Successfully reported this slideshow.
Your SlideShare is downloading. ×

Unpack your troubles*: .NET packer tricks and countermeasures

Sep. 30, 2015
3 likes 15,747 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
Loading in …3
×

Check these out next

Malware analysis
Prakashchand Suthar
How Safe is your Link ?
Peter Hlavaty
BPotter-L1-05
webuploader
I Know You Want Me - Unplugging PlugX
Takahiro Haruyama
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
1 of 22 Ad

Unpack your troubles*: .NET packer tricks and countermeasures

Sep. 30, 2015
3 likes 15,747 views
Presentations & Public Speaking

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

*https://en.wikipedia.org/wiki/Pack_Up_Your_Troubles_in_Your_Old_Kit-Bag

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

*https://en.wikipedia.org/wiki/Pack_Up_Your_Troubles_in_Your_Old_Kit-Bag

Presentations & Public Speaking
License: CC Attribution-ShareAlike License
Advertisement

Recommended

Bootkits: Past, Present & Future - Virus Bulletin
ESET
16.1k views
44 slides
Is Linux/Moose endangered or extinct?
ESET
15.9k views
55 slides
Basic Malware Analysis
Albert Hui
4.3k views
20 slides
Malware analysis using volatility
Yashashree Gund
8.1k views
17 slides
Next Generation Memory Forensics
Andrew Case
2k views
41 slides
One-Byte Modification for Breaking Memory Forensic Analysis
Takahiro Haruyama
3.9k views
61 slides
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
4k views
57 slides
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
15.5k views
29 slides
Advertisement

More Related Content

Slideshows for you (20)

Malware analysis
Prakashchand Suthar
2.8k views
How Safe is your Link ?
Peter Hlavaty
1.2k views
BPotter-L1-05
webuploader
594 views
I Know You Want Me - Unplugging PlugX
Takahiro Haruyama
6.6k views
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
1.6k views
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
2.9k views
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
29.4k views
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
19k views
Fighting Malware Without Antivirus
EnergySec
1.9k views
Hacking - high school intro
Peter Hlavaty
1.3k views
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat Security Conference
585 views
Code Injection in Windows
n|u - The Open Security Community
4.1k views
Memory Analysis of the Dalvik (Android) Virtual Machine
Andrew Case
2.9k views
openioc_scan - IOC scanner for memory forensics
Takahiro Haruyama
5.4k views
Winnti Polymorphism
Takahiro Haruyama
1.1k views
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
590 views
Practical Malware Analysis Ch12
Sam Bowne
1.2k views
Two-For-One Talk: Malware Analysis for Everyone
Paul Melson
1.8k views
Process injection - Malware style
Sander Demeester
9.4k views
Software Security : From school to reality and back!
Peter Hlavaty
1.6k views
Malware analysis
Prakashchand Suthar
2.8k views
39 slides
How Safe is your Link ?
Peter Hlavaty
1.2k views
37 slides
BPotter-L1-05
webuploader
594 views
26 slides
I Know You Want Me - Unplugging PlugX
Takahiro Haruyama
6.6k views
185 slides
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
1.6k views
30 slides
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
2.9k views
27 slides

Similar to Unpack your troubles*: .NET packer tricks and countermeasures (20)

Sql Bits Sql Server Crash Dump Analysis
Pablo Alvarez Doval
2k views
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
8.7k views
Runtime Environment Of .Net Divya Rathore
Esha Yadav
484 views
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
745 views
10. .net framework overview gnanasekaran
Gnanasekaran Natarajan
286 views
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
3.3k views
ASP.NET Session 2
Sisir Ghosh
775 views
Intro to .NET and Core C#
Jussi Pohjolainen
1.5k views
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
3.7k views
Introduction to Malware Analysis
Andrew McNicol
8.2k views
02 direct3 d_pipeline
Girish Ghate
1.9k views
Week1 Electronic System-level ESL Design and SystemC Begin
敬倫 林
2.6k views
Dmitriy D1g1 Evdokimov - DBI Intro
DefconRussia
909 views
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
1.1k views
C101 – Intro to Programming with C
gpsoft_sk
1.6k views
嵌入式Linux課程-GNU Toolchain
艾鍗科技
2.4k views
Webinar alain-2009-03-04-clamav
thc2cat
724 views
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
991 views
Metaprogramming by brandon
MaslowB
319 views
Introduction to .NET
Joni
96 views
Sql Bits Sql Server Crash Dump Analysis
Pablo Alvarez Doval
2k views
33 slides
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
8.7k views
72 slides
Runtime Environment Of .Net Divya Rathore
Esha Yadav
484 views
45 slides
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
745 views
78 slides
10. .net framework overview gnanasekaran
Gnanasekaran Natarajan
286 views
49 slides
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
3.3k views
93 slides
Advertisement

