.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
.NET malware is well-known by security analysts, but even existing many tools such as dnSpy,.NET Reflector, de4dot and so on to make the analysis easier, most professionals have used them as a black box tool, without concerning to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenger because it is so complicated to deobfuscated associated resources, as unpacking and dumping them from memory. Furthermore, most GUI debugging tools does an inside view of mechanisms such as CRL Loader, Managed Heap, Synchronization issues and Garbage Collection.
In the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows to see code injections using .MSIL and attempts to compromise .NET Runtime keep being a real concern.
The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and few reversing techniques.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
.NET malware is well-known by security analysts, but even existing many tools such as dnSpy,.NET Reflector, de4dot and so on to make the analysis easier, most professionals have used them as a black box tool, without concerning to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenger because it is so complicated to deobfuscated associated resources, as unpacking and dumping them from memory. Furthermore, most GUI debugging tools does an inside view of mechanisms such as CRL Loader, Managed Heap, Synchronization issues and Garbage Collection.
In the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows to see code injections using .MSIL and attempts to compromise .NET Runtime keep being a real concern.
The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and few reversing techniques.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to APPuse VM for droid assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...CODE BLUE
Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail out how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.
Malicious software, or malware in short, pose a serious threat to and can severely damage computer systems. A prime example of this was a ransomware that widely exploited a number of systems recently. Ransomware is a dangerous malware, which is used for extorting money and ransom from victims, failing which they could lose their data forever. In this paper, we used statistical analysis of Application Programming Interfaces (API) functions calls in order to detect ransomware adequately. First, we imported API functions calls for numerous ransomware and benign software applications samples, and saved them as strings in strings files. Subsequently, the imported API functions calls were counted and tabulated to generate a dataset. Then, we applied Chi-Square, Paired Sample t-test, and Correlation statistical analysis to our generated dataset. Our statistical analysis was able to detect ransomware effectively with almost 95% accuracy. In addition, we determined the relationship between each pair.
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
The activities of the Lazarus group have not been focused on in Japan. However, in our recent incident response efforts, more and more domestic organizations have become targets of the Lazarus Group.
This presentation will explain in detail the cases where Japanese organizations were targeted by the Lazarus group.
The presentation will begin with an overview of the Lazarus group's attack campaigns, linking the attack operations we describe to other publicly available information. Then, we will focus on two of the Lazarus campaigns confirmed in Japan in 2020, and introduce the latest TTPs, including the characteristics of the malware and the tools used in the attacks.
The first one, Operation Dream Job, is an attack campaign targeting the defense industry, and attacks have been confirmed worldwide. A number of malware have been confirmed to have been used in this attack campaign, and the details of these will be explained. We will also introduce the tools and techniques used by the attackers in the network, and organize the TTP in ATT&CK.
The second attack, Operation JTrack, was an attack campaign targeting Japanese organizations, and multiple organizations were targeted. The second attack campaign, Operation JTrack, targeted multiple organizations in Japan. Several malware and tools were also used in this attack campaign, which will be explained in detail.
Finally, the TTPs of the two attack campaigns presented will be compared to show the information that can be used for countermeasures.<br>Throughout this presentation, the Lazarus group Through this presentation, you will be able to understand the latest TTPs of the Lazarus group and use them to take action in the future.
Presentation talks about different techniques to achieve persistence in Windows environment as well as how it could be detected. Talk was delivered @Null Bangalore chapter on 15th February 2019.
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
With the rise of attacks implementing PowerShell in the recent months, there hasn’t been a solid solution for monitoring or prevention. Currently Microsoft released the AMSI solution for PowerShell v5 however this can also be bypassed. This talk will focus on utilizing various stealthy runtime .NET hijacking techniques implemented for blue teamer defenses for PowerShell attacks. The paper will start with a light intro into .NET and PowerShell, then a deeper explanation of various attacker techniques which will be explained in the perspective of the blue teamer. Techniques include assembly modification, class and method injection, compiler profiling, and C based function hooking.
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...Soya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it. Unfortunately, we have not a memory good enough to remember so many passwords long and secure. For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password management application. Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it. The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows. In this talk, I will demonstrate the actual attack, and provide technical explanations to enable this attack. And finally, I suggest ways to protect other apps from this attack.
Open source security tools for Kubernetes.Michael Ducy
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.
In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)Alexandre Borges
Malware threats have been impacting the way that companies make and protect their business. In general, most of companies have bought several different products to compose their infrastructure and defense line, but they are only efficient against known and simple threats. Curiously, most infections start through simple vector such as a malicious document or a simple fishing. However, the problem is another one: what kind of malware a simple dropper can download in the system? Most ring 3 threats are visible, but some of them are not. Additionally, ring 0 threats are usually very dangerous because they work under the radar, compromising deeply the system and bypassing my protection. Worse, they can make the monitoring tools useless and open the way to advanced threats like BIOS/UEFI malware. What kind of techniques are used by these threats? What protections do we have? This presentation aims to show and explain some techniques used by malware advanced threats and protections against them.
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)Alexandre Borges
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily obfuscating and, eventually, virtualizing codes using techniques such as CFG, call stack manipulation, dead code, opaque predicate and so on. Understanding these concepts and how they are used with virtualized packers is an advantage to learn the main anti-reversing techniques.
Therefore, to manage complex scenarios as exposed above, we are able to use frameworks such as METASM, MIASM and several dynamic static emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us to having a better understanding about programs and their behavior.
This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily virtualize and obfuscate codes using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicate and so on. Therefore, to manage complex sceneries as exposed above, we are able to use tools such as METASM, MIASM and several emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. This presentation aims to show concepts and a practical approach on how to handle these reverse engineering problems.
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to APPuse VM for droid assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...CODE BLUE
Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail out how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.
Malicious software, or malware in short, pose a serious threat to and can severely damage computer systems. A prime example of this was a ransomware that widely exploited a number of systems recently. Ransomware is a dangerous malware, which is used for extorting money and ransom from victims, failing which they could lose their data forever. In this paper, we used statistical analysis of Application Programming Interfaces (API) functions calls in order to detect ransomware adequately. First, we imported API functions calls for numerous ransomware and benign software applications samples, and saved them as strings in strings files. Subsequently, the imported API functions calls were counted and tabulated to generate a dataset. Then, we applied Chi-Square, Paired Sample t-test, and Correlation statistical analysis to our generated dataset. Our statistical analysis was able to detect ransomware effectively with almost 95% accuracy. In addition, we determined the relationship between each pair.
