Slide

  19. Managed Heap
    Storage point for .NET Objects
    New reference objects added to heap
    Garbage Collector removes dead
    objects
    http://www.tophertimzen.com/blog/dotNetHeapObjects/

    View Slide

  20. Runtime Objects
    All objects are pointers to a location on
    the Managed Heap.
    !dumpheap
    !dumpheap –mt
    !dumpobj

    View Slide

  21. System.Reflection
    View metadata of AppDomains &
    Assemblies
    Contains method body, IL, Method
    signature, classes, type information,
    etc.
    • Ability to view all metadata!
    Essentially every .NET RE tool uses
    reflection as primary means of obtaining
    metadata

    View Slide

  22. Reflection
    https://github.com/tophertimzen/reflectionDemo

    View Slide

  23. DnSpy
    https://github.com/0xd4d/dnSpy
    Branded as an “.NET assembly editor,
    decompiler, and debugger”
    Great for IL Editing – On-Disk Attacking

    View Slide

  24. What .NET Packers Do
    Obfuscated .NET is still object-oriented
    and contains all needed metadata.
    Static DEobfuscators work well with
    .NET as .NET obfuscators/packers
    cannot really do a whole lot.
    • Really just refactor code to be ugly.

    View Slide

  25. How to Get Around Them
    System.Reflection.Assebmly.Load is
    used to decompress/decrypt the
    assembly before running it.
    • Breakpoint at entry -> dump code

    View Slide

  26. How to Get Around Them
    .cctor is used to init itself (static
    constructor) and is called for each Type.
    Unpacking can occur at .cctor as it is
    called before static members are
    referenced or before the first instance
    object is created.
    Program::Main() executes
    Program::.cctor() beforehand.
    Breakpoint at ::.cctor() -> dump
    code

    View Slide

  27. de4dot
    De4dot does this for us.
    Contains 21 deobfuscator modules.
    de4dot program.exe -o
    program_deobfuscated.exe
    Not rolled into DnSpy. Gray Wolf has
    this native.

    View Slide

  28. Attacking .NET
    Applications in Memory

    View Slide

  29. Types of Attacks
    CLR to abuse raw objects on managed
    heap
    Manipulate AppDomains to control
    loaded code and Just-In-Time Compilation
    Attack with ASM due to RWX JIT
    • Alter control flow
    Post-exploitation Techniques or Local
    Binaries

    View Slide

  30. Tools
    https://github.com/GrayKernel
    Gray Frost & Gray Storm
    .NET CLR Bootstrapper and Memory
    Attack Platform

    View Slide

  31. Gray Frost
    2 round payload delivery system
    C++ .NET CLR Bootstrapper
    Creates or injects 4.0 runtime
    Pivots into 2.0 runtime if needed
    Contains raw payload for round 2

    View Slide

  32. Gray Storm
    Reconnaissance and In-memory attack
    payload
    Features
    Attacking the .NET JIT
    Attacking .NET at the ASM level
    Utilize objects on the Managed Heap

    View Slide

  33. Method Table Hijack
    Method Tables contain address of JIT
    stub for a class’s methods.
    During JIT the Method Table is referenced
    We can control the address

    View Slide

  34. ASM Payloads
    Address of a method known through
    Reflection
    Overwrite method logic with new ASM

    View Slide

  35. Finding Objects at Runtime
    i. Construct an object and find
    location of Managed Heap
    ii. Signature instantiated type
    iii. Scan Managed Heap for object
    pointers
    iv. Convert object pointers to raw
    objects
    http://www.tophertimzen.com/blog/dotNetHeapObjects/

    View Slide

  36. CLRMD
    Microsoft.Diagnostics.Runtime.CLRMD
    Makes object hunting a lot easier but
    increases overhead.
    • Practical for game hacking, attacks
    that can touch disk, etc.
    Object Control = Power

    View Slide

  37. Automation

    View Slide

  38. Automation
    GrayFrost can be used with automated
    payloads

    View Slide

  39. Application Weaknesses

    View Slide

  40. Key Weaknesses in .NET
    Due to runtime reflection you cannot
    store any secrets
    • All code is viewable!
    Update systems are easy to manipulate
    • Ensure app is using secure update
    mechanisms
    • See MitM KeePass
    Licensing Mechanisms
    Poor Communications Security

    View Slide

  41. Defense Techniques

    View Slide

  42. Reversing
    Just add this to EULA. Hackers listen. and read EULA.
    DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
    Limitations on Reverse Engineering, Decompilation,
    Disassembly and change (add,delete or modify) the
    resources in the compiled the assembly.
    You may not reverse engineer, decompile, or disassemble the
    SOFTWARE PRODUCT, except and only to the extent that
    such activity is expressly permitted by applicable law
    notwithstanding this limitation.

    View Slide

  43. EMET
    Attack Surface Reduction (ASR)
    prevents DLL Injection
    • Mostly dead technique with modern
    mitigations.
    – Requires local access.

    View Slide

  44. Defensive Code
    Write good Defensive .NET Applications
    • Depends what you want to protect.
    Don’t expose secrets
    If you want to pretend to hide code use
    a C++ DLL and import it

    View Slide

  45. Conclusion

    View Slide

  46. More .NET at ToorCamp!
    Jon McCoy Friday June 10th @ 16:00
    Workshop
    • Hacking .NET/C# Applications: Hands on Black
    Arts
    • Today @ 1700

    View Slide

  47. Questions?
    Contact Me
    @TTimzen
    https://www.tophertimzen.com
    Get Gray Frost and Storm
    github.com/graykernel

    View Slide