.NET Reversing: The Framework, the Myth, the Legend (maple syrup edition)
Slide transcript

.NET Reversing
The Framework, the Myth, the Legend (maple syrup edition)
This is the slide where I list my resume
• I do appsec for financial companies
• Not a consultant
• Wrote my first app in QBasic
• Microsoft 4 lyfe wut wut
• Curator of securityreactions.tumblr.com
• Staring at the sun made me crazy
Why .NET?
Current state of Java security
Pool’s closed
Source: http://www.veracode.com/blog/2013/04/the-history-of-programming-languages-infographic/
.NET – Common Language Infrastructure
Common Language Infrastructure
Thanks, Wikipedia
Common Intermediate Language

private void button1_Click(object sender, EventArgs e)
{
    MessageBox.Show("I am in a hell of my own creation");
}

.method private hidebysig instance void button1_Click (
    object sender,
    class [mscorlib]System.EventArgs e
) cil managed
{
    // Method begins at RVA 0x221f
    // Code size 13 (0xd)
    .maxstack 8

    IL_0000: nop
    IL_0001: ldstr "I am in a hell of my own creation"
    IL_0006: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    IL_000b: pop
    IL_000c: ret
} // end of method Form1::button1_Click
.NET PE File Format
PE Format - Metadata Streams
• #~ (metadata stream)
  • Predefined content and structure
  • Contains types, methods, fields, properties and events
• #Strings
  • Namespace, type, and member names
• #US (user string heap)
  • All string literals embedded in the source
• #GUID
  • Unique identifiers
• #Blob (binary data heap)
  • Method signatures, generic instantiations
The #~ Stream: Metadata Tables
• 0x02: TypeDef
• 0x04: FieldDef
• 0x06: MethodDef
• 0x14: EventDef
• 0x17: PropertyDef
  • Types, fields, methods, events and properties
• 0x01: TypeRef
  • Referenced types defined in other assemblies
• 0x0a: MemberRef
  • Referenced members of types defined in other assemblies
• 0x09: InterfaceImpl
  • Defined types and the interfaces that each type implements
• 0x0c: CustomAttribute
  • Info on attributes applied to elements in the assembly
• 0x18: MethodSemantics
  • Links properties and events with the methods that comprise the get/set or add/remove methods of the property or event
• 0x1b: TypeSpec
• 0x2b: MethodSpec
  • Instantiations of generic types and methods
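To make the two slides above concrete, here is an added Python example (not code from the talk) that walks the metadata root the way CFF Explorer does: it reads the "BSJB" header, enumerates the stream directory (#~, #Strings, ...), then decodes the #~ header's Valid bitvector and row counts using the table numbers listed above. The input blob is constructed inline and is not taken from any real assembly.

```python
import struct

TABLE_NAMES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "FieldDef", 0x06: "MethodDef",
               0x09: "InterfaceImpl", 0x0a: "MemberRef", 0x0c: "CustomAttribute",
               0x14: "EventDef", 0x17: "PropertyDef", 0x18: "MethodSemantics",
               0x1b: "TypeSpec", 0x2b: "MethodSpec"}   # table numbers per ECMA-335 II.22

def pad4(n):
    return (n + 3) & ~3                   # round up to the next 4-byte boundary

def parse_metadata_root(md):
    """Parse the metadata root ('BSJB' header) and return (version, {stream: (offset, size)})."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:
        raise ValueError("not a CLI metadata root (missing BSJB signature)")
    version = md[16:16 + vlen].split(b"\0", 1)[0].decode()
    pos = 16 + vlen                       # vlen is already padded to a 4-byte multiple
    _flags, nstreams = struct.unpack_from("<HH", md, pos)
    pos, streams = pos + 4, {}
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", md, pos)
        end = md.index(b"\0", pos + 8)    # stream name: null-terminated ASCII ...
        streams[md[pos + 8:end].decode()] = (off, size)
        pos = pad4(end + 1)               # ... padded to the next 4-byte boundary
    return version, streams

def parse_tables_header(md, streams):
    """Read the #~ header: Valid says which tables exist, then one row count per present table."""
    off, _size = streams["#~"]
    _r, _maj, _min, heap_sizes, _r2, valid, _sorted = struct.unpack_from("<IBBBBQQ", md, off)
    pos, rows = off + 24, {}
    for table in range(64):               # row counts appear in ascending table-number order
        if valid >> table & 1:
            rows[TABLE_NAMES.get(table, "table_%#x" % table)] = struct.unpack_from("<I", md, pos)[0]
            pos += 4
    return heap_sizes, rows

def build_sample():
    """Constructed metadata blob (not from any real assembly) with #~ and #Strings streams."""
    version = b"v4.0.30319\0".ljust(12, b"\0")
    valid = (1 << 0x01) | (1 << 0x02) | (1 << 0x06)   # TypeRef, TypeDef, MethodDef present
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0) + struct.pack("<III", 3, 2, 5)
    bodies = [(b"#~", tables), (b"#Strings", b"\0Form1\0button1_Click\0")]
    offset = 16 + len(version) + 4 + sum(8 + pad4(len(n) + 1) for n, _ in bodies)
    headers = data = b""
    for name, body in bodies:
        headers += struct.pack("<II", offset, len(body)) + name.ljust(pad4(len(name) + 1), b"\0")
        offset, data = offset + len(body), data + body
    return (struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version
            + struct.pack("<HH", 0, len(bodies)) + headers + data)
```

The row counts are what decides the width of the indexes used inside the tables, so a parser that wants to walk MethodDef rows has to read this header first.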
Browsing a .NET PE: CFF Explorer
(screenshots: the #~ MethodDef table and the #Strings table as shown in CFF Explorer)
I heard you like mudkips obfuscators
(Feature matrix; columns: SmartAssembly, Agile.NET, dotFuscator, CryptoObfuscator, Your Mom. An X marks a supported feature.)
String Encryption: X X X X
Dependency Merging: X X
Method Parent Obfuscation: X
Control Flow Obfuscation: X X X X
Filthy Tramp: X
Symbol Renaming: X X X
Tamper Detection: X X X
Resource Encryption: X X X
Assembly Encryption: X
:( :|
…I’ll just leave this here
Overcoming Obfuscation
• Symbol Renaming
  • Not possible to undo if the original symbols are not in the assembly
  • Can convert unprintable names to something resembling English
• Decryption
• Removal of proxy code / junk classes
• Removal of tamper detection
• Move methods back to their original classes
• “Sometimes, dead is better.”
Proof of Concept: Reversing Reflector
Goal: Add new functionality to an existing binary
• To Do:
  • Remove strong name signing to permit modification
  • Identify where the toolbar is created and icons are defined
  • Create a new icon
  • Locate the event handler for the icon click event
  • Create a new event handler
  • Inject a DLL containing our new functionality
  • Have our new event handler reference this code
Strong Name Signing
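A defender-side check that pairs with the first to-do item: parse the CLI (COR20) header and report whether the STRONGNAMESIGNED flag and the strong-name signature directory still agree, since clearing that flag is what leaves the image modifiable. This is an added Python example, not the talk's code; the header layout and flag values follow ECMA-335 II.25.3.3 / CorHdr.h, and the sample header bytes are constructed.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8

def parse_cor20_header(buf, offset=0):
    """Parse the 72-byte IMAGE_COR20_HEADER (ECMA-335 II.25.3.3) found at buf[offset:]."""
    cb, major, minor, *rest = struct.unpack_from("<IHH" + "I" * 16, buf, offset)
    if cb != 72:
        raise ValueError("unexpected IMAGE_COR20_HEADER size %d" % cb)
    md_rva, md_size, flags, entry, _res_rva, _res_size, sn_rva, sn_size = rest[:8]
    return {"runtime": "%d.%d" % (major, minor), "metadata": (md_rva, md_size),
            "flags": flags, "entry_point_token": entry,
            "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
            "strong_name_signature": (sn_rva, sn_size)}

def strong_name_status(hdr):
    """'signed': flag set and a signature blob is present.
    'flag-cleared': the signature directory is still populated but STRONGNAMESIGNED is off,
    which is what a delay-signed image looks like and also what stripping the flag leaves.
    'unsigned': no signature directory at all."""
    flagged = bool(hdr["flags"] & COMIMAGE_FLAGS_STRONGNAMESIGNED)
    _rva, size = hdr["strong_name_signature"]
    if flagged and size:
        return "signed"
    return "flag-cleared" if size else "unsigned"

def build_sample(flags, sn_size):
    """Constructed 72-byte CLI header (not from a real binary); RVAs are arbitrary."""
    return struct.pack("<IHH" + "I" * 16, 72, 2, 5, 0x2000, 0x1000, flags, 0x06000001,
                       0, 0, 0x3000 if sn_size else 0, sn_size, 0, 0, 0, 0, 0, 0, 0, 0)
```

The flag itself is unauthenticated data in the image, so "signed" here only means the fields are consistent; actual integrity still comes from verifying the signature blob against the public key in the assembly.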
Locating the toolbar
Adding new toolbar icon: Injecting IL
Toolbar, continued: new IL

IL_01ae: ldarg.0
IL_01af: ldarg.1
IL_01b0: call class [System.Drawing]System.Drawing.Image ns36.Class476::get_Nyan()
IL_01b5: ldstr "Nyan!"
IL_01ba: ldc.i4.0
IL_01bb: ldstr "Application.Nyan"
IL_01c0: call instance void ns30.Class269::method_29(class Reflector.ICommandBar, class [System.Drawing]System.Drawing.Image, string, valuetype [System.Windows.Forms]System.Windows.Forms.Keys, string)
IL_01c5: ldarg.1
IL_01c6: callvirt instance class Reflector.ICommandBarItemCollection Reflector.ICommandBar::get_Items()
IL_01cb: callvirt instance class Reflector.ICommandBarSeparator Reflector.ICommandBarItemCollection::AddSeparator()
IL_01d0: pop
Toolbar, continued: Modifying the inline resource
Locating the event handler

private void method_26(ICommandBar toolBar)
{
    if (toolBar != null)
    {
        Class511 typedService = (Class511) this.GetTypedService<ILanguageManager>();
        this.method_29(toolBar, Class476.Back, "&Back", Keys.Alt | Keys.Left, "AssemblyBrowser.GoBack");
        toolBar.Items.AddSeparator();
        this.method_29(toolBar, Class476.Open, "&Open...", Keys.Control | Keys.O, "Application.OpenFile");
        …
        toolBar.Items.AddSeparator();
        this.method_29(toolBar, Class476.Nyan, "Nyan!", Keys.None, "Application.Nyan");
        toolBar.Items.AddSeparator();
    }
}
Event handler, continued

public void Execute(string commandName)
{
    string key = commandName;
    if (key != null)
    {
        int num;
        if (Class722.dictionary_4 == null)
        {
            Dictionary<string, int> dictionary1 = new Dictionary<string, int>(0x10);
            dictionary1.Add("Application.OpenFile", 0);
            dictionary1.Add("Application.OpenCache", 1);
            dictionary1.Add("Application.OpenList", 2);
            dictionary1.Add("Application.CloseFile", 3);
            …
            Class722.dictionary_4 = dictionary1;
        }
        if (Class722.dictionary_4.TryGetValue(key, out num))
        {
            switch (num)
            {
                case 0: this.method_45(); break;
                case 1: this.method_46(); break;
                case 2: this.method_47(); break;
                …
            }
        }
    }
}
Adding IL to Execute()

IL_00c1: ldc.i4.s 13
IL_00c3: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
IL_00c8: dup
IL_00c9: ldstr "Application.Deactivate"
IL_00ce: ldc.i4.s 14
IL_00d0: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
IL_00d5: dup
IL_00d6: ldstr "Application.Nyan"
IL_00db: ldc.i4.s 15
IL_00dd: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
…
IL_01b8: ldarg.0
IL_01b9: call instance void ns30.Class269::method_65()
IL_01be: leave.s IL_01c8
IL_01c0: ldarg.0
IL_01c1: call instance void ns30.Class269::nyan()
IL_01c6: leave.s IL_01c8
Creating ns30.Class269::nyan()
ns30.Class269::nyan() CIL

.method private hidebysig instance void nyan () cil managed
{
    .maxstack 8
    IL_0000: newobj instance void [derp]derp.hurr::.ctor()
    IL_0005: callvirt instance void [derp]derp.hurr::showForm()
    IL_000a: ret
}

private void nyan()
{
    new hurr().showForm();
}
Where are these classes implemented?
Adding the new DLL to Reflector
…aaaaaand we’re done. Let’s launch it.
References and Resources
• Anatomy of a .NET Assembly
  https://www.simple-talk.com/blogs/2011/03/16/anatomy-of-a-net-assembly-clr-metadata-1/
• CFF Explorer – PE Browser
  http://www.ntcore.com/exsuite.php
• ILSpy Decompiler
  http://ilspy.net/
• RedGate (SmartAssembly, Reflector, Obfuscation Checker)
  http://www.red-gate.com/products/dotnet-development/
• Reflexil – RedGate plugin for CIL injection
  http://reflexil.net/
• CodeSearch – RedGate plugin, does what it says
  http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch
• De4dot Deobfuscator
  https://bitbucket.org/0xd4d/de4dot/
Questions?
• Twitter: @aloria
• Email: [email protected]
• Blog: http://jukt-micronics.com
Special thanks to: AP, CS, CV, BN, DDZ, EK, RL, SR, ZC, ZL and the fine folks at CompuServe for inventing GIF89a