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
The activities of the Lazarus group have not been focused on in Japan. However, in our recent incident response efforts, more and more domestic organizations have become targets of the Lazarus Group.
This presentation will explain in detail the cases where Japanese organizations were targeted by the Lazarus group.
The presentation will begin with an overview of the Lazarus group's attack campaigns, linking the attack operations we describe to other publicly available information. Then, we will focus on two of the Lazarus campaigns confirmed in Japan in 2020, and introduce the latest TTPs, including the characteristics of the malware and the tools used in the attacks.
The first one, Operation Dream Job, is an attack campaign targeting the defense industry, and attacks have been confirmed worldwide. A number of malware have been confirmed to have been used in this attack campaign, and the details of these will be explained. We will also introduce the tools and techniques used by the attackers in the network, and organize the TTP in ATT&CK.
The second attack, Operation JTrack, was an attack campaign targeting Japanese organizations, and multiple organizations were targeted. The second attack campaign, Operation JTrack, targeted multiple organizations in Japan. Several malware and tools were also used in this attack campaign, which will be explained in detail.
Finally, the TTPs of the two attack campaigns presented will be compared to show the information that can be used for countermeasures.<br>Throughout this presentation, the Lazarus group Through this presentation, you will be able to understand the latest TTPs of the Lazarus group and use them to take action in the future.
Presentation talks about different techniques to achieve persistence in Windows environment as well as how it could be detected. Talk was delivered @Null Bangalore chapter on 15th February 2019.
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
With the rise of attacks implementing PowerShell in the recent months, there hasn’t been a solid solution for monitoring or prevention. Currently Microsoft released the AMSI solution for PowerShell v5 however this can also be bypassed. This talk will focus on utilizing various stealthy runtime .NET hijacking techniques implemented for blue teamer defenses for PowerShell attacks. The paper will start with a light intro into .NET and PowerShell, then a deeper explanation of various attacker techniques which will be explained in the perspective of the blue teamer. Techniques include assembly modification, class and method injection, compiler profiling, and C based function hooking.
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...Soya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it. Unfortunately, we have not a memory good enough to remember so many passwords long and secure. For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password management application. Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it. The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows. In this talk, I will demonstrate the actual attack, and provide technical explanations to enable this attack. And finally, I suggest ways to protect other apps from this attack.
Open source security tools for Kubernetes.Michael Ducy
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.
In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)Alexandre Borges
Malware threats have been impacting the way that companies make and protect their business. In general, most of companies have bought several different products to compose their infrastructure and defense line, but they are only efficient against known and simple threats. Curiously, most infections start through simple vector such as a malicious document or a simple fishing. However, the problem is another one: what kind of malware a simple dropper can download in the system? Most ring 3 threats are visible, but some of them are not. Additionally, ring 0 threats are usually very dangerous because they work under the radar, compromising deeply the system and bypassing my protection. Worse, they can make the monitoring tools useless and open the way to advanced threats like BIOS/UEFI malware. What kind of techniques are used by these threats? What protections do we have? This presentation aims to show and explain some techniques used by malware advanced threats and protections against them.
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)Alexandre Borges
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily obfuscating and, eventually, virtualizing codes using techniques such as CFG, call stack manipulation, dead code, opaque predicate and so on. Understanding these concepts and how they are used with virtualized packers is an advantage to learn the main anti-reversing techniques.
Therefore, to manage complex scenarios as exposed above, we are able to use frameworks such as METASM, MIASM and several dynamic static emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us to having a better understanding about programs and their behavior.
This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily virtualize and obfuscate codes using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicate and so on. Therefore, to manage complex sceneries as exposed above, we are able to use tools such as METASM, MIASM and several emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. This presentation aims to show concepts and a practical approach on how to handle these reverse engineering problems.
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
DEF CON 23
Remember DLL hijacking on Windows? Well, turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment).
By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only to plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring" leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijacker libraries, or detect if you've been hijacked.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware.
This white paper addresses the new challenges in software protection for the .NET Framework in addition to providing a variety means for protecting your applications.
A Platform for Application Risk IntelligenceCheckmarx
Using Source Code Understanding as a Risk Barometer:
Source Code Analysis technologies have significantly evolved in recent years – making improvements in precision and accuracy with the introduction of new analysis techniques like flow analysis. This article describes this evolution and how the most advanced capabilities available today like query-based analysis and Knowledge Discovery can be leveraged to create a platform for Application Risk Intelligence (ARI) to help implement a proactive security program.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.
The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
Similar to DEFCON 27 - ALEXANDRE BORGES - dot net malware threats (20)
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
1. 1
.NET MALWARE THREAT:
INTERNALS AND
REVERSING
DEF CON USA 2019
DEF CON USA 2019
by Alexandre Borges
ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
2. DEF CON USA 2019
2
Malware and Security Researcher.
Speaker at DEF CON USA 2018
Speaker at DEF CON China 2019
Speaker at CONFidence Conference
2019 (Poland)
Speaker at HITB 2019 Amsterdam
Speaker at BSIDES
2019/2018/2017/2016
Speaker at H2HC 2016/2015
Speaker at BHACK 2018
Consultant, Instructor and Speaker on
Malware Analysis, Memory Analysis,
Digital Forensics and Rootkits.
Reviewer member of the The Journal
of Digital Forensics, Security and Law.
