.NET Reversing: The Framework, the Myth, the Legend (maple syrup edition)

Transcript of ".NET Reversing: The Framework, the Myth, the Legend (maple syrup edition)" (30 slides)

Page 1:

.NET Reversing: The Framework, the Myth, the Legend

(maple syrup edition)

Page 2:

This is the slide where I list my resume

• I do appsec for financial companies
• Not a consultant

• Wrote my first app in QBasic
• Microsoft 4 lyfe wut wut

• Curator of securityreactions.tumblr.com

• Staring at the sun made me crazy

Page 3:

Why .NET?

Current state of Java security

Page 4:

Pool’s closed

Source: http://www.veracode.com/blog/2013/04/the-history-of-programming-languages-infographic/

Page 5:

.NET – Common Language Infrastructure

Common Language Infrastructure

Thanks, Wikipedia

Page 6:

Common Intermediate Language

private void button1_Click(object sender, EventArgs e)
{
    MessageBox.Show("I am in a hell of my own creation");
}

.method private hidebysig instance void button1_Click (
    object sender,
    class [mscorlib]System.EventArgs e
) cil managed
{
    // Method begins at RVA 0x221f
    // Code size 13 (0xd)
    .maxstack 8

    IL_0000: nop
    IL_0001: ldstr "I am in a hell of my own creation"
    IL_0006: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    IL_000b: pop
    IL_000c: ret
} // end of method Form1::button1_Click

Page 7:

.NET PE File Format

Page 8:

PE Format - Metadata Streams

• #~ (metadata stream)
  • Predefined content and structure
  • Contains types, methods, fields, properties and events

• #Strings
  • Namespace, type, and member names

• #US (user string heap)
  • All strings embedded in source

• #GUID
  • Unique identifier

• #Blob (binary data heap)
  • Method signatures, generic instantiations

Page 9:

The #~ Stream: Metadata Tables

• 0x2: TypeDef, 0x4: FieldDef, 0x6: MethodDef, 0x14: EventDef, 0x17: PropertyDef
  • Types, fields, methods, events and properties

• 0x1: TypeRef
  • Referenced types defined in other assemblies

• 0xa: MemberRef
  • Referenced members of types defined in other assemblies

• 0x9: InterfaceImpl
  • Defined types and the interfaces that type implements

• 0xc: CustomAttribute
  • Info on attributes applied to elements in the assembly

• 0x18: MethodSemantics
  • Links properties and events with the methods that comprise the get/set or add/remove methods of the property or event

• 0x1b: TypeSpec, 0x2b: MethodSpec
  • Instantiations of generic types and methods
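The stream directory (slide 8) and the #~ table header (slide 9) can be walked with a handful of struct reads. The Python below is an added example, not code from the talk: it parses a constructed metadata blob (layout assumed per ECMA-335: a "BSJB" root, #~ and #Strings stream headers, and a #~ header whose 64-bit Valid mask selects the tables listed above) and reports which tables are present with their row counts.

```python
import struct
# Table ids from the slide (ECMA-335 II.22); 0x0 Module and 0x20 Assembly are standard too.
TABLE_NAMES = {0x0: "Module", 0x1: "TypeRef", 0x2: "TypeDef", 0x4: "FieldDef",
               0x6: "MethodDef", 0x9: "InterfaceImpl", 0xa: "MemberRef",
               0xc: "CustomAttribute", 0x14: "EventDef", 0x17: "PropertyDef",
               0x18: "MethodSemantics", 0x1b: "TypeSpec", 0x20: "Assembly", 0x2b: "MethodSpec"}

def parse_metadata_root(md):
    """Parse the CLI metadata root ('BSJB' header) and its stream headers -> {name: (offset, size)}."""
    sig, _major, _minor, _res, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:
        raise ValueError("not a CLI metadata root (missing BSJB signature)")
    version = md[16:16 + vlen].split(b"\0", 1)[0].decode("ascii")
    pos = 16 + vlen                           # vlen is already rounded up to 4 bytes
    _flags, nstreams = struct.unpack_from("<HH", md, pos)
    pos += 4
    streams = {}
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", md, pos)
        end = md.index(b"\0", pos + 8)        # stream name is NUL-terminated ASCII
        streams[md[pos + 8:end].decode("ascii")] = (off, size)
        pos = (end + 1 + 3) & ~3              # each header is padded to a 4-byte boundary
    return {"version": version, "streams": streams}

def parse_tables_stream(md, off):
    """Parse the #~ header: heap index widths plus which tables are present and their row counts."""
    _res, major, minor, heap_sizes, _res1, valid, _sorted = struct.unpack_from("<IBBBBQQ", md, off)
    pos, tables = off + 24, {}
    for tid in range(64):                     # one bit per table in the 64-bit Valid mask
        if valid >> tid & 1:
            rows, = struct.unpack_from("<I", md, pos)   # row counts follow, one per set bit
            tables[TABLE_NAMES.get(tid, "0x%x" % tid)] = rows
            pos += 4
    return {"version": "%d.%d" % (major, minor), "wide_strings": bool(heap_sizes & 1),
            "wide_guid": bool(heap_sizes & 2), "wide_blob": bool(heap_sizes & 4),
            "tables": tables}

def build_sample():
    """Constructed (not from a real binary) metadata blob: root, two stream headers, a tiny #~ stream."""
    version = b"v4.0.30319\0\0"               # 12 bytes: NUL-padded to a multiple of 4
    valid = (1 << 0x0) | (1 << 0x2) | (1 << 0x6) | (1 << 0x17)
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0)
    tables += struct.pack("<4I", 1, 3, 12, 2)  # rows: Module, TypeDef, MethodDef, PropertyDef
    root = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version
    root += struct.pack("<HH", 0, 2)          # flags, then two stream headers follow
    data_off = len(root) + 12 + 20            # "#~\0" pads to 4 bytes, "#Strings\0" pads to 12
    root += struct.pack("<II", data_off, len(tables)) + b"#~\0\0"
    root += struct.pack("<II", data_off + len(tables), 0) + b"#Strings\0\0\0\0"
    return root + tables
```

On a real assembly the same two functions run over the bytes at the metadata RVA named in the CLI (Cor20) header; an unexpected table set or row count there is a quick tamper check.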

Page 10:

Browsing a .NET PE: CFF Explorer

#~: MethodDef tables

Page 11:

#Strings Tables

Page 12:

I heard you like mudkips obfuscators

Columns: SmartAssembly | Agile.NET | dotFuscator | Crypto Obfuscator | Your Mom

String Encryption X X X X

Dependency Merging X X

Method Parent Obfuscation X

Control Flow Obfuscation X X X X

Filthy Tramp X

Symbol Renaming X X X

Tamper Detection X X X

Resource Encryption X X X

Assembly Encryption X

Page 13:

:(

:|

…I’ll just leave this here

Page 14:

Overcoming Obfuscation

• Symbol Renaming
  • Not possible if the original symbols are not in the assembly
  • Can convert unprintable names to something resembling English

• Decryption

• Removal of proxy code / junk classes

• Removal of tamper detection

• Move methods back to their original classes

• “Sometimes, dead is better.”

Page 15:

Proof of Concept: Reversing Reflector

Page 16:

Goal: Add new functionality to existing binary

• To Do:
  • Remove strong name signing to permit modification
  • Identify where toolbar is created and icons defined
  • Create new icon
  • Locate event handler for icon click event
  • Create new event handler
  • Inject DLL containing our new functionality
  • Have our new event handler reference this code

Page 17:

Strong Name Signing

Page 18:

Locating toolbar

Page 19:

Adding new toolbar icon: Injecting IL

Page 20:

Toolbar, continued: new IL

IL_01ae: ldarg.0
IL_01af: ldarg.1
IL_01b0: call class [System.Drawing]System.Drawing.Image ns36.Class476::get_Nyan()
IL_01b5: ldstr "Nyan!"
IL_01ba: ldc.i4.0
IL_01bb: ldstr "Application.Nyan"
IL_01c0: call instance void ns30.Class269::method_29(class Reflector.ICommandBar, class [System.Drawing]System.Drawing.Image, string, valuetype [System.Windows.Forms]System.Windows.Forms.Keys, string)
IL_01c5: ldarg.1
IL_01c6: callvirt instance class Reflector.ICommandBarItemCollection Reflector.ICommandBar::get_Items()
IL_01cb: callvirt instance class Reflector.ICommandBarSeparator Reflector.ICommandBarItemCollection::AddSeparator()
IL_01d0: pop

Page 21:

Toolbar continued: Modifying inline resource

Page 22:

Locating event handler

private void method_26(ICommandBar toolBar)
{
    if (toolBar != null)
    {
        Class511 typedService = (Class511) this.GetTypedService<ILanguageManager>();
        this.method_29(toolBar, Class476.Back, "&Back", Keys.Alt | Keys.Left, "AssemblyBrowser.GoBack");
        toolBar.Items.AddSeparator();
        this.method_29(toolBar, Class476.Open, "&Open...", Keys.Control | Keys.O, "Application.OpenFile");
        …
        toolBar.Items.AddSeparator();
        this.method_29(toolBar, Class476.Nyan, "Nyan!", Keys.None, "Application.Nyan");
        toolBar.Items.AddSeparator();
    }
}

Page 23:

Event handler, continued

public void Execute(string commandName)
{
    string key = commandName;
    if (key != null)
    {
        int num;
        if (Class722.dictionary_4 == null)
        {
            Dictionary<string, int> dictionary1 = new Dictionary<string, int>(0x10);
            dictionary1.Add("Application.OpenFile", 0);
            dictionary1.Add("Application.OpenCache", 1);
            dictionary1.Add("Application.OpenList", 2);
            dictionary1.Add("Application.CloseFile", 3);
            …
            Class722.dictionary_4 = dictionary1;
        }
        if (Class722.dictionary_4.TryGetValue(key, out num))
        {
            switch (num)
            {
                case 0: this.method_45(); break;
                case 1: this.method_46(); break;
                case 2: this.method_47(); break;
            }
        }
    }
}

Page 24:

Adding IL to Execute()

IL_00c1: ldc.i4.s 13
IL_00c3: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
IL_00c8: dup
IL_00c9: ldstr "Application.Deactivate"
IL_00ce: ldc.i4.s 14
IL_00d0: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)
IL_00d5: dup
IL_00d6: ldstr "Application.Nyan"
IL_00db: ldc.i4.s 15
IL_00dd: call instance void class [mscorlib]System.Collections.Generic.Dictionary`2<string, int32>::Add(!0, !1)

IL_01b8: ldarg.0
IL_01b9: call instance void ns30.Class269::method_65()
IL_01be: leave.s IL_01c8

IL_01c0: ldarg.0
IL_01c1: call instance void ns30.Class269::nyan()
IL_01c6: leave.s IL_01c8

Page 25:

Creating ns30.Class269::nyan()

Page 26:

ns30.Class269::nyan() CIL

.method private hidebysig instance void nyan () cil managed
{
    .maxstack 8

    IL_0000: newobj instance void [derp]derp.hurr::.ctor()
    IL_0005: callvirt instance void [derp]derp.hurr::showForm()
    IL_000a: ret
}

private void nyan()
{
    new hurr().showForm();
}

Where are these classes implemented?

Page 27:

Adding new DLL to Reflector

Page 28:

…aaaaaand we’re done. Let’s launch it.

Page 29:

References and Resources

• Anatomy of a .NET Assembly
  https://www.simple-talk.com/blogs/2011/03/16/anatomy-of-a-net-assembly-clr-metadata-1/

• CFF Explorer – PE Browser
  http://www.ntcore.com/exsuite.php

• ILSpy Decompiler
  http://ilspy.net/

• RedGate (SmartAssembly, Reflector, Obfuscation Checker)
  http://www.red-gate.com/products/dotnet-development/

• Reflexil – RedGate plugin for CIL injection
  http://reflexil.net/

• CodeSearch – RedGate plugin, does what it says
  http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch

• De4dot Deobfuscator
  https://bitbucket.org/0xd4d/de4dot/

Page 30:

Questions?

• Twitter: @aloria

• Email: [email protected]

• Blog: http://jukt-micronics.com

Special thanks to: AP, CS, CV, BN, DDZ, EK, RL, SR, ZC, ZL and the fine folks at CompuServe for inventing GIF89a