Managed Code with Licensing does not always mean Software Protection. R3JlSGFjayAyMDEyIC0gMXN0IFBhbmljaw0KVGhhbmtzIFBoaWwgZm9yIHRoZSB0ZW1wbGF0ZQ==

Transcription

1 Managed Code with Licensing does not always mean Software Protection R3JlSGFjayAyMDEyIC0gMXN0IFBhbmljaw0KVGhhbmtzIFBoaWwgZm9yIHRoZSB0ZW1wbGF0ZQ==

2 OVERVIEW

3 OVERVIEW Console static void WriteLine() JITCompiler static void WriteLine(string) JITCompiler Managed EXE static void Main() { Console.WriteLine( Hello ); Console.WriteLine( Goodbye ); } MSCore.dll JITCompiler function { 1. In the assembly that implements the type (Console), look up the method (WriteLine) being called in the metadata. 2. From the metadata, get the IL for this method. 3. Allocate a block of memory. 4. Compile the IL into native CPU instructions; the native code is saved in the memory allocated in step Modify the method s entry in the Type s table so that it now points to the memory block allocated in step Jump to the native code contained inside the memory block. } Native CPU Instructions Drawing Source : CLR via C# (Jeffrey Richter)

4 OVERVIEW Console static void WriteLine() JITCompiler static void WriteLine(string) Native Managed EXE static void Main() { Console.WriteLine( Hello ); Console.WriteLine( Goodbye ); } MSCore.dll JITCompiler function { 1. In the assembly that implements the type (Console), look up the method (WriteLine) being called in the metadata. 2. From the metadata, get the IL for this method. 3. Allocate a block of memory. 4. Compile the IL into native CPU instructions; the native code is saved in the memory allocated in step Modify the method s entry in the Type s table so that it now points to the memory block allocated in step Jump to the native code contained inside the memory block. } Native CPU Instructions Drawing Source : CLR via C# (Jeffrey Richter)

5 OVERVIEW C# C#C# Resource Resource Resource csc.exe /t:module Stringer.cs csc.exe /addmodule:stringer.netmodule/t:module Client.cs Assembly PE/COFF Header CLR Header.netmodule CLR Data MetaData IL Code.netmodule.netmodule.netmodule Resource Resource Sections natives (.data,.rdata,.reloc,.rsrc,.text) al.exe Client.netmodule Stringer.netmodule/main:MainClientApp.Main /out:myassembly.exe/target:exe

6 C# Assembly Structure Playing with an Assembly is like playing with Russian dolls Icon Source:

7 HexdecimalView HelloWorld.exe

8 OVERVIEW CLR HEADER SECTION HEADER # of Sections * 40 bytes.text /.reloc/.rsrc Virtual Size / Virtual Address / Raw Size / Raw Address OPTIONAL HEADER? Bytes This one is a gold mine. 0x80 NT HEADER + FILE HEADER PE00 24 bytes Machine : Intel 386 / EFI Byte Code Characteristics : Executable, DLL, System File, 32 bit word machine. MS DOS Stub Program 64 bytes 0x00 MZ MS DOS Header e_lfanew 64 bytes

9 Optional Header.NET Directory Debug Directory Export Directory.NET MetaData Directory RVA.NET MetaData Directory Size Import Directory Section Headers [x] OPTIONAL HEADER Data Directories Debug Information Type : CodeView / COFF / Fixup/ CLSID # of entries Import Directory RVA Export Directory RVA Debug Directory RVA.NET MetaData Directory RVA PE32 PE64 Header Subsystem : Windows Console / Windows GUI / EFI BootDriver/ EFI Application DllCharacteristics: Dll can move, NX Compatible, using SEH

10 .NET Directory MetaData Header Signature (BSJB) Major / Minor Version Reserved Version Length Version String Flags Number Of Streams MZ - Mark Zbikowski BSJB - Brian Harry, Susan Radke-Sproull, Jason Zander, and Bill Evans Resources Strong Name Signature.NET Directory ManagedNativeHeader RVA ExportAddressTableJump RVA StrongNameSignature RVA Resources RVA MetaData RVA Flags EntryPointToken IL only, IL Library, 32 bit required, Strong Name Signed Eg. 0x (More details later)

11 .NET MetaDataHeader / Stream #Blob #GUID Contains all the assembly metadata #~ MetaData Stream #~ #Strings #US #GUID #Blob MetaData Header Signature (BSJB) Major / Minor Version Reserved Version Length Version String Flags Number Of Streams Namespace, type and member names are stored String directly used in the program ( Hello world ) Stores GUIDs used throughout the assembly Heap for storing pure binary data method signature, generic instantiations

