We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

.NET Malware Threats: Internals And Reversing

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
57
 Cite
 Share
 Related Material
 Download Purchase
No logo availableDEF CON
 Borges, Alexandre

Formal Metadata

Title
.NET Malware Threats: Internals And Reversing
Title of Series
Number of Parts
335
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
.NET malware is well-known by security analysts, but even existing many tools such as dnSpy,.NET Reflector, de4dot and so on to make the analysis easier, most professionals have used them as a black box tool, without concerning to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg. Unfortunately, .NET malware samples have become very challenger because it is so complicated to deobfuscated associated resources, as unpacking and dumping them from memory. Furthermore, most GUI debugging tools does an inside view of mechanisms such as CRL Loader, Managed Heap, Synchronization issues and Garbage Collection. In the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows to see code injections using .MSIL and attempts to compromise .NET Runtime keep being a real concern. The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and few reversing techniques. Alexandre Borges Alexandre Borges is a Security Researcher, who has been daily working on Reverse Engineering and Digital Forensic Analysis for many years. He has taught training courses about Malware and Memory Analysis, Digital Forensics Analysis and Mobile Forensics around the world. Furthermore, Alexandre is the creator and maintener of Malwoverview triage tool.
00:00
Information securityMalwareMultiplication signMalwareRoundness (object)TrailReverse engineering.NET FrameworkWeightInformation securityGoodness of fitComputer animation
00:42
Interior (topology)DialectData structureAssembly languageBootingMetadataModul <Datentyp>MalwareWell-formed formulaSpeciesInformation securityDigital signalHacker (term)Computer forensicsDependent and independent variablesMathematical analysisRead-only memoryWeightSlide ruleMaxima and minimaMenu (computing)Presentation of a groupConfidence intervalMultiplication signLine (geometry)CuboidSource codeJSON
01:20
Sample (statistics)Read-only memoryContent (media)Mathematical analysisCodeGroup actionMetadataComponent-based software engineeringInformation securityWeightBinary file.NET FrameworkMalwareRead-only memoryBinary codeRun time (program lifecycle phase)Intermediate languageAuthorizationCoroutineCartesian coordinate systemBitEncryptionError messageMetadataInformationWeightType theoryComputer animationSource codeJSON
02:56
Information securityPhysical systemMalwareWeightCodeStructural loadProcess (computing)InternetworkingComputer wormCodeComputer wormInternetworkingMachine code.NET FrameworkBitDrop (liquid)Formal languageCASE <Informatik>Process (computing)Structural loadMalwareMultiplication signRead-only memoryData managementEncryptionSource code
05:03
CodeInformation securityFunction (mathematics)Process (computing)Level (video gaming)Module (mathematics)Software testingPairwise comparisonRun time (program lifecycle phase)Assembly languagePointer (computer programming)Interface (computing)Time domainWeightElectric currentSlide ruleInjektivitätDifferent (Kate Ryan album)Read-only memoryCodeInverse elementMachine codeCASE <Informatik>Interface (computing)Structural loadInstance (computer science)Computer animation
05:56
CodeStructural loadElectric currentProcess (computing)Run time (program lifecycle phase)Interface (computing)Pointer (computer programming)Time domainWeightAssembly languageDomain nameCartesian coordinate systemRun time (program lifecycle phase)Computer wormInterface (computing).NET FrameworkMeta elementSource codeJSON
06:49
Visual systemWeightLogic gateReflection (mathematics)Extension (kinesiology)Formal languageMalwareSource codeCommon Language InfrastructureInformation securityRun time (program lifecycle phase)Physical systemPlasma displayMalwareAuthorizationLibrary (computing)SoftwareRead-only memoryProcess (computing)Source codeWeightFormal languageComputer animationSource codeJSON
07:39
Run time (program lifecycle phase)Core dumpMathematical analysisType theoryData structureMaizeMalwareInformation securityWeightCodeInheritance (object-oriented programming)Assembly languageCryptographyMalwareSource codeJSON
08:31
