.NET Reversing
The Framework, the Myth, the Legend
(maple syrup edition)
This is the slide where I list my resume
• I do appsec for financial companies
• Not a consultant
• Wrote my first app in Qbasic
• Microsoft 4 lyfe wut wut
• Curator of securityreactions.tumblr.com
• Staring at the sun made me crazy
Why .NET?
Current state of Java security
Pool’s closed
Source: http://www.veracode.com/blog/2013/04/the-history-of-programming-languages-infographic/
.NET – Common Language Infrastructure
Common Language Infrastructure
Thanks, Wikipedia
Common Intermediate Language
private void button1_Click(object sender, EventArgs e)
{
    MessageBox.Show("I am in a hell of my own creation");
}

.method private hidebysig
    instance void button1_Click (
        object sender,
        class [mscorlib]System.EventArgs e
    ) cil managed
{
    // Method begins at RVA 0x221f
    // Code size 13 (0xd)
    .maxstack 8
    IL_0000: nop
    IL_0001: ldstr "I am in a hell of my own creation"
    IL_0006: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    IL_000b: pop
    IL_000c: ret
} // end of method Form1::button1_Click
.NET PE File Format
PE Format - Metadata Streams
• #~ (metadata stream)
  • Predefined content and structure
  • Contains types, methods, fields, properties and events
• #Strings
  • Namespace, type, and member names
• #US (user string heap)
  • All strings embedded in source
• #GUID
  • Unique identifier
• #Blob (binary data heap)
  • Method signatures, generic instantiations
The #~ Stream: Metadata Tables
• 0x2: TypeDef, 0x4: FieldDef, 0x6: MethodDef, 0x14: EventDef, 0x17: PropertyDef
  • Types, fields, methods, events and properties
• 0x1: TypeRef
  • Referenced types defined in other assemblies
• 0xa: MemberRef
  • Referenced members of types defined in other assemblies
• 0x9: InterfaceImpl
  • Defined types and the interfaces that type implements
• 0xc: CustomAttribute
  • Info on attributes applied to elements in the assembly
• 0x18: MethodSemantics
  • Links properties and events with the methods that comprise the get/set or add/remove methods of the property or event
• 0x1b: TypeSpec, 0x2b: MethodSpec
  • Instantiations of generic types and methods
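The two slides above describe the metadata root, its stream directory and the fixed header of the #~ stream. The following is an added example (my code, not from the talk or any tool it mentions) that walks exactly those structures: it reads the BSJB root, lists the streams by name, then decodes the #~ header to find which tables are present, how many rows each has, and whether heap indices are 2 or 4 bytes wide. The layout follows ECMA-335 II.24.2; the sample root is constructed inline and is not dumped from a real assembly.

```python
import struct

# Metadata table ids from ECMA-335 II.22; the slide calls out the subset met first when reading code.
TABLE_NAMES = {
    0x00: "Module", 0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field",
    0x06: "MethodDef", 0x08: "Param", 0x09: "InterfaceImpl", 0x0A: "MemberRef",
    0x0B: "Constant", 0x0C: "CustomAttribute", 0x0D: "FieldMarshal",
    0x0E: "DeclSecurity", 0x0F: "ClassLayout", 0x10: "FieldLayout",
    0x11: "StandAloneSig", 0x12: "EventMap", 0x14: "Event", 0x15: "PropertyMap",
    0x17: "Property", 0x18: "MethodSemantics", 0x19: "MethodImpl",
    0x1A: "ModuleRef", 0x1B: "TypeSpec", 0x1C: "ImplMap", 0x1D: "FieldRVA",
    0x20: "Assembly", 0x23: "AssemblyRef", 0x26: "File", 0x27: "ExportedType",
    0x28: "ManifestResource", 0x29: "NestedClass", 0x2A: "GenericParam",
    0x2B: "MethodSpec", 0x2C: "GenericParamConstraint",
}

BSJB = 0x424A5342  # metadata root signature, "BSJB" in ASCII


def parse_metadata_root(blob):
    """Return (runtime version string, {stream name: stream bytes}) for a metadata root."""
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", blob, 0)
    if sig != BSJB:
        raise ValueError("not a CLI metadata root (BSJB signature missing)")
    version = blob[16:16 + ver_len].split(b"\0", 1)[0].decode("utf-8")
    off = 16 + ver_len                     # ver_len is already rounded up to a multiple of 4
    _flags, n_streams = struct.unpack_from("<HH", blob, off)
    off += 4
    streams = {}
    for _ in range(n_streams):
        s_off, s_size = struct.unpack_from("<II", blob, off)
        off += 8
        end = blob.index(b"\0", off)       # name is null-terminated ASCII ...
        name = blob[off:end].decode("ascii")
        off = (end + 1 + 3) & ~3           # ... padded with zeros to a 4-byte boundary
        streams[name] = blob[s_off:s_off + s_size]
    return version, streams


def parse_tables_header(stream):
    """Decode the fixed #~ header: schema version, heap index widths and the row count of every present table."""
    _reserved, major, minor, heap_sizes, _reserved2 = struct.unpack_from("<IBBBB", stream, 0)
    valid, _sorted = struct.unpack_from("<QQ", stream, 8)
    rows, off = {}, 24
    for table_id in range(64):
        if valid & (1 << table_id):        # one 4-byte row count per set bit, ascending table id
            (count,) = struct.unpack_from("<I", stream, off)
            off += 4
            rows[TABLE_NAMES.get(table_id, "0x%02x" % table_id)] = count
    widths = {"#Strings": 4 if heap_sizes & 1 else 2,
              "#GUID": 4 if heap_sizes & 2 else 2,
              "#Blob": 4 if heap_sizes & 4 else 2}
    return {"schema": (major, minor), "index_widths": widths, "rows": rows, "rows_end": off}


def build_root(version, streams):
    """Assemble a metadata root from stream bytes (used here only to construct sample input)."""
    ver = version.encode("utf-8") + b"\0"
    ver += b"\0" * (-len(ver) % 4)
    header = struct.pack("<IHHII", BSJB, 1, 1, 0, len(ver)) + ver + struct.pack("<HH", 0, len(streams))
    hdr_len = len(header) + sum(8 + ((len(n) + 1 + 3) & ~3) for n in streams)
    entries, body = b"", b""
    for name, data in streams.items():
        entries += struct.pack("<II", hdr_len + len(body), len(data))
        entries += name.encode("ascii").ljust((len(name) + 1 + 3) & ~3, b"\0")
        body += data + b"\0" * (-len(data) % 4)
    return header + entries + body


def sample_root():
    """Constructed sample (not from a real assembly): a #~ stream declaring five tables plus minimal heaps."""
    valid = (1 << 0x00) | (1 << 0x01) | (1 << 0x02) | (1 << 0x06) | (1 << 0x0A)
    tables = struct.pack("<IBBBB", 0, 2, 0, 0, 1) + struct.pack("<QQ", valid, 0)
    tables += struct.pack("<5I", 1, 3, 2, 5, 4)   # Module, TypeRef, TypeDef, MethodDef, MemberRef row counts
    return build_root("v4.0.30319", {
        "#~": tables,
        "#Strings": b"\0<Module>\0Form1\0button1_Click\0",
        "#US": b"\0",
        "#GUID": bytes(16),
        "#Blob": b"\0",
    })


def summarize(blob):
    version, streams = parse_metadata_root(blob)
    return {"version": version, "streams": list(streams), **parse_tables_header(streams["#~"])}


if __name__ == "__main__":
    info = summarize(sample_root())
    print("runtime version:", info["version"])
    print("streams:", ", ".join(info["streams"]))
    for table, count in info["rows"].items():
        print("  %-16s %d rows" % (table, count))
```

On a real file the root is found through the CLI header's MetaData RVA (data directory entry 14), which is what CFF Explorer resolves for you; the row counts are the quickest sanity check that a packed or encrypted assembly really exposes its types, since a "protected" module often shows a handful of TypeDef rows and a large MethodDef table full of stubs.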
Browsing a .NET PE: CFF Explorer
#~: MethodDef tables
Strings Tables
[Obfuscator feature matrix; the rotated column labels and check marks did not survive transcription. Rows: String Encryption, Dependency Merging, Method Parent Obfuscation, Control Flow Obfuscation, Filthy Tramp, Symbol Renaming, Tamper Detection, Resource Encryption, Assembly Encryption. Columns appear to be Dotfuscator, Crypto Obfuscator, Agile.NET and SmartAssembly; which product supports which feature is not recoverable here.]
I heard you like mudkips obfuscators
…I’ll just leave this here
:(
:|
Overcoming Obfuscation
• Symbol Renaming
  • Not possible if the original symbols are not in the assembly
  • Can convert unprintable names to something resembling English
• Decryption
• Removal of proxy code / junk classes
• Removal of tamper detection
• Move methods back to their original classes
• “Sometimes, dead is better.”
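The heaps slide said #Strings holds namespace, type and member names and #US holds every string literal in the source (the operand of the ldstr in the CIL slide is a #US token), and the slide just above notes that renamed symbols cannot be recovered, only made printable. The following added example (mine, not from the talk, de4dot or any listed tool) decodes both heaps from bytes, resolves an ldstr token to its text, and proposes printable stand-ins for identifiers built from unprintable or non-ASCII characters. Heap layouts follow ECMA-335 II.24.2.3/II.24.2.4; the sample heaps are constructed inline, and the renaming rule is a heuristic of my own, not a reconstruction of the original names.

```python
import struct

# ---- compressed unsigned integers (ECMA-335 II.23.2), used for lengths in #US and #Blob ----

def read_compressed_uint(buf, off):
    """Return (value, offset just after the integer)."""
    b0 = buf[off]
    if b0 & 0x80 == 0:
        return b0, off + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[off + 1], off + 2
    if b0 & 0xE0 == 0xC0:
        return (((b0 & 0x1F) << 24) | (buf[off + 1] << 16) | (buf[off + 2] << 8) | buf[off + 3]), off + 4
    raise ValueError("invalid compressed integer at offset %d" % off)


def write_compressed_uint(n):
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", 0x8000 | n)
    if n < 0x20000000:
        return struct.pack(">I", 0xC0000000 | n)
    raise ValueError("value too large for a compressed integer")


# ---- #Strings: null-terminated UTF-8 identifiers, offset 0 is the empty string ----

def strings_heap(heap):
    """Map each identifier's start offset to the identifier stored there."""
    names, off = {}, 0
    while off < len(heap):
        end = heap.find(b"\0", off)
        if end < 0:
            end = len(heap)
        names[off] = heap[off:end].decode("utf-8", "replace")
        off = end + 1
    return names


def suspicious_names(names):
    """Identifiers an obfuscator typically leaves behind: non-ASCII or unprintable characters.
    Heuristic only; compiler-generated names such as <Module> and .ctor are printable and stay untouched."""
    return [n for _, n in sorted(names.items()) if n and not (n.isascii() and n.isprintable())]


def readable_renames(names, prefix="sym_"):
    """Printable stand-ins for the suspicious identifiers. The original names are gone from the
    assembly, so this is labelling for readability, not a recovery of the source names."""
    return {n: "%s%d" % (prefix, i + 1) for i, n in enumerate(suspicious_names(names))}


# ---- #US: compressed length, UTF-16LE text, one trailing flag byte; ldstr tokens are 0x70 | offset ----

def user_strings(heap):
    out, off = {}, 1                          # offset 0 holds the empty blob
    while off < len(heap):
        start = off
        length, off = read_compressed_uint(heap, off)
        if length:                            # length 0 is trailing heap padding
            out[start] = heap[off:off + length - 1].decode("utf-16-le")
        off += length
    return out


def resolve_ldstr(heap, token):
    """Resolve the operand of an ldstr instruction (a #US token) to its text."""
    if token >> 24 != 0x70:
        raise ValueError("not a #US token: 0x%08x" % token)
    return user_strings(heap)[token & 0x00FFFFFF]


def build_user_strings(texts):
    """Construct a #US heap from ASCII texts (sample input); returns (heap, {text: offset})."""
    heap, offsets = b"\0", {}
    for t in texts:
        data = t.encode("utf-16-le")
        offsets[t] = len(heap)
        heap += write_compressed_uint(len(data) + 1) + data + b"\0"   # flag byte is 0 for plain ASCII
    return heap, offsets


# Constructed sample heaps (not dumped from a real binary): readable names, an obfuscator-style
# control-character name, and a name hiding a zero-width space.
SAMPLE_STRINGS = (b"\0<Module>\0Form1\0button1_Click\0"
                  + "\u0001\u0002".encode("utf-8") + b"\0"
                  + "a\u200b".encode("utf-8") + b"\0")
SAMPLE_US, SAMPLE_US_OFFSETS = build_user_strings(["I am in a hell of my own creation", "Nyan!"])

if __name__ == "__main__":
    print("renames:", readable_renames(strings_heap(SAMPLE_STRINGS)))
    for text, off in SAMPLE_US_OFFSETS.items():
        print("ldstr 0x%08x -> %r" % (0x70000000 | off, resolve_ldstr(SAMPLE_US, 0x70000000 | off)))
```

Because #US is a plain length-prefixed heap, every literal an author typed is visible to this loop; that is the gap the "String Encryption" row of the feature matrix closes, and a #US heap that is nearly empty in a program with a rich UI is a quick tell that a string decryptor is in play.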
Proof of Concept: Reversing Reflector
Goal: Add new functionality to existing binary
• To do:
  • Remove strong name signing to permit modification
  • Identify where toolbar is created and icons defined
  • Create new icon
  • Locate event handler for icon click event
  • Create new event handler
  • Inject DLL containing our new functionality
  • Have our new event handler reference this code
Strong Name Signing
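Removing strong name signing is the first step of the PoC, and it is also the step that leaves the clearest trace in the file: the CLI header carries a STRONGNAMESIGNED flag and a directory entry pointing at the signature blob, and the two should agree. The following added example (my code, not from the talk) parses that header and cross-checks flag against directory; it assumes the ECMA-335 II.25.3.3 layout and the standard COMIMAGE_FLAGS values, and the header bytes it runs on are constructed, not taken from Reflector or any real binary.

```python
import struct

# COMIMAGE_FLAGS_* from the CLI header (ECMA-335 II.25.3.3.1)
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_32BITREQUIRED = 0x00000002
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x00000010
COMIMAGE_FLAGS_TRACKDEBUGDATA = 0x00010000

FLAG_NAMES = {
    COMIMAGE_FLAGS_ILONLY: "ILONLY",
    COMIMAGE_FLAGS_32BITREQUIRED: "32BITREQUIRED",
    COMIMAGE_FLAGS_STRONGNAMESIGNED: "STRONGNAMESIGNED",
    COMIMAGE_FLAGS_NATIVE_ENTRYPOINT: "NATIVE_ENTRYPOINT",
    COMIMAGE_FLAGS_TRACKDEBUGDATA: "TRACKDEBUGDATA",
}

# cb, MajorRuntimeVersion, MinorRuntimeVersion, then flags/token and 8 RVA+size pairs (72 bytes total)
CLI_HEADER = struct.Struct("<IHH16I")


def parse_cli_header(buf, offset=0):
    """Decode the CLI (CLR) header that PE data directory entry 14 points at."""
    f = CLI_HEADER.unpack_from(buf, offset)
    if f[0] != CLI_HEADER.size:
        raise ValueError("unexpected CLI header size %d" % f[0])
    return {
        "runtime": (f[1], f[2]),
        "metadata": (f[3], f[4]),             # RVA and size of the BSJB metadata root
        "flags": f[5],
        "entry_point_token": f[6],            # a MethodDef token (0x06 table) for managed entry points
        "resources": (f[7], f[8]),
        "strong_name_signature": (f[9], f[10]),
    }


def flag_names(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def strong_name_status(hdr):
    """Cross-check the STRONGNAMESIGNED flag against the signature directory.
    'signed' only means the header claims a signature; verifying it needs the public key from the
    Assembly table and a hash of the file, which is what sn.exe -vf does."""
    flag = bool(hdr["flags"] & COMIMAGE_FLAGS_STRONGNAMESIGNED)
    rva, size = hdr["strong_name_signature"]
    blob = rva != 0 and size != 0
    if flag and blob:
        return "signed"
    if not flag and not blob:
        return "unsigned"
    if blob:
        return "flag-cleared"       # signature space still reserved but flag stripped: the header was edited
    return "flag-without-blob"      # flag set but nothing to verify against


def make_cli_header(flags, sn_rva, sn_size):
    """Constructed CLI header bytes (sample values, not from a real binary)."""
    return CLI_HEADER.pack(CLI_HEADER.size, 2, 5,
                           0x2000, 0x1000,           # metadata RVA, size
                           flags,
                           0x06000001,               # entry point: MethodDef token, row 1
                           0, 0,                     # resources
                           sn_rva, sn_size,          # strong name signature
                           0, 0, 0, 0, 0, 0, 0, 0)   # code manager, vtable fixups, EAT jumps, native header


if __name__ == "__main__":
    for label, hdr_bytes in [
        ("signed", make_cli_header(COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED, 0x3000, 128)),
        ("flag stripped", make_cli_header(COMIMAGE_FLAGS_ILONLY, 0x3000, 128)),
        ("never signed", make_cli_header(COMIMAGE_FLAGS_ILONLY, 0, 0)),
    ]:
        hdr = parse_cli_header(hdr_bytes)
        print("%-14s flags=%s status=%s" % (label, flag_names(hdr["flags"]), strong_name_status(hdr)))
```

The "flag-cleared" case is the one worth alerting on in a software inventory: a vendor binary that shipped signed and now reports an empty flag with the signature directory still populated has been edited after the fact, whatever the file's version resource says.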
Locating toolbar
Adding new toolbar icon: Injecting IL
Toolbar, continued: new IL
IL_01ae: ldarg.0
IL_01af: ldarg.1
IL_01b0: call class [System.Drawing]System.Drawing.Image ns36.Class476::get_Nyan()
IL_01b5: ldstr "Nyan!"
IL_01ba: ldc.i4.0
IL_01bb: ldstr "Application.Nyan"
IL_01c0: call instance void ns30.Class269::method_29(class Reflector.ICommandBar, class [System.Drawing]System.Drawing.Image, string, valuetype [System.Windows.Forms]System.Windows.Forms.Keys, string)
IL_01c5: ldarg.1
IL_01c6: callvirt instance class Reflector.ICommandBarItemCollection Reflector.ICommandBar::get_Items()
IL_01cb: callvirt instance class Reflector.ICommandBarSeparator Reflector.ICommandBarItemCollection::AddSeparator()
IL_01d0: pop
Toolbar, continued: modifying inline resource
    Class511 typedService = (Class511) this.GetTypedService<ILanguageManager>();
    this.method_29(toolBar, Class476.Back, "&Back", Keys.Alt | Keys.Left, "AssemblyBrowser.GoBack");
    toolBar.Items.AddSeparator();
    this.method_29(toolBar, Class476.Open, "&Open...", Keys.Control | Keys.O, "Application.OpenFile");
    …
    toolBar.Items.AddSeparator();
    this.method_29(toolBar, Class476.Nyan, "Nyan!", Keys.None, "Application.Nyan");
    toolBar.Items.AddSeparator();
}
Locating event handler
private void method_26(ICommandBar toolBar) { if (toolBar != null) {
        dictionary1.Add("Application.OpenFile", 0);
        dictionary1.Add("Application.OpenCache", 1);
        dictionary1.Add("Application.OpenList", 2);
        dictionary1.Add("Application.CloseFile", 3);
        …
        Class722.dictionary_4 = dictionary1;
    }
    if (Class722.dictionary_4.TryGetValue(key, out num))
    {
        switch (num) {
            case 0: this.method_45(); break;
            case 1: this.method_46(); break;
            case 2: this.method_47(); break;
            …
        }
Event handler, continued
public void Execute(string commandName)
{
    string key = commandName;
    if (key != null)
    {
        int num;
        if (Class722.dictionary_4 == null)
        {
            Dictionary<string, int> dictionary1 = new Dictionary<string, int>(0x10);
            …
IL_01b8: ldarg.0
IL_01b9: call instance void ns30.Class269::method_65()
IL_01be: leave.s IL_01c8
IL_01c0: ldarg.0
IL_01c1: call instance void ns30.Class269::nyan()
IL_01c6: leave.s IL_01c8
Adding IL to Execute()
IL_00c1: ldc.i4.s 13
IL_00c3: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
IL_00c8: dup
IL_00c9: ldstr "Application.Deactivate"
IL_00ce: ldc.i4.s 14
IL_00d0: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
IL_00d5: dup
IL_00d6: ldstr "Application.Nyan"
IL_00db: ldc.i4.s 15
IL_00dd: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
Creating ns30.Class269::nyan()
ns30.Class269::nyan() CIL
.method private hidebysig
    instance void nyan () cil managed
{
    .maxstack 8
    IL_0000: newobj instance void [derp]derp.hurr::.ctor()
    IL_0005: callvirt instance void [derp]derp.hurr::showForm()
    IL_000a: ret
} // end of method Class269::nyan
Where are these classes implemented?
private void nyan()
{
    new hurr().showForm();
}
Adding new DLL to Reflector
…aaaaaand we’re done
Let’s launch it.
References and Resources
• Anatomy of a .NET Assembly
  • https://www.simple-talk.com/blogs/2011/03/16/anatomy-of-a-net-assembly-clr-metadata-1/
• CFF Explorer – PE Browser
  • http://www.ntcore.com/exsuite.php
• ILSpy Decompiler
  • http://ilspy.net/
• RedGate (SmartAssembly, Reflector, Obfuscation Checker)
  • http://www.red-gate.com/products/dotnet-development/
• Reflexil – RedGate plugin for CIL injection
  • http://reflexil.net/
• CodeSearch – RedGate plugin, does what it says
  • http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch
• De4dot Deobfuscator
  • https://bitbucket.org/0xd4d/de4dot/
Questions?
• Twitter: @aloria
• Email: george.sims@jukt-micronics.com
• Blog: http://jukt-micronics.com
Special thanks to: AP, CS, CV, BN, DDZ, EK, RL, SR, ZC, ZL and the fine folks at CompuServe for inventing GIF89a