12 .NET Assembly Metadata AssemblyRef Assembly CustomAttribute MemberRef Param Method TypeDef TypeRef Module Tables Header Major / Minor Version HeapOffsetSizes. Mask Valid Mask Sorted Each row references an external assembly It stores information about the current assembly It indexes a constructor method the owner of that constructor method is the Type of the Custom Attribute. Each row represents an imported method Each row represents a method s param Each row represents a method in a specific class Each row represents a class in the current assembly Each row represents an imported class, its namespace and the assembly which contain it Represents the current Assembly Tells if the #String / #Guid/ #Blob are > 2^16 (Word / DWordfor an index) Bit field of table types: 0x Module / 01 TypeRef/ 02 TypeDef/ 04 -Field/ 06 MethodDef 08 Param/ 09 -InterfaceImpl/ 10 MemberRef/ 11 Constant Bit set means available Bit field of table types: 0x FA00

13 .NET Example using System;. namespace HelloWorld { class Program { static void PrintHelloWolrd() { Console.Out.WriteLine("Hello World..."); } Stored in the TypeDef Stored in the Method table static void PrintHelloWolrd2() { Console.Out.WriteLine("Hello World2..."); } Stored in the #US MetaData Streams TypeRef Table } } static void Main(string[] args) { Program.PrintHelloWolrd(); } MemberRef table Param table

14 .NET Example 1. Each table is a structured byte stream 2. Easy to compute its size 3. Header (Tiny or Fat) Tiny : No Exception, Max stack 8, no local variable (1 byte) Fat: Signature, Code Size, Stack Size (14 bytes) 0xD0, 0x20, 0x00, 0x00, 0x00, 0x00, 0x91, 0x00, 0x43, 0x00, 0x0A, 0x00, 0x01, 0x00 RVA 4 Bytes 0xD Points to the IL Code (More to come) Impl Flags 2 Bytes 0x0000 Click here Flags 2 Bytes 0x9100 Click here Name 2 Bytes 0x4300 Index in String Stream (#String) Signature 2 Bytes 0x0A00 Index in Blob Stream (#Blob) Param List 2 Bytes 0x0001 Index in the Parameter Table

15 Method DefTable Method #1 ( ) MethodName: PrintHelloWolrd( ) Flags : [Private] [Static] [HideBySig] [ReuseSlot] ( ) RVA : 0x000020d0 ImplFlags: [IL] [Managed] ( ) CallCnvntn: [DEFAULT] ReturnType: Void No arguments. Signature : Method #2 ( ) MethodName: PrintHelloWolrd2 ( ) Flags : [Private] [Static] [HideBySig] [ReuseSlot] ( ) RVA : 0x000020e3 ImplFlags: [IL] [Managed] ( ) CallCnvntn: [DEFAULT] ReturnType: Void No arguments. Signature : Method #3 ( ) [ENTRYPOINT] MethodName: Main ( ) Flags : [Private] [Static] [HideBySig] [ReuseSlot] ( ) RVA : 0x000020f6 ImplFlags: [IL] [Managed] ( ) CallCnvntn: [DEFAULT] ReturnType: Void 1 Arguments Argument #1: SZArray String Signature : d 0e 1 Parameters (1) ParamToken: ( ) Name : args flags: [none] ( )

16 IL Code (HelloWorld.exe) 2 Method Table 1 PrintHelloWorld 2 PrintHelloWorld2 3 Main 4 -.ctor 1 PE Header EntryPointToken : 0x x20D0 Flags (Static, Private ) ImplFlags(IL, managed ) Signature Parameter List 3 4 Opcode Instruction 00 nop call 0x nop 2A ret

17 Opcode Opcode Instruction 00 nop call 0x nop 2A ret Format Assembly Format Description 28 < T > call methoddesc Call the method described by methoddesc. The call instruction calls the method indicated by the method descriptor passed with the instruction. The method descriptorisametadatatokenthatindicatesthemethodtocallandthenumber,type,andorderoftheargumentsthat havebeenplacedonthestacktobepassedtothatmethodaswellasthecallingconventiontobeused Easy to patch, we can change the metadata token in order to invoke another method, can be done with an hexadecimal editor. Eg. Convert 0x to 0x PrintHelloWorld to PrintHelloWorld2

18 Easy You said. class Program { static void Main(string[] args) { new PrintLib().PrintHelloWolrd(); } } Table Relation Opcode Instruction 00 nop A newobj0xa A call 0x0A nop 2A ret Icon Source: YouneedtomanipulatethemetadataandnotonlytheILcode What stobedone: 1. AddanentryintheTypeRef 2. AddanentryintheMemberRef 3. ModifytheILCodeofthemainmethod All operations will impact the binary and for sure the PE Header(Section size, directory, RVA )