Information securityStructural loadFunction (mathematics)Field (computer science)ImplementationRing (mathematics)Physical systemReflection (mathematics)Assembly languageCodeControl flowInsertion lossMetadataCodierung <Programmierung>Reflection (mathematics)SequenceSocial classKontrollflussStructural loadString (computer science)FunktionalanalysisAssembly languageMultiplication signMalwareDot productComputer fileInformationCodeGame controllerComputer wormSource codeJSON
10:29
MalwareInformation securitySequenceAssembly languageBinary fileRun time (program lifecycle phase)SequenceMathematical analysisAssembly languageMalwareStructural loadComputer wormJSON
11:38
Point (geometry)Green's functionSpecial functionsGreatest elementSocial classMalwareFunktionalanalysisEvent horizonAssembly languageBuffer solutionCache (computing)Source codeException handlingDirect numerical simulation
12:26
Assembly languageVariable (mathematics)FunktionalanalysisCASE <Informatik>Machine codeUniform resource locatorHyperlinkAttribute grammarSource code
13:42
Table (information)Slide ruleInformation securityOvalFlagStack (abstract data type)Fluid staticsMachine codeSign (mathematics)CodeIntermediate languageTable (information)FunktionalanalysisImplementationGreatest elementNumberSubject indexingData managementMetadataFlagComputer fileCASE <Informatik>
14:50
Information securityGamma functionLengthAssembly language1 (number)InformationMalwareReflection (mathematics)CodeRun time (program lifecycle phase)System callMalwareComputer fileAssembly languageCASE <Informatik>InformationGreatest elementStructural loadContent (media)Flow separationBitSystem callPoint (geometry)Run time (program lifecycle phase)CodeIntermediate languageReflection (mathematics).NET FrameworkSource code
15:42
Information securityCodeWeightMachine codePlastikkarteAssembly language.NET Framework.NET FrameworkDrop (liquid)Intermediate languageMalwareEncryptionStructural loadCodeDirect numerical simulationPlug-in (computing)BitMetadataCASE <Informatik>WeightSource code
17:06
Information securityModule (mathematics)Transport Layer SecuritySimilarity (geometry)CodeSocial classControl flowWeightFluid staticsConstructor (object-oriented programming)Gamma functionSpywareInclusion mapMalwareHookingJust-in-Time-CompilerCodeFunktionalanalysisRun time (program lifecycle phase)Constructor (object-oriented programming)Social classAuthorizationEncryptionWeightHacker (term)Flow separation.NET FrameworkCompilerSource codeJSON
19:08
WeightInformation securitySocial classAssembly languageRun time (program lifecycle phase)CompilerIntegrated development environmentEuclidean vectorData structureMetadataInformationComputer fileAttribute grammarCode.NET FrameworkMalwareEmailCodeInformationMetadataCartesian coordinate systemComputer animationJSON
19:54
Information securityModule (mathematics)InformationCodeToken ringEmailRevision controlTrailType theoryFormal languageObject (grammar)CompilerAssembly languageWeightModul <Datentyp>Computer fileLinker (computing)Machine codeSheaf (mathematics)MetadataCompilerIntermediate languageComputer file.NET FrameworkEmailRevision controlView (database)Machine codeJSONComputer animation
20:52
Sample (statistics)Table (information)Field (computer science)Module (mathematics)Computer fileAssembly languageComa BerenicesCodeInformation securityMetadataEncryptionConstructor (object-oriented programming)Function (mathematics)Component-based software engineeringData typeCategory of beingEvent horizonCASE <Informatik>InformationMetadataMalwareConstructor (object-oriented programming)CodeSocial classFunktionalanalysisTable (information).NET FrameworkBitComputer animationJSON
21:45
Information securityDefault (computer science)OvalString (computer science)Parameter (computer programming)Fluid staticsFlagSocial classMIDIVisualBASICTable (information)FlagTouchscreenCASE <Informatik>MalwareCodeIntermediate languageMetadataBitInformationType theoryReal number.NET FrameworkSource codeJSON
22:24
Information securityView (database)StatisticsEmailCodeInformationSocial classDatabaseMetadataTable (information)Attribute grammarMetadataRelational databaseInformationRight angle
23:18
Social classInformation securityMetadataDatabaseTable (information)Attribute grammarObject (grammar)Equals signString (computer science)Boundary value problemStreaming mediaBinary fileInformation managementData compressionMetadataHash functionString (computer science)Streaming mediaMemory managementTable (information)Meta elementElectronic mailing listToken ring1 (number)Source codeJSON
24:20
