Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
UNPACK YOUR TROUBLES:
.NET PACKER TRICKS AND
COUNTERMEASURES
Marcin Hartung
ESET, Poland
UNPACK YOUR TROUBLES:
.NET PACKER TRICKS AND COUNTERMEASURES
Marcin Hartung
hartung@eset.pl
Eset Poland
At Eset: programme...
Outline
• Object-oriented file format
• .NET analysing
• LoadAssembly
• UserString
• API
Object-oriented file format
Source code
(C#)
Compiler
CIL
(Common Intermediate
Language)
Native code
JIT (Just-
in-time)
C...
Object-oriented file format
Program structure is kept in executable:
• Object (classes, methods, fields) in tables
• Refer...
Object-oriented file format
Program structure is kept in executable:
• Object (classes, methods, fields) in tables
• Refer...
Analysing .NET samples
• Static analysis (decompilers)
good for non-protected samples,
bad (or imposible) for obfuscation
...
Analysing .NET samples
• Debugging
symbols, runtime sources
winDbg + sos.dll plugin (!bpmd, !dumpmd)
• Other
emulating, pr...
Packer – next layer loading
• Like old-fashioned native packer - decrypt & execute next layer
• .NET has special API – Ass...
Packer – next layer loading
Assembly.Load() – solution – catching next layer MZ during loading
bp mscorwks!CLRMapViewOfFil...
Packer – next layer loading
next hint (AV):
Loaded MZ is kept in memory – it can be monitored:
• New-allocated memory regi...
User strings
72 01 00 00 70 token
UserString
position in #US stream
opcode
#US (UserString stream):
User strings - obfuscation
• Every ldstr opcode is changed into call to decrypt method.
• Crypted strings are kept in:
 M...
User strings - obfuscation
DecryptString methods are similar – they use:
o !bpmd mscorlib.dll System.String.CreateStringFr...
User strings - obfuscation
Classic strings (ldstr opcode)
• bp mscorwks!GlobalStringLiteralMap::GetStringLiteral 
bp clr!S...
API – in CIL code
Obfuscation:
• Hide CIL code
 Restore with Module::.cctor()
 Restore with CompileMethod() hook
• Flow ...
RE: Object-oriented file format
Source code
(C#)
Compiler
CIL
(Common Intermediate
Language)
Native code
JIT (Just-
in-tim...
API – in CIL code
Hide CIL code - solution – catching API during JIT resolving
bp mscorwks!MethodTable::MapMethodDeclToMet...
How to use it?
• Windbg scripts
https://bitbucket.org/marcin_hartung/vb_unpackyourtroubles
• VB whitepaper
How to use it?
• Next work – standalone analyser (with hooking)
• Internal runtime methods – hook by byte patterns
• !bpmd...
References
• CFF explorer
• ILSpy
• Msdn
• .NET sources
More in the whitepaper...
Thanks!
Upcoming SlideShare
Loading in …5
×

Unpack your troubles*: .NET packer tricks and countermeasures

6,794 views

Published on

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

*https://en.wikipedia.org/wiki/Pack_Up_Your_Troubles_in_Your_Old_Kit-Bag

Unpack your troubles*: .NET packer tricks and countermeasures

  1. 1. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung ESET, Poland
  2. 2. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung hartung@eset.pl Eset Poland At Eset: programmer in the Software Protectors Analysis & Unpacking Team Other: motorbiker, mountain hiker, climber
  3. 3. Outline • Object-oriented file format • .NET analysing • LoadAssembly • UserString • API
  4. 4. Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ...
  5. 5. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names
  6. 6. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names 6F 04 00 00 06 token MethodDef table 4th entry in the table opcode
  7. 7. Analysing .NET samples • Static analysis (decompilers) good for non-protected samples, bad (or imposible) for obfuscation • Deobfuscators support for every new version problem with patched or custom packers
  8. 8. Analysing .NET samples • Debugging symbols, runtime sources winDbg + sos.dll plugin (!bpmd, !dumpmd) • Other emulating, profiling, ...
  9. 9. Packer – next layer loading • Like old-fashioned native packer - decrypt & execute next layer • .NET has special API – Assembly.Load() (some packers, bladabindi malware family, ...) wikipedia.org
  10. 10. Packer – next layer loading Assembly.Load() – solution – catching next layer MZ during loading bp mscorwks!CLRMapViewOfFileEx + 0x26 "da eax" / bp clr!AssemblyNative::LoadFromBuffer "dd (edx - 4) l1; da edx" mscorwks – .NET ~v2.0 - 2.0.50727 clr – .NET ~v4.0 - 4.0.30319
  11. 11. Packer – next layer loading next hint (AV): Loaded MZ is kept in memory – it can be monitored: • New-allocated memory region • Mapped, RW • MZ at the begin Probably it is executable loaded with a call to Assembly.Load() 
  12. 12. User strings 72 01 00 00 70 token UserString position in #US stream opcode #US (UserString stream):
  13. 13. User strings - obfuscation • Every ldstr opcode is changed into call to decrypt method. • Crypted strings are kept in:  Manifest resources  Static data fields  #US stream (crypted) What do the packers do?
  14. 14. User strings - obfuscation DecryptString methods are similar – they use: o !bpmd mscorlib.dll System.String.CreateStringFromEncoding (confusers, eziriz, smartAssembly, cryptoobfuscator, codewall) o !bpmd mscorlib.dll System.String.Intern (yano, babel) o !bpmd mscorlib.dll System.Text.StringBuilder.ToString * (deepsee) * used also by runtime !bpmd – (sos.dll) breakpoint for NGENed method Ngen.exe - The Native Image Generator
  15. 15. User strings - obfuscation Classic strings (ldstr opcode) • bp mscorwks!GlobalStringLiteralMap::GetStringLiteral bp clr!StringLiteralMap::GetStringLiteral
  16. 16. API – in CIL code Obfuscation: • Hide CIL code  Restore with Module::.cctor()  Restore with CompileMethod() hook • Flow obfuscation  Confuse decompilation and byte patterns
  17. 17. RE: Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ... The CIL is crypted in executable The code must be ready for JIT
  18. 18. API – in CIL code Hide CIL code - solution – catching API during JIT resolving bp mscorwks!MethodTable::MapMethodDeclToMethodImpl "!dumpmd dwo (esp+4)" bp clr!MethodTable::MapMethodDeclToMethodImpl "!dumpmd ecx" sos.dll
  19. 19. How to use it? • Windbg scripts https://bitbucket.org/marcin_hartung/vb_unpackyourtroubles • VB whitepaper
  20. 20. How to use it? • Next work – standalone analyser (with hooking) • Internal runtime methods – hook by byte patterns • !bpmd problem – NGENed functions (undocumented, complicated) • !dumpmd problem – Method Descriptor object must be parsed
  21. 21. References • CFF explorer • ILSpy • Msdn • .NET sources More in the whitepaper...
  22. 22. Thanks!

×