19 Live Attack Managed EXE static void Main() { Console.WriteLine( Hello ); Console.WriteLine( Goodbye ); } Console static void WriteLine() JITCompiler static void WriteLine(string) JITCompiler MSCore.dll JITCompiler function { 1. In the assembly that implements the type (Console), look up the method (WriteLine) being called in the metadata. 2. From the metadata, get the IL for this method. 3. Allocate a block of memory. 4. Compile the IL into native CPU instructions; the native code is saved in the memory allocated in step Modify the method s entry in the Type s table so that it now points to the memory block allocated in step Jump to the native code contained inside the memory block. } Opcode Instruction 00 nop 17 ldc.i4.1 0A stloc.0 06 ldloc.0 2A ret Native CPU Instructions Icon Source:

20 Live Attack Example public Boolean IsValidPassword(String encryptedpassword) { if (encryptedpassword.equals("ironfzup0rbdw7heucgurg==", StringComparison.InvariantCultureIgnoreCase) == true) { return true; } } return false;.method public hidebysig instance bool IsValidPassword(string encryptedpassword) cil managed // SIG: E { // Method begins at RVA 0x2050 // Code size 31 (0x1f).maxstack 3.locals init ([0] bool CS$1$0000, [1] bool CS$4$0001) IL_0000: /* 00 */ nop IL_0001: /* 03 */ ldarg.1 IL_0002: /* 72 (70) */ ldstr "IRoNFZup0RbDw7heucGuRg==" IL_0007: /* 19 */ ldc.i4.3 IL_0008: /* 6F (0A) */ callvirt instance bool [mscorlib]system.string::equals(string, valuetype [mscorlib]system.stringcomparison) IL_000d: /* 16 */ ldc.i4.0 IL_000e: /* FE01 */ ceq IL_0010: /* 0B */ stloc.1 IL_0011: /* 07 */ ldloc.1 IL_0012: /* 2D 05 */ brtrue.s IL_0019 IL_0014: /* 00 */ nop IL_0015: /* 17 */ ldc.i4.1 IL_0016: /* 0A */ stloc.0 IL_0017: /* 2B 04 */ br.s IL_001d IL_0019: /* 16 */ ldc.i4.0 IL_001a: /* 0A */ stloc.0 IL_001b: /* 2B 00 */ br.s IL_001d IL_001d: /* 06 */ ldloc.0 IL_001e: /* 2A */ ret } // end of method Program::IsValidPassword Opcode Instruction 00 nop 17 ldc.i4.1 0A stloc.0 06 ldloc.0 2A ret

21 Protected Code Obfuscation : In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. public bool(string) { return.equals(.(195), StringComparison.InvariantCultureIgnoreCase); } VS Icon Source: WhatIhaveseen. Unicode(eg. Vs IsValidPassword) String Encryption(Inject a code for String Decoding Capture via a Library) PE Header Modification (Invalid number of data directories in NT Header!!! or SuppressIldasmAttribute or Multiple#GUID heaps)

22 Avoid bad practice Donotthink.Withthismysoftwareissecured Hashed(MD5, SHA, ) or Algorithm for public-key cryptography(rsa ) Secure transport(https) Obfuscation is my security Weakness arenotintheusageofsuchgoodelementsbuthowyouuseit!!!! Eg.AvoidSimpleTypes ILCodeattack Returnbool eg.checkpassword,isvalidpassword. ReturnString eg.gethash,getencryptedpassword. Eg. Structure Types Inject Assembly with the same signature Return a structure with some authorization Secure{ Int: SessionCount; Int: MaxPlugin; }.

23 Check this out Links Roslyn Project: Microsoft: Books Expert.NET 2.0 IL Assembler- Author: Serge LIDIN CLRviaC#-AuthorJeffreyRichter Tools Microsoft: ILDASM ILSpy: CFF: Reflector: Icon Source: Reflexil: Cecil: DigitalBodyGuard:

24 Questions Icon Source: Tell me and I'll forget; show me and I may remember; involve me and I'll understand.

25 Method ImplFlags Back

26 Method Flags Back

27 String (String Stream) Back

28 Table Relations TypeSpec Table ModuleRef Table TypeRef Table MethodImpl Table TypeDef Table MemberRef Table Method Table Param Table MethodSpec Table Constant Table FieldMarshal Table Back Drawing Source :.NET 2.0 IL Assembler (Serge Lidin) Metadata tables related to method definition and referencing