Assembly languageProcess (computing)CoprocessorData typeSocial classComputer fileInformation securityTable (information)Subject indexingMetadataToken ringModule (mathematics)Logical constantAttribute grammarField (computer science)Event horizonCategory of beingSemantics (computer science)View (database)StatisticsString (computer science)Interface (computing)Memory managementStatisticsInformationMetadataData structureTable (information)Rule of inferenceString (computer science)Intermediate languageWeightAssembly languageSource codeJSON
25:04
Assembly languageDirectory serviceMachine code.NET FrameworkIntermediate languageCodeAssembly languageCartesian coordinate systemMalwareBitWeightFormal languageStructural loadStack (abstract data type)Compilation albumSampling (statistics)Surjective functionJSON
26:17
Information securityWeightAssembly languageMalwareSample (statistics)Uniform resource locatorType theoryBinary fileElement (mathematics)Hill differential equationComputer fileSampling (statistics)AuthorizationWeightHeegaard splittingMalwareAssembly languageMultiplicationBitOrder (biology)Computer animation
27:06
PermianType theoryFunction (mathematics)Module (mathematics)View (database)HookingCompilerMultiplicationMalwareMenu (computing)InjektivitätInformation securityWeightAssembly languageMetadataTable (information)Normal (geometry)Computer programmingLibrary (computing)Operator (mathematics)Endliche ModelltheorieMalwareInjektivitätMetadataFlow separationCASE <Informatik>Table (information)Computer animationSource codeJSON
27:42
Assembly languageInformation securityRevision controlMetadataModule (mathematics)Physical systemVisualBASICModul <Datentyp>Arc (geometry)Malware2 (number)Endliche ModelltheorieAssembly languageGreatest elementTouchscreenString (computer science)CASE <Informatik>Source code
28:22
MetadataAttribute grammarInformation securityOvalInstance (computer science)Assembly languageCompilerHash functionAlgorithmConstructor (object-oriented programming)Run time (program lifecycle phase)Service (economics)Reflection (mathematics)Computer-generated imageryLengthForm (programming)Module (mathematics)Electronic signatureAlgorithmTouchscreenAssembly languageAttribute grammarFlow separationComputer fileMalwareGreatest elementReal numberSource code
29:03
Information securityMalwareFunction (mathematics)CodeAssembly languageModule (mathematics)Computer programModulo (jargon)InjektivitätAlgorithmHash functionRevision controlFlagData typeRun time (program lifecycle phase)Physical systemConstructor (object-oriented programming)Sign (mathematics)Instance (computer science)OvalLengthAssembly languageGreatest elementProcedural programmingPublic-key cryptographySource codeJSON
29:41
Information securityLevel (video gaming)Library (computing)Assembly languageMalwarePhysical systemSample (statistics)Computer configurationSystem programmingPartial derivativeSystem administratorWindows RegistryInstallation artPublic-key cryptographyMalwareAssembly languageMachine codeAuthorizationCache (computing)Arithmetic meanSign (mathematics)Utility softwareCodeInstallation artYouTubeSource codeJSON
31:09
Assembly languageCompilerDirectory serviceVariable (mathematics)Integrated development environmentLibrary (computing)Computer programHash functionInformation securitySample (statistics)Hacker (term)MetadataProxy serverElectric currentModule (mathematics)SpacetimeIdentity managementString (computer science)CodeUnicodeSequenceEnumerated typeFlagConstructor (object-oriented programming)Instance (computer science)Field (computer science)Social classRun time (program lifecycle phase)Read-only memoryMalwareMathematical analysisFunction (mathematics)Pointer (computer programming)OvalProcedural programmingMultiplication signSingle-precision floating-point formatSlide ruleIntermediate languageSource codeJSON
31:48
FlagAssembly languageMechanism designElectronic signatureSocial classVirtual realityCodeImplementationLine (geometry)System callRevision controlInformation securityOvalInstance (computer science)Fluid staticsInterface (computing)String (computer science)Ring (mathematics)Function (mathematics)Extension (kinesiology)Hydraulic jumpSimilarity (geometry)Stack (abstract data type)Electric currentInheritance (object-oriented programming)AliasingFormal languageModule (mathematics)Computer-generated imageryRun time (program lifecycle phase)Constructor (object-oriented programming)Service (economics)CompilerVariable (mathematics)Client (computing)Field (computer science)Socket-SchnittstellePhysical systemStreaming mediaType theoryRead-only memoryBootingMalwareLine (geometry)Machine codeDifferent (Kate Ryan album)Constructor (object-oriented programming)CodeJSONSource code
32:32