Referee on Digital Investigation: The
International Journal of Digital
Forensics & Incident Response
Agenda:
Introduction
Managed executable structures
CLR and Assembly Loader details
.NET internals metadata
Modules, assemblies and manifest
.NET program structures
Malicious code through MSIL
.NET debugging
Few GC and synchronous aspects
Conclusion
ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
3. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
3
Last talks in conferences:
CONFidence Conference 2019:
https://confidence-conference.org/2019/bio.html#id=37486
slides:
http://www.blackstormsecurity.com/CONFIDENCE_2019_ALEXANDRE.pdf
DEF CON China 2019:
https://www.defcon.org/html/dc-china-1/dc-cn-1-speakers.html#Borges
slides:
http://www.blackstormsecurity.com/docs/DEFCON_CHINA_ALEXANDRE.pdf
HITB Amsterdam 2019:
https://conference.hitb.org/hitbsecconf2019ams/speakers/alexandre-borges/
slides: http://www.blackstormsecurity.com/docs/HITB_AMS_2019.pdf
DEF CON USA 2018:
https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Borges
slides: http://www.blackstormsecurity.com/docs/DEFCON2018.pdf
Malwoverview Tool: https://github.com/alexandreborges/malwoverview
5. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
5
Motivations to this talk about .NET reversing and internals:
Most of the time, professionals are interested in unpacking embedded
resources from a .NET sample.
In another moment, the concern is dumping the unpacked binary from
memory.
Sometimes, we have looked for any unpacking routine to dynamically unpack
the encrypted content.
All of these actions are correct and recommended.
However....
Many people don’t understand .NET metadata components.
Most people based their analysis on the decompiled code, but never on IL.
Malware’s authors have manipulated the IL to attack the system and even the
.NET runtime.
6. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 6
There are many available methods to infect a system using .NET malware. Most of
the time, a .NET code decrypts and loads a native code (or injects a code into a
target process).
However, there are few approaches that use indirect techniques:
An e-mail comes from the Internet and a first dropper is downloaded.
This dropper fetches a encrypted payload, which contains a native payload
and a managed code.
The payload 1 executes and injects a DLL into a remote chosen process.
This DLL loads (and sometime decrypts) the malicious managed code.
The malicious managed code drops the payload 2 (real and advanced).
The true infection starts.
dropper
(unmanaged)
payload 1
(unmanaged)
vector
(managed)
inject a DLL in
a remote
process
payload 2
Infection
7. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
7
It is not necessary to comment about how to inject a code because the steps are
the same ever-sequence:
CreateToolhelp32Snapshot( ) Module32First( ) Module32Next( )
comparison (wcscmp( ))
VirtualAllocEx( ) WriteProcessMemory( ) CreateRemoteThread( )
WaitForSingleObject VirtualFreeEx( ).
Find the offset of injected DLL from the base module (any testing module).
Use this offset to invoke functions from any injected remote process through
GetProcessAddress( ) + CreateRemoteThread( ).
Thi injected DLL can load the next stage and, eventually, decrypt it.
Obviously, the .NET managed code can be loaded from any process or, even
worse, from an natived injected code (DLL).
After loading it, it is easy to execute it. Our simple case above.
8. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
8
We should remember that a typical native application can also load a .NET runtime
and execute a managed code:
CLRCreateInstance( ): provides the ICLRMetaHost interface.
ICLRMetaHost::GetRunTime( ): gets the ICLRRuntimeInfo.
ICLRRuntimeInfo::GetInterface( ): Loads the CLR into the current process and
returns runtime interface pointers.
ICLRRuntimeHost::ExecuteApplication( ): specifies the application to be
activated in a new domain.
ICLRRuntimeHost::Start( ): starts the the runtime.
ICLRRuntimeHost::ExecuteInDefaultAppDomain( ): invokes a method in the
.NET managed assembly (this steps does not work for all .NET assembly’s
method). Thus, in this case, starts the managed assembly.
Finally, the real infection starts.
9. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
9
We know that .NET malware samples can be very complicated to analyze when
packed and obfuscated.
The .NET framework is composed by:
CLR (Common Language Runtime), which is the .NET engine.
Libraries (System.IO, System.Reflection, System.Collections, ...).
Basically:
source code is written in C#, F#, VB.NET and Powershell.
compiled to CLI (Common Language Infrastruture Code).
executed by the CLR.
Tools used to reverse and analyze .NET malware threats are completely different
than ones used to reverse native language:
dnSpy (excellent)
ILSpy (excellent)
RedGate .NET Reflector
De4dot (deobfuscator)
Microsoft Visual Studio
WinDbg (including SOS.dll extension)
DotPeek
IDA Pro
Microsoft ILASM/ILDASM (Intermediate
Language Assembly/Disassembler)
10. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
10
Other interesting tools to analyze and understand .NET runtime are available:
MemoScope.Net: https://github.com/fremag/MemoScope.Net
Shed -- a .NET runtime inspector: https://github.com/enkomio/shed
SuperDump, for automated crash dump analysis:
https://github.com/Dynatrace/superdump
DumpMiner: https://github.com/dudikeleti/DumpMiner
MemAnalyzer: https://github.com/Alois-xx/MemAnalyzer
Sharplab: https://sharplab.io/
ObjectLayoutInspector to analyze internal structures of the CLR types at
runtime (https://github.com/SergeyTeplyakov/ObjectLayoutInspector)
Tools are excellent to help us, but most .NET malware threats have deployed the
same tricks from native code to make our job harder: packers, obfuscation and
anti-reversing techniques.
.NET Reactor
Salamander .NET Obfuscator
Dotfuscator
Smart Assembly
CryptoObfuscator for .NET
Agile
ArmDot
babelfor.NET
Eazfuscator.NET
Spice.Net
Skater.NET
VM Protect 3.40
11. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
11
There are many obfuscators, which perform:
Control flow obfuscation and dead/junk code insertion.
Renaming: methods signatures, fields, methods implementation, namespaces,
metadata and external references.
Re-encoding: changing printable to unprintable characters
Simple encryption of methods and strings.
Cross reference obfuscation.
Yes, I know... I’ve already talked about de-obfuscation in DEF CON China 2019.
Most time, the real and encoded malicious code (payload) is downloaded and
decrypted/loaded into the memory for execution:
System.Reflection.Assembly.Load( )
System.Reflection.Assembly.LoadFile()
System.Reflection.MethodInfo.Invoke( )
As we already know, Load( )/LoadFile( ) function are usually followed by:
GetType ( ) GetMethod( ) Invoke( ) (this is a typical Reflection approach)
12. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
12
Another possible approach would be:
GetAssemblyName( ) + GetType( ) + GetMethod( ) + Invoke( )
Some “encrypted content” is loaded from as a resource, so it is usual finding the
following sequence:
FindResource( ) + SizeOfResource( ) + LoadResource( ) + LockResource( )
Resources.ResourceManager.GetObject( )
Additionally, we’ve seen techniques using embedded references such as DLLs as
resources through a sequence of calls using:
AssemblyLoader.Attach( ) + AssemblyLoader.ResolveAssembly( ).
