
ToorCamp 2016 - Reverse Engineering & Attacking .NET Applications

This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binary's code base. Moving forward I will show how to modify running applications with advanced .NET and assembly-level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.

You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.

Topher Timzen

June 11, 2016

Transcript

  1. What is .NET
     Common Language Runtime (CLR)
     • Manages execution of .NET programs.
     • Responsible for just-in-time compilation, memory management, type safety, garbage collection, etc.
     • CLR 2.0 and CLR 4.0 are both widely used.
     • Open sourced (kind of): http://referencesource.microsoft.com/
     Common Intermediate Language (CIL)
     • Platform-independent instruction set, converted to native machine code by implicit (just-in-time) compilation.
     • Memory for the native code is allocated per JIT, i.e. method by method as each is compiled.
     • That memory is marked RWX.
  2. Runtime
     .NET Process
       CLR (2.0/4.0) & AppDomains
         Assemblies (.EXE and .DLL(s))
           Classes (instantiated as Objects on the heap)
             Methods, Properties, Fields, Instance Methods
               Logic
  3. WinDbg & SOS
     The best one-liner in history (for .NET). Loads Son of Strike (SOS.dll) against whichever runtime is in the process (mscorwks = CLR 2.0, clr = CLR 4.0):
       !for_each_module .if(($sicmp( "@#ModuleName" , "mscorwks") = 0) ) {.loadby sos mscorwks} .elsif ($sicmp( "@#ModuleName" , "clr") = 0) {.loadby sos clr}
  4. JIT
     Transformation of IL to native ASM. A method is only JIT'd when it is first called!
     • Objects are garbage collected unless pinned.
       – Everything in .NET derives from System.Object (remember Java?)
     • We can use this to our advantage later.
  5. JIT
     WinDbg helps us view JIT patterns:
     1) !dumpdomain                        -> assemblies and module addresses in each AppDomain
     2) !dumpmodule -mt <module address>   -> method tables defined in that module
     3) !dumpmt -md <method table>         -> method descriptors of the type, with their JIT status
     JIT status column: PreJIT = native image (NGEN'd), NONE = not yet JIT'd, JIT = JIT'd
  6. Hooking JIT
     mscorjit.dll (CLR 2.0) / clrjit.dll (CLR 4.0)
     Can hook the compileMethod entry in the JIT's ICorJitCompiler vtable; every method passes through it on first call.
     Useful to determine code flow / event tracing. The hook itself must already be JIT'd before it is installed, or compiling the hook recurses into the hook.
     https://github.com/UbbeLoL/SJITHook
  7. Managed Heap
     Storage point for .NET objects. New reference objects are added to the heap; the garbage collector removes dead objects.
     http://www.tophertimzen.com/blog/dotNetHeapObjects/
  8. Runtime Objects
     All object references are pointers to a location on the managed heap.
       !dumpheap
       !dumpheap -mt <method table>
       !dumpobj <object address>
  9. System.Reflection
     View metadata of AppDomains & assemblies: method bodies, IL, method signatures, classes, type information, etc.
     • Ability to view all metadata!
     Essentially every .NET RE tool uses reflection, or a metadata reader that parses the same tables, as its primary means of obtaining metadata.
  10. What .NET Packers Do
     Obfuscated .NET is still object-oriented and still contains all the metadata the runtime needs.
     Static deobfuscators work well with .NET because .NET obfuscators/packers cannot really do a whole lot.
     • Really they just refactor the code to be ugly.
  11. How to Get Around Them
     System.Reflection.Assembly.Load is used to decompress/decrypt the assembly in memory before running it.
     • Breakpoint at the entry of Assembly.Load(byte[]) -> dump the decrypted byte[] argument
  12. How to Get Around Them
     .cctor (the static constructor) initialises a type and runs once for each type that defines one, before any static member is referenced and before the first instance object is created. Unpacking can occur there.
     Program::Main() executes Program::.cctor() beforehand, and the module initialiser <Module>::.cctor() runs before the assembly's entry point.
     Breakpoint at <Module>::.cctor() -> dump code
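
A toy version of the packer pattern slides 11 and 12 describe, added here as an example; it is not code from the talk or from any of the tools it mentions. The real program is carried as an XOR-obscured file, a static constructor decodes it and hands it to Assembly.Load(byte[]), and Main then invokes the unpacked entry point. The file name payload.bin, the key 0x5A and the "pack" subcommand are placeholders chosen for the example.

```csharp
using System;
using System.IO;
using System.Reflection;

// Added example (not the talk's code). Usage:
//   Stub.exe pack Real.exe   -> writes payload.bin (XOR-obscured copy of Real.exe)
//   Stub.exe [args...]       -> .cctor unpacks payload.bin, Main runs the unpacked program
static class Stub
{
    const byte Key = 0x5A;                    // placeholder key: trivial on purpose
    const string PayloadFile = "payload.bin"; // placeholder file name

    // Assigned by the static constructor, which the CLR runs before Main
    // because Stub defines an explicit .cctor (slide 12).
    static readonly Assembly Unpacked;

    static Stub()
    {
        if (!File.Exists(PayloadFile)) return;   // first run in "pack" mode: nothing to unpack
        byte[] clear = Xor(File.ReadAllBytes(PayloadFile));
        // Analyst breakpoint goes here: the byte[] passed to Assembly.Load is the
        // plaintext assembly, ready to be written to disk (slide 11).
        Unpacked = Assembly.Load(clear);
    }

    static byte[] Xor(byte[] input)
    {
        var output = new byte[input.Length];
        for (int i = 0; i < input.Length; i++) output[i] = (byte)(input[i] ^ Key);
        return output;
    }

    static int Main(string[] args)
    {
        if (args.Length == 2 && args[0] == "pack")
        {
            File.WriteAllBytes(PayloadFile, Xor(File.ReadAllBytes(args[1])));
            Console.WriteLine("wrote " + PayloadFile);
            return 0;
        }
        if (Unpacked == null) { Console.Error.WriteLine("missing " + PayloadFile); return 1; }

        // Transfer control to the unpacked program's entry point.
        MethodInfo entry = Unpacked.EntryPoint;
        object[] invokeArgs = entry.GetParameters().Length == 0 ? null : new object[] { args };
        object ret = entry.Invoke(null, invokeArgs);
        return ret is int rc ? rc : 0;
    }
}
```

To recover the payload without reversing the XOR, break on Assembly.Load(byte[]) (in dnSpy, a breakpoint on the method; in WinDbg with SOS on .NET Framework, !bpmd mscorlib.dll System.Reflection.Assembly.Load) and save the array argument; the stub's own .cctor is the other natural breakpoint, since it runs before Main.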
  13. de4dot
     de4dot does this for us. Contains 21 deobfuscator modules.
       de4dot program.exe -o program_deobfuscated.exe
     Not rolled into dnSpy. Gray Wolf has this natively.
  14. Types of Attacks
     • CLR: abuse raw objects on the managed heap
     • Manipulate AppDomains to control loaded code and just-in-time compilation
     • Attack with ASM, possible because JIT'd code is RWX
       – Alter control flow
     Applies to post-exploitation techniques or local binaries.
  15. Gray Frost
     Two-round payload delivery system: a C++ .NET CLR bootstrapper.
     • Creates or injects the 4.0 runtime
     • Pivots into the 2.0 runtime if needed
     • Contains the raw payload for round 2
  16. Gray Storm
     Reconnaissance and in-memory attack payload. Features:
     • Attacking the .NET JIT
     • Attacking .NET at the ASM level
     • Utilizing objects on the managed heap
  17. Method Table Hijack
     Method tables contain the address of the JIT stub (and, once compiled, of the native code) for each of a class's methods.
     The method table is referenced during JIT and when calls are resolved.
     We can control the address it holds.
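
An added example, not code from the talk or from Gray Storm, of the "alter control flow with ASM because JIT'd code is RWX" attack of slides 14 and 17 in its simplest form: instead of swapping the method-table slot, it overwrites the native code the slot points to with a jump into another method, so every caller of IsLicensed lands in AlwaysTrue. Assumed: x64 Windows, .NET Framework 4.x (or .NET Core/5+ with tiered compilation disabled via DOTNET_TieredCompilation=0), the method and class names, and the placeholder licence string.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// Added example: patch a JIT'd method body with a jump to another method.
// On .NET 6+ the JIT heap is W^X by default, so VirtualProtect makes it
// writable first (alternatively set DOTNET_EnableWriteXorExecute=0).
static unsafe class JitPatch
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr addr, UIntPtr size, uint newProtect, out uint oldProtect);
    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Victim and replacement. NoInlining so each has its own native body; the
    // victim's body is longer than the 12-byte jump written into it.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static bool IsLicensed(string key) => key == "CORRECT-KEY";   // placeholder check

    [MethodImpl(MethodImplOptions.NoInlining)]
    public static bool AlwaysTrue(string key) => true;

    // GetFunctionPointer may return a precode stub (on Framework x64 an 8-byte
    // FixupPrecode packed next to other methods' stubs) instead of the body.
    // Follow "jmp rel32" / "jmp [rip+rel32]" so the real JIT'd code is patched.
    static byte* ResolveBody(byte* p)
    {
        for (int hops = 0; hops < 4; hops++)
        {
            if (p[0] == 0xE9)                         // jmp rel32
                p = p + 5 + *(int*)(p + 1);
            else if (p[0] == 0xFF && p[1] == 0x25)    // jmp qword ptr [rip+rel32]
                p = *(byte**)(p + 6 + *(int*)(p + 2));
            else
                break;
        }
        return p;
    }

    public static void Redirect(RuntimeMethodHandle from, RuntimeMethodHandle to)
    {
        // Force JIT now (slide 4: compilation is lazy); otherwise we would be
        // patching a prestub that the JIT replaces on first call.
        RuntimeHelpers.PrepareMethod(from);
        RuntimeHelpers.PrepareMethod(to);
        byte* body = ResolveBody((byte*)from.GetFunctionPointer());
        long target = (long)to.GetFunctionPointer();

        const int len = 12;
        if (!VirtualProtect((IntPtr)body, (UIntPtr)(uint)len, PAGE_EXECUTE_READWRITE, out uint old))
            throw new InvalidOperationException("VirtualProtect failed: " + Marshal.GetLastWin32Error());
        // mov rax, imm64 ; jmp rax   (rax is scratch at method entry, rcx still holds `key`)
        body[0] = 0x48; body[1] = 0xB8;
        *(long*)(body + 2) = target;
        body[10] = 0xFF; body[11] = 0xE0;
        VirtualProtect((IntPtr)body, (UIntPtr)(uint)len, old, out _);
    }

    static void Main()
    {
        Console.WriteLine(IsLicensed("wrong"));   // False
        Redirect(typeof(JitPatch).GetMethod("IsLicensed").MethodHandle,
                 typeof(JitPatch).GetMethod("AlwaysTrue").MethodHandle);
        Console.WriteLine(IsLicensed("wrong"));   // True: the call now lands in AlwaysTrue
    }
}
```

Compile with unsafe code enabled (<AllowUnsafeBlocks>true</AllowUnsafeBlocks>) for x64. The same write would work on the method-table slot itself, which is what the slide's hijack does; patching the body is simpler to demonstrate because the address comes straight from RuntimeMethodHandle.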
  18. Finding Objects at Runtime
     i.   Construct an object of the target type and find the location of the managed heap
     ii.  Take the instantiated type's signature (its method table pointer, the first word of every instance)
     iii. Scan the managed heap for object pointers carrying that signature
     iv.  Convert the object pointers to raw objects
     http://www.tophertimzen.com/blog/dotNetHeapObjects/
  19. CLRMD
     Microsoft.Diagnostics.Runtime (ClrMD) makes object hunting a lot easier but increases overhead.
     • Practical for game hacking, attacks that can touch disk, etc.
     Object control = power
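
The four steps of slide 18 carried out from outside the process with ClrMD, as slide 19 suggests; this is an added example and not the talk's or Gray Storm's code. It attaches passively, takes the target type's method table as the signature, walks the heap for objects carrying it and reads the requested fields. Assumed: the ClrMD 2.x NuGet package (Microsoft.Diagnostics.Runtime), a tool built for the same bitness as the target, and a type name such as Game.Player given on the command line (placeholder).

```csharp
using System;
using System.Linq;
using Microsoft.Diagnostics.Runtime;

// Added example: hunt instances of a type on another process's managed heap.
static class ObjectHunt
{
    // Returns the number of live instances of typeName, printing each one and
    // the requested fields along the way.
    public static int Hunt(int pid, string typeName, string[] fields)
    {
        // (i) passive attach: read the target's memory without suspending it
        using (DataTarget dt = DataTarget.AttachToProcess(pid, suspend: false))
        {
            ClrRuntime runtime = dt.ClrVersions[0].CreateRuntime();
            ClrHeap heap = runtime.Heap;
            if (!heap.CanWalkHeap) throw new InvalidOperationException("heap not walkable (GC in progress?)");

            // (ii) signature: the method table shared by every instance of the type
            ClrType type = heap.GetTypeByName(typeName)
                ?? throw new ArgumentException("type not loaded in target: " + typeName);
            Console.WriteLine($"MethodTable {typeName} = 0x{type.MethodTable:X}");

            // (iii) scan the heap for objects whose first word is that method table
            int count = 0;
            foreach (ClrObject obj in heap.EnumerateObjects())
            {
                if (obj.Type?.MethodTable != type.MethodTable) continue;
                count++;
                Console.WriteLine($"  0x{obj.Address:X} ({obj.Size} bytes)");

                // (iv) read the fields a raw object would expose
                foreach (string name in fields)
                {
                    ClrInstanceField f = type.GetFieldByName(name);
                    Console.WriteLine($"    {name} = {(f == null ? "<no such field>" : Format(obj, f))}");
                }
            }
            return count;
        }
    }

    static string Format(ClrObject obj, ClrInstanceField f)
    {
        switch (f.ElementType)
        {
            case ClrElementType.String:  return "\"" + (obj.ReadStringField(f.Name) ?? "<null>") + "\"";
            case ClrElementType.Boolean: return obj.ReadField<bool>(f.Name).ToString();
            case ClrElementType.Int32:   return obj.ReadField<int>(f.Name).ToString();
            case ClrElementType.Int64:   return obj.ReadField<long>(f.Name).ToString();
            case ClrElementType.Float:   return obj.ReadField<float>(f.Name).ToString();
            case ClrElementType.Double:  return obj.ReadField<double>(f.Name).ToString();
            default:
                return f.IsObjectReference
                    ? "ref 0x" + obj.ReadObjectField(f.Name).Address.ToString("X")
                    : "<" + f.ElementType + " not decoded>";
        }
    }

    static int Main(string[] args)
    {
        if (args.Length < 2) { Console.WriteLine("usage: ObjectHunt <pid> <Namespace.Type> [field ...]"); return 1; }
        int found = Hunt(int.Parse(args[0]), args[1], args.Skip(2).ToArray());
        Console.WriteLine($"{found} instance(s)");
        return found > 0 ? 0 : 2;
    }
}
```

Compared with the in-process scan of slide 18, this costs a full heap walk per query and needs debugger-level access to the target, which is the overhead the slide refers to; in exchange the signature is supplied by ClrMD instead of being recovered by hand from a freshly constructed object.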
  20. Key Weaknesses in .NET
     Due to runtime reflection you cannot store any secrets in the code.
     • All code is viewable!
     Update systems are easy to manipulate.
     • Ensure the app is using a secure update mechanism (e.g. signed packages fetched over TLS).
     • See the MitM attack on the KeePass update check.
     Licensing mechanisms
     Poor communications security
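
An added example, not from the talk, tying slide 9 to the first weakness on slide 20: reflection hands over every method body, so a string constant in the code is recoverable without a decompiler or a PDB. The tool walks each method's IL with System.Reflection, decodes the instruction stream so operand bytes are never mistaken for opcodes, and resolves every ldstr token through the module. Run with no argument it scans itself and finds the constructed placeholder key in the nested LicenseCheck class, which is not a real key.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Reflection.Emit;

// Added example: list every string literal (ldstr) in an assembly via reflection.
static class LdstrDump
{
    // Opcode table built from System.Reflection.Emit.OpCodes, keyed by opcode value.
    static readonly Dictionary<short, OpCode> Ops = typeof(OpCodes)
        .GetFields(BindingFlags.Public | BindingFlags.Static)
        .Select(f => (OpCode)f.GetValue(null))
        .ToDictionary(o => o.Value);

    // Constructed victim: the kind of check slide 20 warns about.
    sealed class LicenseCheck
    {
        const string MasterKey = "ACME-7F3A-DEADBEEF";   // placeholder, not a real key
        public bool Accept(string input) => input == MasterKey;
    }

    // Returns (type, method, string) for every ldstr in the assembly.
    public static List<(string Type, string Method, string Value)> Extract(Assembly asm)
    {
        var found = new List<(string, string, string)>();
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException e) { types = e.Types.Where(t => t != null).ToArray(); }

        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;
        foreach (Type t in types)
            foreach (MethodBase m in t.GetMethods(all).Cast<MethodBase>().Concat(t.GetConstructors(all)))
            {
                byte[] il = m.GetMethodBody()?.GetILAsByteArray();
                if (il == null) continue;                         // abstract, extern, P/Invoke
                foreach (int token in LdstrTokens(il))
                    found.Add((t.FullName, m.Name, m.Module.ResolveString(token)));
            }
        return found;
    }

    // Walks the IL one instruction at a time and yields the token of each ldstr (0x72).
    static IEnumerable<int> LdstrTokens(byte[] il)
    {
        int i = 0;
        while (i < il.Length)
        {
            short value = il[i] == 0xFE ? (short)(0xFE00 | il[i + 1]) : il[i];   // two-byte opcodes start with 0xFE
            i += il[i] == 0xFE ? 2 : 1;
            OpCode op = Ops[value];
            if (op == OpCodes.Ldstr) yield return BitConverter.ToInt32(il, i);
            i += OperandSize(op.OperandType, il, i);
        }
    }

    static int OperandSize(OperandType ot, byte[] il, int pos)
    {
        switch (ot)
        {
            case OperandType.InlineNone: return 0;
            case OperandType.ShortInlineBrTarget:
            case OperandType.ShortInlineI:
            case OperandType.ShortInlineVar: return 1;
            case OperandType.InlineVar: return 2;
            case OperandType.InlineI8:
            case OperandType.InlineR: return 8;
            case OperandType.InlineSwitch: return 4 + 4 * BitConverter.ToInt32(il, pos);   // count + targets
            default: return 4;   // tokens, 32-bit branch targets, int32, float32
        }
    }

    static void Main(string[] args)
    {
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0]) : Assembly.GetExecutingAssembly();
        foreach (var (type, method, value) in Extract(asm))
            Console.WriteLine($"{type}::{method}  \"{value}\"");
        // Self-scan prints, among others:  LdstrDump+LicenseCheck::Accept  "ACME-7F3A-DEADBEEF"
    }
}
```

Assembly.LoadFrom maps the target but runs none of its code until something is invoked, so the scan is safe on untrusted input. Against an obfuscated build the literals show up as calls into a string decryptor instead; run de4dot (slide 13) first and scan the output.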
  21. Reversing
     Just add this to the EULA. Hackers listen to, and read, the EULA.
       "DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. Limitations on Reverse Engineering, Decompilation, Disassembly and change (add, delete or modify) the resources in the compiled the assembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation."
  22. EMET
     Attack Surface Reduction (ASR) can block named DLLs from loading into protected processes, which stops DLL injection by a known DLL.
     • Mostly a dead technique with modern mitigations.
       – Requires local access.
  23. Defensive Code
     Write good defensive .NET applications.
     • Depends on what you want to protect.
     • Don't expose secrets.
     • If you want to pretend to hide code, put it in a C++ DLL and import it (native code still reverses, just not with a .NET decompiler).
  24. More .NET at ToorCamp!
     Jon McCoy, Friday June 10th @ 16:00
     Workshop • Hacking .NET/C# Applications: Hands on Black Arts • Today @ 17:00