Information securityClient (computing)Attribute grammarStatement (computer science)Constructor (object-oriented programming)Instance (computer science)OvalMachine codeService (economics)CompilerRun time (program lifecycle phase)Structural loadObject (grammar)Fluid staticsStack (abstract data type)Exception handlingOperator (mathematics)Stack (abstract data type)Instance (computer science)Structural loadGreatest elementFlow separationData managementCodeException handlingImplementationMachine codeSource codeJSON
33:24
SynchronizationOvalAriana TVInformation securityProcess (computing)Instance (computer science)Exception handlingStructural loadPhysical systemVisualBASICCompilerService (economics)Fluid staticsSystem callSpacetimeVirtual realityField (computer science)HookingInformationKeyboard shortcutRun time (program lifecycle phase)Data structureLine (geometry).NET FrameworkCodeMalwareHookingKeyboard shortcutOperator (mathematics)Declarative programmingCASE <Informatik>Event horizonKey (cryptography)Source code
34:13
Instance (computer science)OvalSurjective functionFluid staticsStructural loadEvent horizonInformation securityMachine codeWorld Wide Web ConsortiumFamilyVirtual realityParity (mathematics)Keyboard shortcutStack (abstract data type)Variable (mathematics)HookingRun time (program lifecycle phase)Constructor (object-oriented programming)Software testingFunction (mathematics)Pointer (computer programming)Parameter (computer programming)Equals signLoop (music)Generic programmingPhysical systemFunktionalanalysisMalware.NET FrameworkEvent horizonKey (cryptography)Constructor (object-oriented programming)Source codeJSON
34:56
Instance (computer science)Constructor (object-oriented programming)Information securityFluid staticsMathematical optimizationMachine codeOvalMIDIPhysical systemData modelText editorEuclidean vectorForm (programming)DebuggerFunction (mathematics)String (computer science)Game theoryLoop (music)Local ringComa BerenicesMalwareStructural loadException handlingEncryptionStack (abstract data type)Run time (program lifecycle phase)WeightCache (computing)Assembly languageFile viewerProcess (computing)Just-in-Time-CompilerCodeLibrary (computing)Plasma displayTask (computing)Execution unitEncryptionFunktionalanalysisLine (geometry)String (computer science)MalwareStructural load.NET FrameworkHookingProcedural programmingProcess (computing)Machine codeJust-in-Time-CompilerGreatest elementCompilerSource codeJSON
36:24
Information securitySmith chartWeightRun time (program lifecycle phase)Computer configurationKey (cryptography)Virtual machineComputer programService (economics)Task (computing)Scripting languageSoftware frameworkLibrary (computing)Directory serviceRobotCASE <Informatik>Cartesian coordinate systemSign (mathematics)BootingPublic-key cryptography.NET FrameworkDirectory serviceCodeAssembly languageTask (computing)Source codeJSON
37:59
MIDIComputer-generated imageryInformationElectronic signatureAssembly languageWeightCodeDirectory serviceWindows RegistryLocal ringGastropod shellMalwarePersonal digital assistantType theoryMaizeProcess (computing)Service (economics)Data managementPhysical systemTelecommunicationWebsitePoint (geometry)Assembly languageMachine code2 (number)CASE <Informatik>Just-in-Time-CompilerMalwareSource codeComputer animation
38:41
Domain nameCodeExtension (kinesiology)MalwareWeightCore dumpDirectory serviceInformation securityProcess (computing)Time domainPhysical systemDefault (computer science)Point (geometry)BootingHydraulic jumpSystem callAssembly languageOrder (biology)Extension (kinesiology)Source codeDisassemblerPoint (geometry)Core dumpPointer (computer programming)FunktionalanalysisBinary fileDomain namePhysical systemAssembly languageCASE <Informatik>Source codeJSON
39:33
MaizeInformation securityPhysical systemTime domainOpen setLevel (video gaming)Assembly languageProcess (computing)Module (mathematics)Visual systemRun time (program lifecycle phase)Data managementThread (computing)Exception handlingElectric currentVisualBASICString (computer science)Web serviceWindows FormsForm (programming)System callMalwareVisualization (computer graphics)Physical systemDomain nameForm (programming)Assembly languageException handlingSampling (statistics)Thread (computing)TrailGreatest elementSource code
40:21
Time domainComa BerenicesData modelCountingThread (computing)Single-precision floating-point formatInformation securityRun time (program lifecycle phase)Assembly languagePhysical systemState of matterComputer configurationInformationContext awarenessMultiplicationThread (computing)Address spaceJust-in-Time-CompilerSpeicherbereinigungTrailSource code
40:58
