1
.NET Framework: Backdoors
Erez Metula Presentation: Saffi Keisari
2
Content
.Net Framework Rootkit
.Net Framework Overview
Steps & Tools for changing the Framework (Rootkit Examples)
Using .Net Tools
Another Example
.Net vs. Java
.Net Sploit Tool
Questions
3
.Net Framework RootKits
A rootkit is a software system designed to obscure the fact that a system has been changed. It requires prior administrator access to execute, and it tampers with system files and processes. Typically, rootkits obscure their presence on the system by subverting or evading the standard operating system security scans. There are at least five kinds of rootkits: firmware, hypervisor, kernel, library, and application level kits. (Wiki)
4
Malware development scenarios
Changing a language's class libraries can lead to some very interesting attacks:
• Code manipulation, API hooking
• Authentication backdoors
• Sensitive data theft
• Resource hiding (file, process, port…)
• Covert channels / reverse shells
• Proxy (bouncer), DNS fixation, MitM…
• Polymorphism attacks
• Disabling security mechanisms
5
Overview of the Common Language Infrastructure
6
.NET Framework Architecture
(diagram: IL → DLL)
7
.Net GAC
Each computer where the common language runtime is installed has a machine-wide code cache called the global assembly cache. The global assembly cache stores assemblies specifically designated to be shared by several applications on the computer. (MSDN)
A DLL in the GAC is identified by 5 parts: Name, Version, Architecture, Culture, Public Key.
8
Steps & Tools for changing the Framework
(1) Locate the DLL in the GAC and copy it outside
(2) Analyze the DLL
(3) Decompile the DLL using ildasm
(4) Modify the MSIL code
(5) Recompile to a new DLL using ilasm
(6) Bypass the GAC strong name protection
(7) Revert from the NGEN native DLL
(8) Deploy the new DLL, overwriting the original
9
Using .Net Tools
Filemon – locating which DLLs are used and their location in the GAC (replaced by Process Monitor from Sysinternals)
Reflector – analyzing the DLL code
Ilasm – compiling (MSIL to DLL)
Ildasm – decompiling (DLL to MSIL)
Text editor – modifying the MSIL code (Notepad++)
Ngen – native compiler
10
(1) Locate the DLL (diagram: C# → IL → DLL)
11
(2) analyzing the DLL code - Reflector (C#)
12
(2) analyzing the DLL code - Reflector (IL)
13
(3) Decompile the DLL – Using ILDASM
ildasm /OUT=mscorlib.dll.il /NOBAR /LINENUM /SOURCE c:\Windows\assembly\GAC_32\mscorlib\ __b77a5c561934e089\mscorlib.dll

The disassembled Console::WriteLine (the slide callouts mark the method signature, the stack size and the MSIL body):

.method public hidebysig static void WriteLine(string 'value') cil managed
{
  .permissionset linkcheck = {class 'System.Security.Permissions.HostProtectionAttribute, mscorlib, Version= , Culture=neutral, PublicKeyToken=b77a5c561934e089' = {property bool 'UI' = bool(true)}}
  // Code size (0xc)
  .maxstack 8
  IL_0000: call class System.IO.TextWriter System.Console::get_Out()
  IL_0005: ldarg.0
  IL_0006: callvirt instance void System.IO.TextWriter::WriteLine(string)
  IL_000b: ret
} // end of method Console::WriteLine
14
(4) Modify the MSIL Code
The same method after the edit: the call / ldarg.0 / callvirt sequence is duplicated so that every Console.WriteLine writes its argument twice, the instruction offsets are renumbered, and the stack size is raised to 16:

.method public hidebysig static void WriteLine(string 'value') cil managed
{
  .permissionset linkcheck = {class 'System.Security.Permissions.HostProtectionAttribute, mscorlib, Version= , Culture=neutral, PublicKeyToken=b77a5c561934e089' = {property bool 'UI' = bool(true)}}
  // Code size (0x17)
  .maxstack 16
  IL_0000: call class System.IO.TextWriter System.Console::get_Out()
  IL_0005: ldarg.0
  IL_0006: callvirt instance void System.IO.TextWriter::WriteLine(string)
  IL_000b: call class System.IO.TextWriter System.Console::get_Out()
  IL_0010: ldarg.0
  IL_0011: callvirt instance void System.IO.TextWriter::WriteLine(string)
  IL_0016: ret
} // end of method Console::WriteLine
15
(5) Recompile to new DLL – Using ILASM
ILASM /DEBUG /DLL /QUIET /OUTPUT=mscorlib.dll mscorlib.dll.il
Try to copy it into the GAC library, but…
16
(6) Copy new DLL to GAC Library
copy mscorlib.dll c:\WINDOWS\assembly\GAC_32\mscorlib\ __b77a5c561934e089\
17
(6) My Computer Account - Administrator
18
(6) Bypass the GAC strong name protection
What are strong names? (See the Strong Name slides at the end.)
The .NET assembly loader does not verify an assembly when loading it from the GAC, so a DLL that has been overwritten in place is loaded without its signature ever being checked.
19
(7) Reverting back from NGEN Native DLL
There is a caching mechanism that uses a pre-compiled native image of the original mscorlib.dll (the old version). Run the following on the command line:
>ngen uninstall mscorlib
>rd /s /q c:\WINDOWS\assembly\NativeImages_v _32\mscorlib
20
(8) Deploy the new DLL (overwriting)
Run the application
21
Another Example
So far we changed an existing method in the .Net Framework.
Now we will add a new method to the .Net Framework.
22
Another Example (Continued)
23
Another Example (Continued): Hooking into “FormsAuthentication::Authenticate()” (.NET/Windows)
24
.Net RootKits
25
Java RootKits
26
.Net Vs. Java
27
.Net Sploit Tool
28
Questions ?
29
Strong Name Sign Tool
Strong names guarantee name uniqueness by relying on unique key pairs.
Strong names protect the version lineage of an assembly.
Strong names provide a strong integrity check.
Syntax: sn [-quiet][option [parameter(s)]]
30
.Net Assembly - Strong Name Signing
31
.Net Assembly - Strong Name Signing
What does it mean to sign an assembly?
.NET uses digital signatures to verify the integrity of an assembly. The signatures are generated and verified using public key cryptography, specifically the RSA public key algorithm and the SHA-1 hash algorithm. The developer uses a pair of cryptographic keys: a public key, which everyone can see, and a private key, which the developer must keep secret.
How do I sign an assembly?
When you compile your assembly with a strong name key file, the compiler digitally signs the assembly:
1. The compiler calculates the cryptographic digest (a hash) of your assembly contents. This is known as the compile-time digest. Modifying just a single byte of your assembly will change this hash value.
2. The compiler encrypts the digest using the 1024-bit private key from your public-private key pair file.
3. The compiler then stores the encrypted digest and the public key in the assembly.
32
.Net Assembly - Strong Name Signing
How does the system verify a signed assembly?
Sometime later, when an application attempts to load your signed assembly:
1. The .NET assembly loader calculates the cryptographic digest of the current assembly contents. This is known as the run-time digest.
2. The loader extracts the stored compile-time digest and public key from the assembly.
3. The loader uses the public key to decrypt the compile-time digest.
4. The loader then compares the run-time digest with the decrypted compile-time digest to ensure they match. If they do not match, the assembly has been modified since you compiled it, and the assembly load fails.
This process is different when loading shared assemblies from the GAC. Because assemblies are verified when they are first installed into the GAC, and they cannot be modified while in the GAC, the .NET assembly loader does not verify an assembly when loading it from the GAC. This can improve the startup speed of your application if you load many shared assemblies.
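Added illustration (not from the slides or from Metula's tooling) of the verification flow just described and of the loader policy that the deployment steps (6) to (8) rely on: the check runs once at GAC install time, a GAC load skips it, and an in-place overwrite is therefore loaded unchecked until something re-verifies the file, which is the job `sn -vf` does on a real GAC. HMAC-SHA256 stands in for the RSA-over-SHA-1 signature because the Python standard library has no RSA; the key, file names and "IL" strings are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed publisher key (stand-in for the RSA key pair): the private
# half signs at compile time, the public half travels inside the assembly.
PUBLISHER_KEY = b"constructed-strong-name-key"
SIG_LEN = 32

def digest(body: bytes) -> bytes:
    """Compile-time / run-time digest of the assembly contents."""
    return hashlib.sha256(body).digest()

def sign(body: bytes) -> bytes:
    """Compile time: append a signature over the digest (HMAC stands in for RSA)."""
    return body + hmac.new(PUBLISHER_KEY, digest(body), "sha256").digest()

def verify(signed: bytes) -> bool:
    """Recompute the run-time digest and compare it with the signed one."""
    body, sig = signed[:-SIG_LEN], signed[-SIG_LEN:]
    expected = hmac.new(PUBLISHER_KEY, digest(body), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def install_to_gac(gac_dir: str, name: str, signed: bytes) -> None:
    """GAC install: the only point at which the loader policy verifies."""
    if not verify(signed):
        raise ValueError(f"{name}: strong-name verification failed")
    with open(os.path.join(gac_dir, name), "wb") as f:
        f.write(signed)

def load_from_gac(gac_dir: str, name: str) -> bytes:
    """Loader policy from the slides: a GAC load skips verification."""
    with open(os.path.join(gac_dir, name), "rb") as f:
        return f.read()

def audit_gac(gac_dir: str) -> list:
    """Defender's re-check (what 'sn -vf' does on a real GAC): every file."""
    return [n for n in sorted(os.listdir(gac_dir))
            if not verify(load_from_gac(gac_dir, n))]

def demo() -> tuple:
    """Install a signed assembly, overwrite it in place, observe both checks."""
    gac = tempfile.mkdtemp()
    install_to_gac(gac, "mscorlib.dll", sign(b"IL: WriteLine once"))
    # Step (8) in-place overwrite: the recompiled DLL has no valid publisher signature.
    with open(os.path.join(gac, "mscorlib.dll"), "wb") as f:
        f.write(b"IL: WriteLine twice" + b"\0" * SIG_LEN)
    loaded = load_from_gac(gac, "mscorlib.dll")    # succeeds, no check made
    return loaded.startswith(b"IL: WriteLine twice"), verify(loaded), audit_gac(gac)
```

`demo()` returns (True, False, ["mscorlib.dll"]): the swapped file loads, fails an explicit verification, and is the one the audit flags.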