As you’ve guessed, AssemblyLoader.ResolveAssembly( ) is used to resolving
assemblies that are not available at the exact time of calling other methods, which
are external references to the binary itself.
Similar to resources mentioned previously, these “external references” (DLL
required by the binary) must be first “decompressed” at most of the time.
17. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
17
As every single malware code, this one is using Reflection to retrieve information in
runtime. In this case also calls the GetExecutingAssembly( ) method to get the
Assembly object, which represents the current assembly.
18. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
18
Therefore, we can extract these resources (DLLs, for example) by using either dnSpy
or ILSpy , decrypt and load them again into the managed code.
Of course, in this case, we’ll be able to see all “hidden” references, finally.
To load the “decrypted” resources into the managed code, we can use ILSpy +
Reflexil plugin (http://reflexil.net/).
Finally, it is necessary to remove the “old” references to the embedded resources
(performed by AssemblyLoader.Attach( )) from the initializer (or removing the whole
initializer) because, at this time, they are “decrypted”.
By the way, Reflexil is able to handle different obfuscators such as Babel NET,
CodeFort, Skater NET, SmartAssembly, Spices Net, Xenocode, Eazfuscator NET,
Goliath NET, ILProtector, MaxtoCode, MPRESS, Rummage, CodeVeil,CodeWall,
CryptoObfuscator, DeepSea, Dotfuscator, dotNET Reactor, CliSecure and so on.
Another interesting point is that calling Win32 APIs through P/Invoke (Platform
Invoke) is always possible.
At end, gaining knowledge in .NET internals and metadata can be interesting.
19. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
19
Most time, there are module/type initializers (similar to TLS in native code)
executing before classes and entry point methods.
.NET protectors hardly change the entry point and, usually, the trick is in the
initializer.
.cctor( ) method is a static class constructor:
called before the Main( ) method (usually set as entry point), for example.
when the module has a .cctor (<Module>::.cctor( )), so it is run before
executing any other class initializers or even an entry point.
It is common finding unpackers, decrypters and hooks in the .cctor( )
method.
Hijacking the ICorJitCompiler::compileMethod( ) is an interesting and useful way to
take the control of the JIT engine because this method is used to create a native
code, so we find managed and native code together.
In this case: .cctor( ) hooking compileMethod( ) hiding/encryting user code.
21. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
21
Malware authors have written malware threats in ILAsm and using constructions
that are not compliance to CLS (Common Language Specification).
In this case, the malware is valid to the runtime engine, though it is not always able
to communicate to other applications.
Metadata works as descriptors for each structure component of the application:
classes, attributes, members, and so on.
Remember that a .NET application is composed by:
managed executable files, which each one contains metadata
managed code (optionally)
.NET Assembly: managed .NET application (modules) + class libraries + resources
files (more information later)
CLR runtime environment: loaders + JIT compiler.
.NET source code .NET compiler module (IL + metadata) CLR ( loaders +
JIT compiler) native instruction Execution Engine
22. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
22
Managed module is composed by:
PE header: If the module contains only IL code, so most of information of
header is ignored. However, if the module also contains native code, so things
are different.
CLR header: contains the version of the CLR, token of Main( ) (natural entry
poiint), resources and so on.
Metadata: describe types and members. Additionally, it helps the GC to track
the life time of objects.
IL (Intermediate Language) code: the managed code.
Managed Modules
Resource Files
Compiler (C#, VB, F#)
+ Linker
Managed Modules
Resource Files
Manifest
.NET Assembly
(.exe or .dll)
23. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
23
PE Header
Native Code /
Data
CLR Header
CLR Data
(ILcode, metadata,
managed resources)
DOS Header
PE Header
Data Directories
(size and location of CLR header)
Section Headers
.text
(includes MSIL and metadata)
.idata
.data
Remaining sections
24. DEF CON USA 2019
24
CLR Header is represented by a structure named IMAGE_COR20_HEADER (defined
in CorHdr.h).
The CLR header + data holds information such as:
Metadata information (size and RVA).
Token of the entry point of the image file (EntryPointTokenField).
Array of v-table fixup Table : used when a managed method is called from an
unmanaged code. Each entry of a v-table holds a token of the target method.
Resource information (size and RVA)
Flags indicating:
32 bits only.
strong assembly
entrypoint of a native code.
Managed resources in contained into .text section (and not .rsrc section).
25. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
25
Metadata is composed by tables such as:
Definition tables: ModuleDef, TypeDef, MethodDef, FieldDef, ParamDef,
PropertyDef and EventDef
Reference tables: AssemblyRef, ModuleRef, TypeRef and MemberRef.
Manifest tables: AssemblyDef, FileDef, ManifestResourceDef and
ExportedTypesDef.
Most malicious .NET malware samples have:
Used code manipulation (encryption/decryption) in .ctor( )/.cctor( )/Finalize( )
Called unmanaged functions from DLLs using P/Invoke.
Used COM components (very usual).
Even a trivial .NET malware, the managed code can be small. (ILDasm.exe
View Statistics)
28. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 28
Metadata describes all declared or referenced data in a module such as classes,
members, attributes, properties and relationships.
Metadata is organized as a relational database using cross-references and making
possible to find what class each method comes from.
Metadata are represented by named streams, which are classified as metadata
heaps and metadata tables.
slot 1: Class A -- methods at slot 1
slot 2: Class B -- methods at slot 3
slot 3: Class C -- methods at slot 5
slot 4: Class D -- methods at slot 6
slot 5: Class E -- methods at slot 8
slot 1: Method 1 - Classe A
slot 2: Method 2 - Classe A
slot 3: Method 1 - Classe B
slot 4: Method 2 - Classe B
slot 5: Method 1 - Classe C
slot 6: Method 1 - Classe D
slot 7: Method 2 - Classe D
slot 8: Method 1 - Classe E
29. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
29
Metadata heaps:
GUID heap: contains objects of size equal to 16 bytes.