CodeJust-in-Time-CompilerAddress spacePointer (computer programming)Information securityString (computer science)Social classModule (mathematics)Price indexPhysical systemWindows FormsMIDIVisualBASICWeb serviceThread (computing)Electronic visual displayInformationData structureForm (programming)Euclidean vectorTable (information)International Date LineJust-in-Time-CompilerFunktionalanalysisAddress spaceAssembly languageCASE <Informatik>InformationSocial classMeta elementSource codeJSON
41:41
Information securityInstance (computer science)Physical systemForm (programming)Inheritance (object-oriented programming)Social classTable (information)Data structureInformationTotal S.A.Identity managementThread (computing)State of matterCountingData typeField (computer science)Boolean algebraFluid staticsContext awarenessHash functionRevision controlKey (cryptography)Social classInstance (computer science)Field (computer science)Data structureInformationTable (information)Type theoryRight angleHash functionSource codeJSON
42:28
Information securityInformationCore dumpSocial classModule (mathematics)Cartesian coordinate systemPhysical systemData structureSimilarity (geometry)Machine codeTable (information)Data typeWindows FormsMathematicsEquals signObject (grammar)Form (programming)Context awarenessAssembly languageAddress spaceAttribute grammarInheritance (object-oriented programming)Time domainLevel (video gaming)Coma BerenicesOperations researchInformationTable (information)Endliche ModelltheoriePreprocessorFunction (mathematics)Assembly languageInheritance (object-oriented programming)Domain nameBitSource codeJSON
43:10
Information securityAttribute grammarAssembly languageModule (mathematics)MetadataAddress spaceConvex hullHookingLattice (order)ComputerClient (computing)Form (programming)Keyboard shortcutType theoryJust-in-Time-CompilerMachine codeCodeCore dumpNumberTable (information)Token ringEncryptionPhysical systemEquals signConstructor (object-oriented programming)String (computer science)MetadataData structureTable (information)Social classInformationSource codeComputer animationJSON
43:48
Data structureInformationInformation securityModule (mathematics)Table (information)Client (computing)String (computer science)Total S.A.Social classInstance (computer science)Physical systemToken ringJust-in-Time-CompilerCodeData typeField (computer science)Formal languageMereologyInformationControl flowGreatest elementPoint (geometry)Field (computer science)Object (grammar)Source code
44:28
Information securityElectronic visual displayPhysical systemArray data structureCore dumpObject (grammar)Electric currentThread (computing)Element (mathematics)RankingData typeNumberInstance (computer science)Message passingEvent horizonTouchscreenInstant MessagingSynchronizationString (computer science)Table (information)Group actionComputer networkTrigonometryBoolean algebraField (computer science)Electronic mailing listDean numberChainMaxima and minimaResource allocationContext awarenessMemory managementSlide ruleStack (abstract data type)RootInformationForm (programming)VisualBASICProgrammable read-only memoryObject (grammar)CASE <Informatik>FunktionalanalysisData structureInformationMemory managementSlide ruleRootQueue (abstract data type)Source codeJSONTable
45:11
Queue (abstract data type)Object (grammar)Information securityInterface (computing)VisualBASICRun time (program lifecycle phase)Context awarenessPhysical systemData managementStatisticsForm (programming)HookingKeyboard shortcutComputer fontCountingSocial classTotal S.A.Windows FormsComa BerenicesWrapper (data mining)InformationThread (computing)Sample (statistics)DeadlockAddress spaceLengthString (computer science)Core dumpFreewareBlock (periodic table)SynchronizationPrice indexClient (computing)RecursionCausalityMemory managementMalwareBlock (periodic table)Thread (computing)Greatest elementInvariant (mathematics)Read-only memoryString (computer science)DeadlockSource codeJSON
45:49
Event horizonThread (computing)Physical systemInformation securityObject (grammar)Fluid staticsData typeField (computer science)SynchronizationInstance (computer science)Identity managementBoolean algebraInformationLatent heatStatisticsData storage deviceAddress spaceCountingFluxMemory managementSocial classKeyboard shortcutHookingSoftware testingCore dumpFunction (mathematics)MetadataModule (mathematics)Table (information)Resource allocationJust-in-Time-CompilerGreatest elementString (computer science)Memory managementHookingKeyboard shortcutSocial classJust-in-Time-CompilerSource codeJSON
46:31
