Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Itself Through Education
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Itself Through Education
Loading in …3
×
1 of 22

Unpack your troubles*: .NET packer tricks and countermeasures

Sep. 30, 2015
3 likes 14,891 views

3

Share

Presentations & Public Speaking

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

*https://en.wikipedia.org/wiki/Pack_Up_Your_Troubles_in_Your_Old_Kit-Bag

License: CC Attribution-ShareAlike License

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Building a StoryBrand: Clarify Your Message So Customers Will Listen Donald Miller
(4.5/5)
Free
The $12 Million Stuffed Shark: The Curious Economics of Contemporary Art Don Thompson
(3.5/5)
Free
Pogue's Basics: Money: Essential Tips and Shortcuts (That No One Bothers to Tell You) About Beating the System David Pogue
(4/5)
Free
Influencer: Building Your Personal Brand in the Age of Social Media Brittany Hennessy
(3.5/5)
Free
Marketing Made Simple: A Step-by-Step StoryBrand Guide for Any Business Donald Miller
(5/5)
Free
Secondhand: Travels in the New Global Garage Sale Adam Minter
(4/5)
Free
The Psychology of Selling: Increase Your Sales Faster and Easier Than You Ever Thought Possible Brian Tracy
(4.5/5)
Free
The 22 Immutable Laws of Marketing: Exposed and Explained by the World's Two Al Ries
(4.5/5)
Free
Ogilvy on Advertising in the Digital Age Miles Young
(5/5)
Free
Get Clients Now! (TM): A 28-Day Marketing Program for Professionals, Consultants, and Coaches C. Hayden
(0/5)
Free
Phishing for Phools: The Economics of Manipulation and Deception George A. Akerlof
(3.5/5)
Free
Propaganda Edward Bernays
(0/5)
Free
The Conquest of Cool: Business Culture, Counterculture, and the Rise of Hip Consumerism Thomas Frank
(4.5/5)
Free
Priceless: The Myth of Fair Value (and How to Take Advantage of It) William Poundstone
(4.5/5)
Free
Stories That Stick: How Storytelling Can Captivate Customers, Influence Audiences, and Transform Your Business Kindra Hall
(5/5)
Free
Seducing Strangers: How to Get People to Buy What You're Selling (The Little Black Book of Advertising Secrets) Josh Weltman
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Unleashing the Idea Virus Seth Godin
(4.5/5)
Free
Contagious: Why Things Catch On Jonah Berger
(4.5/5)
Free
Wanting: The Power of Mimetic Desire in Everyday Life Luke Burgis
(4.5/5)
Free
Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life Rory Sutherland
(4.5/5)
Free
Crossing the Chasm: Marketing and Selling Technology Projects to Mainstream Customers Geoffrey A. Moore
(4.5/5)
Free
Yes!: 50 Scientifically Proven Ways to Be Persuasive Noah J. Goldstein
(4.5/5)
Free
Building a StoryBrand: Clarify Your Message So Customers Will Listen Findaway
(5/5)
Free
Predictably Irrational: The Hidden Forces That Shape Our Decisions Dr. Dan Ariely
(4.5/5)
Free
Influence: The Psychology of Persuasion Robert B. Cialdini, PhD
(4.5/5)
Free
Permission Marketing: Turning Strangers into Friends, and Friends into Customers Seth Godin
(4.5/5)
Free
Influence, New and Expanded: The Psychology of Persuasion Robert B. Cialdini
(4.5/5)
Free
22 Immutable Laws of Branding Al Ries
(4.5/5)
Free
Overdressed: The Shockingly High Cost of Cheap Fashion Elizabeth L. Cline
(4.5/5)
Free
Inside the Tornado Geoffrey A. Moore
(4/5)
Free
The 22 Immutable Laws of Marketing Al Ries
(4.5/5)
Free
The Consuming Instinct: What Juicy Burgers, Ferraris, Pornography, and Gift Giving Reveal About Human Nature Gad Saad
(4.5/5)
Free