String heap: contains strings.
Blog heap: contains arbitrary binary objects aligned on 4-byte boundary.
There can be 6 named streams:
#GUID: contains global unique identifiers.
#Strings: contains names of classes, methods, and so on.
#US: contains user defined strings.
#~: contains compressed metadata stream.
#-: contains uncompressed metadata stream.
Blob: contains metadata from binary objects.
An important note: compressed and uncompressed named streams are
mutually exclusive.
Metadata heaps:
The schema defines the metadata tables by usings a descriptor.
There are more than 40 metadata tables.
30. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
30
Tokens have 4 bytes, which the first byte determines the metadata table and the
three remaining bytes are the RID.
RID (record identifiers) are used as row indexes in metadata tables.
Tokens determines which metadata tables are being referred.
Unfortunately, tokens don’t cover all tables (auxiliary tables, which are hardcoded).
0(0x0): Module
1(0x1): TypeRef
2(0x2): TypeDef
3(0x3): FieldPtr
4(0x4): Field
5(0x5): MethodPtr
6(0x6): Method
7(0x7): ParamPtr
8(0x8): Param
9(0x9): InterfaceImpl
10(0xa): MemberRef
11(0xb): Constant
12(0xc): CustomAttribute
13(0xd): FieldMarshal
14(0xe): DeclSecurity
15(0xf): ClassLayout
16(0x10): FieldLayout
17(0x11): StandAloneSig
18(0x12): EventMap
19(0x13): EventPtr
20(0x14): Event
21(0x15): PropertyMap
22(0x16): PropertyPtr
23(0x17): Property
24(0x18): MethodSemantics
25(0x19): MethodImpl
26(0x1a): ModuleRef
27(0x1b): TypeSpec
28(0x1c): ImplMap
29(0x1d): FieldRVA
30(0x1e): ENCLog
31(0x1f): ENCMap
32(0x20): Assembly
33(0x21): AssemblyProcessor
34(0x22): AssemblyOS
35(0x23): AssemblyRef
36(0x24): AssemblyRefProcessor
37(0x25): AssemblyRefOS
38(0x26): File
39(0x27): ExportedType
40(0x28): ManifestResource
41(0x29): NestedClass
42(0x2a): GenericParam
43(0x2b): MethodSpec
44(0x2c): GenericParamConstraint
33. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
33
The JIT compiler stores the native instructions in the memory, which it is
discarded after the application terminates. Eventually, we can perform a
memory dump to examine this code.
Check the installed .NET version:
Subdirectories under C:WindowsMicrosoft.NET
clrver.exe
clrver.exe -all
Programming directly in IL (Intermediate Language) can be interesting because:
IL is stack based, so we don’t find any instruction related to register
manipulation.
It is too easy to check, reverse it (ILDasm.exe) and make “customizations”.
Ngen.exe can be used to compile IL instructions to native code.
Of course, CLR checks some details (CLR version, CPU type, Windows
version, and so on) before executing it.
Eventually, malware threats have attacked the .NET runtime to subvert the
system.
34. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
34
In .NET applications:
.NET Assembly:
managed .NET application (modules) + class libraries + resources files
In malware samples, we usually find that resources are encrypted
binaries and DLLs.
contains information such as version, publisher, culture and exported
files.
Remember that the application can download assembly files from a URL
(codeBase element).
.NET malware have used multi-file assemblies, partitioning types over
different files. Unfortunately, it is only possible to create multfile
assembly in the command line.
Few malware authors have create .NET malware containing different
types: such as C# and VB in the same assembly.
The manifest also holds metadata tables containing the names of files that are
part of the assembly: AssemblyDef, FileDef, ManifestResourceDef and
ExportedTypesDef.
35. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
35
Assemblies can be classified as:
private: it is specific of an application and deployed at same directory.
shared: it is shared and used by other applications.
All memory requested by the assembly is really “managed” by CLR, which
“interfaces” this request to the operating system.
Therefore, the CLR is able to control the access to different objects in the
memory between the application domains (like processes), which are
representing the code of assemblies.
Of course, there are permited methods to cross-access requests between
application domains through proxy objects by marshalling objects either by value
or by reference.
As we’ve mentioned previously, manifest is a kind of file to “wrap up everything”,
describing modules, resources and other details of the assembly.
36. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
36
Compile multi-file .NET malware is pretty easy:
csc.exe /t:module hooking.cs
csc.exe /t:module injection.cs
csc.exe /out:malwarelib.dll /t:library /addmodule:hooking.netmodule
/addmodule:injection.netmodule Defcon.cs
In this case, we have a multi-file assembly:
includes a managed module named hooking.netmodule and
injection.netmodule. The output file is a DLL named malwarelib.dll
a manifest file wrapping everything.
This compiling command add the hooking.mod file to the FileDef manifest
metadata table and the its exported types to the ExportedTypeDef manifest
metadata table.
To check: ILDasm View MetaInfo Show! and look for the FileDef and
ExportedTypeDef tables.
37. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 37
Native modules referred by the
assembly. The module name is
in the ModuleRef.
External assemblies that
referred by the assembly
(AssemblyRef table).
Manifest
Used when a strong
assembly is specified.
40. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
40
Of course, we could have a “big malware module” to use in projects:
al.exe /out: BigMalwareLib.dll /t:library hooking. netmodule injection.
netmodule
csc.exe /t:module /r:BigMalwareLib.dll Defcon.cs
al /out:Defcon.exe /t:exe /main:Defcon.Main Defcon.netmodule
In this case, the __EntryPoint() global function will contain the Defcon::Main( )
function call (check the IL code to confirm it).
Finally, using csc.exe /resource makes simple to add resources (generated by
resgen.exe , for example). It updates the the ManifestResourceDef table.
It is not necessary to mention that malware’s authors usually don’t write strong
assemblies, which as signed with the private/public key pair from the publisher.
