Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1 of 22

Unpack your troubles*: .NET packer tricks and countermeasures

3

Share

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

*https://en.wikipedia.org/wiki/Pack_Up_Your_Troubles_in_Your_Old_Kit-Bag

Related Books

Free with a 30 day trial from Scribd

See all

Unpack your troubles*: .NET packer tricks and countermeasures

  1. 1. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung ESET, Poland
  2. 2. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung hartung@eset.pl Eset Poland At Eset: programmer in the Software Protectors Analysis & Unpacking Team Other: motorbiker, mountain hiker, climber
  3. 3. Outline • Object-oriented file format • .NET analysing • LoadAssembly • UserString • API
  4. 4. Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ...
  5. 5. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names
  6. 6. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names 6F 04 00 00 06 token MethodDef table 4th entry in the table opcode
  7. 7. Analysing .NET samples • Static analysis (decompilers) good for non-protected samples, bad (or imposible) for obfuscation • Deobfuscators support for every new version problem with patched or custom packers
  8. 8. Analysing .NET samples • Debugging symbols, runtime sources winDbg + sos.dll plugin (!bpmd, !dumpmd) • Other emulating, profiling, ...
  9. 9. Packer – next layer loading • Like old-fashioned native packer - decrypt & execute next layer • .NET has special API – Assembly.Load() (some packers, bladabindi malware family, ...) wikipedia.org
  10. 10. Packer – next layer loading Assembly.Load() – solution – catching next layer MZ during loading bp mscorwks!CLRMapViewOfFileEx + 0x26 "da eax" / bp clr!AssemblyNative::LoadFromBuffer "dd (edx - 4) l1; da edx" mscorwks – .NET ~v2.0 - 2.0.50727 clr – .NET ~v4.0 - 4.0.30319
  11. 11. Packer – next layer loading next hint (AV): Loaded MZ is kept in memory – it can be monitored: • New-allocated memory region • Mapped, RW • MZ at the begin Probably it is executable loaded with a call to Assembly.Load() 
  12. 12. User strings 72 01 00 00 70 token UserString position in #US stream opcode #US (UserString stream):
  13. 13. User strings - obfuscation • Every ldstr opcode is changed into call to decrypt method. • Crypted strings are kept in:  Manifest resources  Static data fields  #US stream (crypted) What do the packers do?
  14. 14. User strings - obfuscation DecryptString methods are similar – they use: o !bpmd mscorlib.dll System.String.CreateStringFromEncoding (confusers, eziriz, smartAssembly, cryptoobfuscator, codewall) o !bpmd mscorlib.dll System.String.Intern (yano, babel) o !bpmd mscorlib.dll System.Text.StringBuilder.ToString * (deepsee) * used also by runtime !bpmd – (sos.dll) breakpoint for NGENed method Ngen.exe - The Native Image Generator
  15. 15. User strings - obfuscation Classic strings (ldstr opcode) • bp mscorwks!GlobalStringLiteralMap::GetStringLiteral bp clr!StringLiteralMap::GetStringLiteral
  16. 16. API – in CIL code Obfuscation: • Hide CIL code  Restore with Module::.cctor()  Restore with CompileMethod() hook • Flow obfuscation  Confuse decompilation and byte patterns
  17. 17. RE: Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ... The CIL is crypted in executable The code must be ready for JIT
  18. 18. API – in CIL code Hide CIL code - solution – catching API during JIT resolving bp mscorwks!MethodTable::MapMethodDeclToMethodImpl "!dumpmd dwo (esp+4)" bp clr!MethodTable::MapMethodDeclToMethodImpl "!dumpmd ecx" sos.dll
  19. 19. How to use it? • Windbg scripts https://bitbucket.org/marcin_hartung/vb_unpackyourtroubles • VB whitepaper
  20. 20. How to use it? • Next work – standalone analyser (with hooking) • Internal runtime methods – hook by byte patterns • !bpmd problem – NGENed functions (undocumented, complicated) • !dumpmd problem – Method Descriptor object must be parsed
  21. 21. References • CFF explorer • ILSpy • Msdn • .NET sources More in the whitepaper...
  22. 22. Thanks!

×