More from ESET (20)

ESET Cybersecurity students
ESET
4.4k views
ESET Cybersecurity training
ESET
2.3k views
How to implement a robust information security management system?
ESET
9.5k views
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
ESET
2.6k views
Visiting the Bear Den
ESET
17.2k views
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
ESET
16.1k views
ESET Quick Guide to the EU General Data Protection Regulation
ESET
1.9k views
Operation Buhtrap - AVAR 2015
ESET
15.7k views
Advanced Persistent Threats
ESET
2.1k views
Shopping Online
ESET
3.9k views
Banking Online
ESET
2.6k views
Is Anti-Virus Dead?
ESET
873 views
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET
2.7k views
ESET: Delivering Benefits to Enterprises
ESET
943 views
ESET: Delivering Benefits to Medium and Large Businesses
ESET
832 views
#DoMore with ESET
ESET
993 views
2014: Mid-Year Threat Review
ESET
2.2k views
Learn more about ESET and our soulutions for mobile platforms
ESET
893 views
Trends for 2014: The Challenge of Internet Privacy
ESET
1.1k views
ESET Technology From
ESET
758 views
ESET Cybersecurity students
ESET
4.4k views
5 slides
ESET Cybersecurity training
ESET
2.3k views
5 slides
How to implement a robust information security management system?
ESET
9.5k views
1 slide
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
ESET
2.6k views
1 slide
Visiting the Bear Den
ESET
17.2k views
229 slides
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
ESET
16.1k views
27 slides

Recently uploaded (20)

How to be good learner.pptx
DevangSPSingh
5 views
lesson-7-revival,-reformation,-and-evangelism.ppt
BrodrickBourne1
1 view
Cognitive Radio IT Powerpoint Presentation Slides
SlideTeam
7 views
Short Story.ppt
ayu dharma
0 views
CHAPTER 1C SENSES OF THE SELF.pptx
ChristianneVentura
0 views
Nurnberg - Kai Stenberg - Teams voice Past, present and future - 2023.pptx
Kai Stenberg
16 views
Up (Disney/Pixar Up)
robertpolanco7
0 views
UKOUG2018 - I Know what you did Last Summer [in my Database].pptx
Marco Gralike
5 views
PL Message-4.pptx
FamilyWorshipCenterD
0 views
CHAPTER 4 DEONTOLOGY (Duty and Agency AND Autonomy and Universalizalibility)....
ChristianneVentura
0 views
CHAPTER 2 UTILITARIANISM.pptx
ChristianneVentura
0 views
PHLT411_2_Project Processes & Constraints_SP23.pdf
GregJohnson457152
2 views
1-The-Teaching-of-Science.pptx
ssuser315e451
3 views
Vaccine Research by Slidesgo.pptx
NarasimhaiahNarahari
0 views
SEO And Social Media Marketing Strategy For Successful Marketing Campaign Com...
SlideTeam
8 views
Census of India 2011-Houses, Household Amenities And Assets Data 2011 - Visua...
AbhijitDas359978
2 views
CHAPTER 1B SOURCES OF AUTHORITY.pptx
ChristianneVentura
0 views
A true LEADER poem.docx
EricaLumambaTabios
4 views
avalanchephotodid.pptx
sainnrg
3 views
TMTM Takeaways
PhilippSchindera
0 views
How to be good learner.pptx
DevangSPSingh
5 views
8 slides
lesson-7-revival,-reformation,-and-evangelism.ppt
BrodrickBourne1
1 view
26 slides
Cognitive Radio IT Powerpoint Presentation Slides
SlideTeam
7 views
77 slides
Short Story.ppt
ayu dharma
0 views
35 slides
CHAPTER 1C SENSES OF THE SELF.pptx
ChristianneVentura
0 views
5 slides
Nurnberg - Kai Stenberg - Teams voice Past, present and future - 2023.pptx
Kai Stenberg
16 views
25 slides
Advertisement