Unless that this key pair has been stolen...
csc.exe /out:TestProgram.exe /t:exe Program.cs
sn.exe -k AlexandreBorges.snk
sn.exe -p AlexandreBorges.snk AlexandreBorges.PublicKey sha256
Sn.exe -tp AlexandreBorges.PublicKey
csc.exe /out:TestProgram.exe /t:exe /keyfile:AlexandreBorges.snk Program.cs
42. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
42
Once the system is compromised through a native malware and we have access to
the system as administrator, so it is possible to copy our .NET assembly to the
Global Assembly Cache (GAC). The Registry is not changed.
Once a malicious .NET assembly (first stage, as a resource library) is copied to GAC,
so it can be accessed by other assemblies.
Thus, other malicious .NET malware samples (second stage) can access methods
and types from the first stage.
Only strong assemblies (signed) can be copied to the GAC (located at
C:WindowsMicrosoft.NETassembly) by using GACUtil.exe /i command.
Futhermore, including /r option integrates the assembly with the Windows install
engine.
Unfortunately, the GACUtil.exe is not available in home-user systems, but it is
possible to use the MSI to install the malware threat into the GAC.
At end, it is still feasible to using delay signing, which is a partial signing only using
the public key. Therefore, private key is not used (and there isn’t real protection).
43. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
43
The delay signing allows that the malicious assembly to be installed into the GAC
and, worse, other assemblies can make reference to it.
csc.exe /out:malware.dll /t:exe Program.cs
sn.exe -k AlexandreBorges.snk
sn.exe -p AlexandreBorges.snk AlexandreBorges.PublicKey sha256
sn.exe -tp AlexandreBorges.PublicKey
csc.exe /out:malware.dll /t:exe /keyfile:AlexandreBorges.PublicKey /delaysign
Program.cs
sn.exe -Vr malware.dll (CLR trust in the assembly without using the hash).
It is not so hard to perform a supply-chain attack because, when a file is specified
as reference in the csc.exe compiler using /reference switch, it looks at:
the working directory
csc.exe directory
directory specified by the /lib switch
directory specified by the LIB environment variable.
44. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
44
Several malware samples have been modified or written directly in ILAsm to
bypass common tools.
While ILAsm is not complicated, maybe it is still recommended to remember few
directives and instructions.
.assembly DefCon { }: identifies the current assembly as being DefCon.
.assembly extern <assemblyname>: determines the external managed assembly
used by the program. For example, .assembly extern <mscorlib>
.module malware.dll: identifies the current module.
.namespace Conference: identities the namespace, but it does not represent a
metadata.
.class public auto ansi Hacker entends [mscorlib]System.Object. Its keywords;
.class: identifies the current class (Hacker)
public: specifies the visibility. For example, it could be “private”.
auto: determines the class layout style. It could be “explicit” and
“sequencial”.
ansi: string encode while communicating to unmaged code. Other values are
autochar and unicode.
extends: determines its base class
45. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
45
Other flags for .class directive are:
private: used with private classes, which are not visible outside the current
assembly.
sealed: the current class can’t be derived from this class.
abstract: the current class can’t be instantiated (it holds abstract methods).
explicit: the loader preserve the order of fields in the memory.
sequential: the loader preserves the order of the instance fields as specified
in the class.
nested family: the class is visible from the descendants of the current class
only.
nested assembly: the class is visible only from the current assembly.
nested famandassem: the class is visible from the descendants of the current
class, but residing in the same assembly only.
windowsruntime: the class is a Windows runtime type.
.class public enum Exam: declares a class enumeration named “Exam”.
.ctor( ): instance constructor, which is related to instance fields.
.cctor( ): class constructor (known as type initializer), which is related to static
fields.
46. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
46
During malware analysis, take care: there can be a global .cctor directive, which it
is related to global fields.
call: call a method. Its possible keywords:
return type: void, int32, and so on.
vararg: variable number of arguments
calli: directive used to call methods indirectly by taking arguments + function
pointer.
ldc.i4.0
ldc.i4.1
ldc.i4.2
ldftn void DefCon::Test(int32, int32, int32)
calli void(int32, int32, int32)
(method reference):
call instance void DefCon::Exam(int32, int32, int32)
call instance [.module malware.dll]::Hooking(int32, int32, native int)
47. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
47
.field: specifies a variable of any type declared directly in the class (or struct). Its
main keywords can be:
public / assembly / family (accessed by any decending class) / private
static (shared by all instances of the referred class).
.method: specifies the method declaration. Its main keywords (flags) can be:
public / static: similar meaning as especified in “field” explanation above.
cil managed: it means this method is represented in managed code.
newslot: creates a new slot in the virtual table of the class to prevent that a
existing method (same name and signature) to be overriden in a derived class.
native unmanaged: it means this method is represented in a native code.
abstract: of course, no implementation is provided.
final: as known, the method can’t be overridden.
virtual: method can be “redefined” in derived classes.
strict: this method can only be overridden whether it is accessible from the
class that is overriding it. Of course, the method must be virtual.
noinline: it is not allowed to replace calls to this method by an inline version.
pinvokeimpl: declares an unmanaged method from a managed code (it’s is
also known as P/Invoke mechanism).
48. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
48
.method public hidebysig static pinvokeimpl("user32.dll" winapi) int32
FindWindow(string,string) cil managed preservesig
preservesig: return of method must be preserved.
FindWindows(string,string): function invoked from the “user32.dll” and that
returns a int32 value.
.class public DefCon implements InterfaceA,InterfaceB {
.method void virtual int32 IfB_Speaker(string) {
.override InterfaceB::Speaker
...
}
.class public DefConChina extends DefCon {
.method public specialname void .ctor( ) {
ldarg.0
call instance void DefCon::.ctor( )
ret }
callvirt instance void DefCon::IfB_Speaker( )
49. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
49
.entrypoint: identifies the method as the entry point of the assembly.
.maxstack: defines the maximum stack depth used by the function code
.locals int: defines the local variable of the current method and the “init” keyword
is initializing the variable with “zero” (for example, a integer variable).