Unpack your troubles*: .NET packer tricks and countermeasures

  1. 1. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung ESET, Poland
  2. 2. UNPACK YOUR TROUBLES: .NET PACKER TRICKS AND COUNTERMEASURES Marcin Hartung hartung@eset.pl Eset Poland At Eset: programmer in the Software Protectors Analysis & Unpacking Team Other: motorbiker, mountain hiker, climber
  3. 3. Outline • Object-oriented file format • .NET analysing • LoadAssembly • UserString • API
  4. 4. Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ...
  5. 5. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names
  6. 6. Object-oriented file format Program structure is kept in executable: • Object (classes, methods, fields) in tables • Referenced with tokens in CIL • User method names 6F 04 00 00 06 token MethodDef table 4th entry in the table opcode
  7. 7. Analysing .NET samples • Static analysis (decompilers) good for non-protected samples, bad (or imposible) for obfuscation • Deobfuscators support for every new version problem with patched or custom packers
  8. 8. Analysing .NET samples • Debugging symbols, runtime sources winDbg + sos.dll plugin (!bpmd, !dumpmd) • Other emulating, profiling, ...
  9. 9. Packer – next layer loading • Like old-fashioned native packer - decrypt & execute next layer • .NET has special API – Assembly.Load() (some packers, bladabindi malware family, ...) wikipedia.org
  10. 10. Packer – next layer loading Assembly.Load() – solution – catching next layer MZ during loading bp mscorwks!CLRMapViewOfFileEx + 0x26 "da eax" / bp clr!AssemblyNative::LoadFromBuffer "dd (edx - 4) l1; da edx" mscorwks – .NET ~v2.0 - 2.0.50727 clr – .NET ~v4.0 - 4.0.30319
  11. 11. Packer – next layer loading next hint (AV): Loaded MZ is kept in memory – it can be monitored: • New-allocated memory region • Mapped, RW • MZ at the begin Probably it is executable loaded with a call to Assembly.Load() 
  12. 12. User strings 72 01 00 00 70 token UserString position in #US stream opcode #US (UserString stream):
  13. 13. User strings - obfuscation • Every ldstr opcode is changed into call to decrypt method. • Crypted strings are kept in:  Manifest resources  Static data fields  #US stream (crypted) What do the packers do?
  14. 14. User strings - obfuscation DecryptString methods are similar – they use: o !bpmd mscorlib.dll System.String.CreateStringFromEncoding (confusers, eziriz, smartAssembly, cryptoobfuscator, codewall) o !bpmd mscorlib.dll System.String.Intern (yano, babel) o !bpmd mscorlib.dll System.Text.StringBuilder.ToString * (deepsee) * used also by runtime !bpmd – (sos.dll) breakpoint for NGENed method Ngen.exe - The Native Image Generator
  15. 15. User strings - obfuscation Classic strings (ldstr opcode) • bp mscorwks!GlobalStringLiteralMap::GetStringLiteral bp clr!StringLiteralMap::GetStringLiteral
  16. 16. API – in CIL code Obfuscation: • Hide CIL code  Restore with Module::.cctor()  Restore with CompileMethod() hook • Flow obfuscation  Confuse decompilation and byte patterns
  17. 17. RE: Object-oriented file format Source code (C#) Compiler CIL (Common Intermediate Language) Native code JIT (Just- in-time) Compilation Execution The first execution of particular method Executable MZ... The CIL is crypted in executable The code must be ready for JIT
  18. 18. API – in CIL code Hide CIL code - solution – catching API during JIT resolving bp mscorwks!MethodTable::MapMethodDeclToMethodImpl "!dumpmd dwo (esp+4)" bp clr!MethodTable::MapMethodDeclToMethodImpl "!dumpmd ecx" sos.dll
  19. 19. How to use it? • Windbg scripts https://bitbucket.org/marcin_hartung/vb_unpackyourtroubles • VB whitepaper
  20. 20. How to use it? • Next work – standalone analyser (with hooking) • Internal runtime methods – hook by byte patterns • !bpmd problem – NGENed functions (undocumented, complicated) • !dumpmd problem – Method Descriptor object must be parsed
  21. 21. References • CFF explorer • ILSpy • Msdn • .NET sources More in the whitepaper...
  22. 22. Thanks!

×