Unpack your troubles*: .NET packer tricks and countermeasures

  1. 1. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung ESET, Poland
  2. 2. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung hartung@eset.pl Eset Poland At Eset: programmer in the Software Protectors Analysis & Unpacking Team Other: motorbiker, mountain hiker, climber
  3. 3. Outline • Object-oriented file format • .NET analysing • LoadAssembly • UserString • API
  4. 4. Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ...
  5. 5. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names
  6. 6. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names 6F 04 00 00 06 token MethodDef table 4th entry in the table opcode
  7. 7. Analysing .NET samples • Static analysis (decompilers) good for non-protected samples, bad (or imposible) for obfuscation • Deobfuscators support for every new version problem with patched or custom packers
  8. 8. Analysing .NET samples • Debugging symbols, runtime sources winDbg + sos.dll plugin (!bpmd, !dumpmd) • Other emulating, profiling, ...
  9. 9. Packer – next layer loading • Like old-fashioned native packer - decrypt & execute next layer • .NET has special API – Assembly.Load() (some packers, bladabindi malware family, ...) wikipedia.org
  10. 10. Packer – next layer loading Assembly.Load() – solution – catching next layer MZ during loading bp mscorwks!CLRMapViewOfFileEx + 0x26 "da eax" / bp clr!AssemblyNative::LoadFromBuffer "dd (edx - 4) l1; da edx" mscorwks – .NET ~v2.0 - 2.0.50727 clr – .NET ~v4.0 - 4.0.30319
  11. 11. Packer – next layer loading next hint (AV): Loaded MZ is kept in memory – it can be monitored: • New-allocated memory region • Mapped, RW • MZ at the begin Probably it is executable loaded with a call to Assembly.Load() 
  12. 12. User strings 72 01 00 00 70 token UserString position in #US stream opcode #US (UserString stream):
  13. 13. User strings - obfuscation • Every ldstr opcode is changed into call to decrypt method. • Crypted strings are kept in:  Manifest resources  Static data fields  #US stream (crypted) What do the packers do?
  14. 14. User strings - obfuscation DecryptString methods are similar – they use: o !bpmd mscorlib.dll System.String.CreateStringFromEncoding (confusers, eziriz, smartAssembly, cryptoobfuscator, codewall) o !bpmd mscorlib.dll System.String.Intern (yano, babel) o !bpmd mscorlib.dll System.Text.StringBuilder.ToString * (deepsee) * used also by runtime !bpmd – (sos.dll) breakpoint for NGENed method Ngen.exe - The Native Image Generator
  15. 15. User strings - obfuscation Classic strings (ldstr opcode) • bp mscorwks!GlobalStringLiteralMap::GetStringLiteral bp clr!StringLiteralMap::GetStringLiteral
  16. 16. API – in CIL code Obfuscation: • Hide CIL code  Restore with Module::.cctor()  Restore with CompileMethod() hook • Flow obfuscation  Confuse decompilation and byte patterns
  17. 17. RE: Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ... The CIL is crypted in executable The code must be ready for JIT
  18. 18. API – in CIL code Hide CIL code - solution – catching API during JIT resolving bp mscorwks!MethodTable::MapMethodDeclToMethodImpl "!dumpmd dwo (esp+4)" bp clr!MethodTable::MapMethodDeclToMethodImpl "!dumpmd ecx" sos.dll
  19. 19. How to use it? • Windbg scripts https://bitbucket.org/marcin_hartung/vb_unpackyourtroubles • VB whitepaper
  20. 20. How to use it? • Next work – standalone analyser (with hooking) • Internal runtime methods – hook by byte patterns • !bpmd problem – NGENed functions (undocumented, complicated) • !dumpmd problem – Method Descriptor object must be parsed
  21. 21. References • CFF explorer • ILSpy • Msdn • .NET sources More in the whitepaper...
  22. 22. Thanks!

×