.data <var_1>: defines a data segment named “var_1”.
stloc <var>: retrieves the value returned by the call and stores into the “var”
variable.
ldarg.0: Load argument 0 onto the stack.
ldloc <var>: copies the value of “var” onto the stack. Variants, after optmization
and run, such as ldloc.0, ldloc.1, ldloc2 and ldloc3 (representing the first local
variables) are possible.
ldstr: loads the reference to a string onto stack.
ldsflda: loads the reference of a static field onto the stack.
ldsfld: loads the value of a static field onto the stack.
ldc.i4 8: loads the constant value 8 onto the stack.
50. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 50
br Borges: its unconditional jump similar to “jmp” in native assembly. In this case,
jumping to “Borges” label.
brtrue DefCon: takes an item from stack and, if it is zero, so jumps to “Alex”
branch. Similar to jz instruction.
brfalse Alex: takes an item from stack and, if it is one, so jumps to “Alex” branch.
Similar to jnz instruction.
.this: it is a reference to the current class (not instance of the class like C++).
.base: it is a reference to the parent of the current class.
.typedef: creates a alias to a type.
.try / catch: the same meaning of traditional C language.
51. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
51
auto: loader defines the
“best lay out” in the
memory”
nested and sealed class!
specialname flag helps
the loader to
understand this is a
special function
(constructor)
Remember that a field is a variable of any type that is
declared directly in a class or struct.
52. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
52
instance
constructor
load argument 0 onto the stack.
reserving 8 slots for arguments.
push 0 onto stack as int32.
loads a string reference onto stack.
replaces the value of a field with a value from stack.
Using a custom attribute statement to set
the value of CompilerGeneratedAttribute .
54. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
54
It calls a virtual method, which can
be overriden the the derived class.
It loads -1 onto the stack.
Calls a static method named GetCurrentProcess( ) from
Process class (within namespace System.Diagnostics) and
returning an instance of Process class.
Duplicate the value of
the top of the stack.
legal instructions to way
out of a “try block.”
56. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
56
family: can be accessed by any class
descending from the current one.
ldfld: loads the instance field onto the stack.
ldsfld: loads the static field onto the stack.
Event declaration. We should
remember that all events must
have a subscribing method
(.addon ) and a unsubscribing
method (.removeon), at least.
Cleaning up
57. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 57
Declaring three local class variables in
three different slots: 0, 1 and 2. We should
remember that, eventually, slots of same
type can be reused. However, it is another
talk...
58. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 58
Finally, when the publisher calls the Invoke method of the
aggregate delegate, so the event is raised.
Delegates are references representing “type-safe”
function pointers. Thus, Combine( ) adds callback
function pointers to an aggregate, which is used to
implement the event.
Generic Delegate! Compares the second and third arguments and, if
it’s equal, replace the first argument (!!0&).
60. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 60
pushes a null references onto the stack
converts to int64 and pushes it onto the stack
converts to int32 and throws an exception when overflow
declares and initializes the local variable
Function used to decrypt strings
loads the local variable onto stack.
61. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
61
As mentioned previously, a managed assembly can be compiled into a native image
and installed by using Ngen.exe, but the managed assembly is still necessary.
DLL loaded from the Global Assembly Cache can and need to be monitored to
detect strange behavior. Tools to log the DLL loading such as Fuslogvw.exe
(Assembly Bind Log Viewer) and common applications such as Process Monitor can
help us.
Of course, .NET malware threats can try to compromise the .NET runtime class
libraries and JIT, which would cause a deep infection in the system and demand a
detailed investigation because:
changing the runtime library (at IL code) can be lethal to many applications.
it is feasible to change (hooking)/replace a runtime library.
changing the runtime library allows the threat to “break” some strict rules.
Changing JIT cause same problems, but it is harder.
Remember about basics:
copy DLL from GAC dnSpy/Reflector + Reflexil ildasm change ilasm
Ngen copy back to GAC (malware dropper can accomplish this task)
62. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
62
Of course, nothing is so simple:
If the malware’s target is a DLL from .NET runtime, so it is digitally signed and
it would be necessary to have the private key to sign it. Unfortunately, we
don’t have.
Another option would be to generate a new pair of keys and re-sign all the
DLL Framework. Unfortunately, it is so much work.
Copying a modified runtime DLL over the existing one can be difficult or
almost impossible because other programs can be using it. Thus, we should
stop programs and services to accomplish this task.
Eventually, it is necessary to reboot the machine (urgh!) to perform this copy
from a script.
Using the new and modified DLL can be tricky: uninstall the existing native
library (ngen uninstall <dll>) and remove it from its respective directory
under NativeImages_<version> directory.
There are other many tricks such as dropping an assembly into C:WindowsSystem32
or Syswow64)TasksTasks.dll (hint from Casey Smith)
63. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
63
An alternative would be change the Registry. In this case, the GAC continue
being associated to the original (and untouched) assembly, while its
associated native image is changed to the modified version.
In this case:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesInd
exv2.0.50727_64IL key holds information (name + signature key)
about the original assembly.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftFusionNativeImagesInd
exv2.0.50727_64NI key would hold information (name + MVID) about
the modified native image.
Using the MVID from NI key makes simple to locate the native image.
Thus, we can either override the native image with a modified version or
change the MVID entry to point to another native image.
GAC (old .NET assemblies) / GAC_32 (IL and x86) / GAC_64 (IL and x64) /
GAC_MSIL (IL code) directories are under C:WindowsAssembly directory.
64. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
64
Most of the time, .NET malwares attacking the .NET libraries try either to remove
some check or introduce hooking points at entry or exit of a method. In this
case, System.Reflection is commonly used.
Additionally, there are cases of .NET malware threats attacking applications and
the service management offered by System.ServiceProcess.ServiceBase class and
their associated method such as OnStart( ), OnStop( ), Run( ), ServiceMain( ) and
so on.
Modifying a target code for changing the execution flow demands inserting
references (.assembly extern directive) to signed libraries (version + public key)
to be able to access member and call methods.
Of course, we should remember to increase the stack (.maxstack).
At end, we have multiple types of attacks from a malicious managed code by
establishing a C2, intercepting communication with trusted websites, opening
shells, gathering system information, launching native second stage droppers,
intercepting filesystem communication, stealing information and so on.
65. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
65
WinDbg is always an excellent tool to understand a .NET malware in a better way
or even getting a basic understanding, at least.
Install SOSEX extension:
Download it from http://www.stevestechspot.com/downloads/sosex_64.zip
or http://www.stevestechspot.com/downloads/sosex_32.zip
Unpack it and copy to your WinDbg installation directory. For example:
C:Program Files (x86)Windows Kits10Debuggersx64|x86
Attach the WinDbg to either a running application (the .NET malware) or a saved
dump.
Remember that the CLR process is composed by:
System Domain
Shared Domain
Default Domain
code running at this domains can’t access resources from another
application domain.
66. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 66
0x25B05A: Entry Point from dumpbin /headers malware1.exe
Remember:
Malware execution
Win loaders find the PE’s entry point
Jump to mscoree.dll
Call to CorExeMain
Return to assembly’s entry point.
Disassembling CorExeMain( ) from the start.
We could have used before this point: sxe ld mscorwks.dll ; g
71. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 71
Get a list of managed threads. Of
course, we could used the -special
option to get additional information.
Checks the
unmanaged stack
trace for this thread.
COM Threading Model:
STA: Single Thread Apartment
MTA: Multi Thread Apartment
Threat state:
(0x0) Newly
initialized thread.
(0x020) It can enter
a Join.
(0x200) background
thread.
73. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
73
Checks the managed stack
Display information about the MethodDesc structure
Dump the MethodDesc structure at this address.
Method definition.
Remember: Metadata token is
composed by a Table Reference (1 byte)
and a Table Index (3 byte).
76. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 76
Dump information about the Method Table
Dump information about the Method
Table and display a list of all methods.
Code is PreJIT compiled
Type definition
EEClass data structure is similar to
the method table, but it stores
fields that are used less frequently.
77. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 77
Dump information about a specific module
Dump information about the assembly (as shown previously)
Data accessed and/or updated less frequently
Data accessed and/or updated very frequently
Data used to help COM operations
81. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 81
Shows information about the EEClass structure
Set up a breakpoint on a code that is not JIT yet.
Displays the MethodTable
structure and EEClass structure
of test.Client.Verbunden method.
Displays the MethodDesc
structure information
84. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 84
As a general overview, during allocation requests:
If the maximum expected memory for the Gen0 is
exceeded, collect non-rooted objects and promote
rooted objects to Gen 1.
The same approach is valid when collecting objects
from Gen 1 and Gen 2.
If Gen 2 is exceeded, so GC adds a new segment to
Gen 2.
Objects in Gen 0 and 1 are short-lived.
Reference chain
to the object
from stack...
from handle tables...
85. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
85
The Finalization Queue contains
objects with finalizers (Finalize( )).
When an object in Finalization
Queue becomes rootless, so the
GC put it into the f-reachable
queue, which are considered
garbage (but alive).
87. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 87
Dumps the process
to later analysis
Look for the string in
the managed heap.
It shows information about locks
Make easier to find deadlocked threads
Displays information
about a type or variable
It could seems unbelievable,
but some malware samples
don’t work because deadlocks
If there is some deadlock, so
use the DumpObj command to
find additional information
about the thread.
CCW: COM Callable Wrapper
RCW: Runtime Callable Wrapper,
which intercepts, manage the
object’s lifetime and the
transition between managed
code and native code.
88. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 88
Remember that an event works as
synchronization object.
When an event happens (going from
non-signaled state to signaled state), the
waiting thread (WaitForSingleObject( ))
starts its execution.
Auto reset: If the event is signaled, so
allows the thread being release and it is
automatically reset to non-signaled state.
Manual reset: the event remains in
signaled state until being intentionally
reset.
Other synchonization techniques could
be Semaphores, ReaderWriterLock,
Mutex and so on...
It shows specific-object handle information
90. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 90
Get objects (and their respective metadata) stored
in the heap. To a short output, use !DumpHeap -stat
Dumps the heap, but
limit the output to the
specified type name.
Class !
92. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019 92
Boxing turns a value type
into an object reference
(reference type)
Unboxing turns a object
reference into a value type
!DumpIL displays the IL
instructions of a method
94. ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
DEF CON USA 2019
94
Other possible WinDbg breakpoints that could be used to gather further
information:
How to log API calls:
bp mscorwks!MethodTable::MapMethodDeclToMethodImpl
bp clr!MethodTable::MapMethodDeclToMethodImpl
How to get possible strings:
!bpmd mscorlib.dll System.String.CreateStringFromEncoding
!bpmd mscorlib.dll System.String.Intern
!bpmd mscorlib.dll System.Text.StringBuilder.ToString
bp mscorwks!GlobalStringLiteralMap::GetStringLiteral
bp clr!StringLiteralMap::GetstringLiteral
How to examine loaded assemblies:
bp mscorwks!CLRMapViewOfFileEx
bp clr!AssemblyNative::LoadFromBuffer
98. DEF CON USA 2019 98
ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
Acknowledgments to:
DEF CON staff, who have been always very kind with
me.
You, who have reserved some time attend my talk.
Security is like a drunk: while walking back-and-forth, he
always proceeds halfway through the remaining distance,
but he never gets there.
Remember: the best of this life are people.
99. DEF CON USA 2019
99
Malware and Security Researcher.
Speaker at DEF CON USA 2018
Speaker at DEF CON China 2019
Speaker at CONFidence Conference
2019 (Poland)
Speaker at HITB 2019 Amsterdam
Speaker at BSIDES
2019/2018/2017/2016
Speaker at H2HC 2016/2015
Speaker at BHACK 2018
Consultant, Instructor and Speaker on
Malware Analysis, Memory Analysis,
Digital Forensics and Rootkits.
Reviewer member of the The Journal
of Digital Forensics, Security and Law.
Referee on Digital Investigation: The
International Journal of Digital
Forensics & Incident Response
THANK YOU FOR
ATTENDING MY TALK.
Twitter:
@ale_sp_brazil
@blackstormsecbr
Website: http://www.blackstormsecurity.com
LinkedIn: http://www.linkedin.com/in/aleborges
E-mail: alexandreborges@blackstormsecurity.com
ALEXANDREBORGES–MALWAREANDSECURITYRESEARCHER
Blackstorm Security: we offer one of best
training courses around the world.