Core dumpInformation securityPhysical systemRun time (program lifecycle phase)SynchronizationCellular automatonMenu (computing)WindowExecution unitMIDISystem callInformationString (computer science)Assembly languageIntermediate languageString (computer science)Trojanisches Pferd <Informatik>Read-only memoryPoint (geometry)InformationControl flowComputer virusTotal S.A.Source codeJSONComputer animation
47:15
Link (knot theory)WebsiteUniform resource locatorInformation securityRepeating decimalSample (statistics)ExplosionTotal S.A.Computer virusWebsiteUniform resource locatorDomain nameTheory of relativityFlow separationComputer animation
47:59
Hill differential equationDigital signalProcess (computing)Computer animation
Transcript: English(auto-generated)
00:00
Alright! I am really excited to introduce Alexandre again. He spoke in my track last year and did a bang up job. Last year was his first time speaking at any kind of big conference at all. Since then he's gone on quite the world tour, he went to China, he went to Hack in the Box, he spoke in Europe and now he's back here to speak again. Let's give
00:20
Alexandre a big round of applause. Have a good time my friend. Thank you so much. Yeah. Hello guys, good afternoon. Let's talk about dotnet malware reversing. Uh it's a pretty easy uh talk. I think so. Uh I'm a secret research. Uh here is our agenda about uh about my
00:52
presentation. Here uh you have my last presentations on confidence, Defcon China, Hack in the Box, Amsterdam and Defcon last year. I recommend you take some time to read it.
01:08
Uh in the last line uh you see my tool, my personal 3H2 uh malware virtual. Uh if you have some free time uh you you can test it. Okay let's start. Uh there are lots of
01:26
people here. Honestly once again I was expecting 10 out of 12 people. Uh because most malware analysts don't like uh dotnet malware. So uh uh basically malware analysts uh while
01:43
uh analyzing dotnet malware are concerned to unpack uh a binary from memory or uh find the the encryption routine in a dotnet malware or even to uh decrypt resources embedded in
02:01
this kind of malware. But according to my experience, dotnet uh dotnet malware is uh can be so challenging because uh sometimes advanced uh authors uh advanced malware authors try to
02:20
modify uh the dotnet malware, the application directly in the intermediate language. And uh I've been uh I've been checking and analyzing some errors in dotnet uh which try to attack the dotnet runtime. So uh it's recommended to learn a bit more uh on
02:48
intermediate language and uh some uh information about the metadata in dotnet runtime. Uh most of the time uh we find uh dotnet malware's uh around the world. And we have uh
03:12
base uh usually uh native code uh sorry uh native code. Uh native code uh uh dotnet uh uh managed code load uh uh native code on the memory. This is the common
03:28
scenario. But sometimes things can be worse. Uh sometimes things can be a bit more complicated. You see this is a real case uh that I faced uh some month ago. The
03:46
suspect uh receive NMA, click on the link, drop uh uh a first dropper. This dropper uh fetch uh first payload on the internet. This payload is composed by two pieces. One piece
04:08
is uh uh native code. The other piece is encrypt managed code. This uh uh uh first piece in native language in native code is inject in into another process in a remote
04:26
process. Once this code is injected uh this code load the first managed code equipped and load. This managed code fetch uh second stage from the internet. The second
04:45
stage is the real payload and the infection starts. So since uh things can be harder uh than uh than usual case. And I try to show in pictures here. Uh I don't need to show
05:08
again how to make injection. Injection is so easy. I try to show here in this slide. This slide is a kind of refresh about injections. Uh I I won't explain it because it's pretty
05:23
easy. But as I mentioned, things can be different. For example, I told you that usually I have uh uh managed code loading uh native code uh on the uh into the memory. But
05:44
sometimes sometimes things are the inverse. I have uh native code loading uh managed code into the memory. In this case for example, I have I use the CLR creation instance to get
06:00
uh interface name in the ICLR meta host. From this interface I use the get runtime to get another interface name in the ICLR runtime if. From this interface I use a new method named get interface to load the runtime. At for afterwards I use the execute
06:28
application to activate the domain. I start the runtime using the start method. And finally, I use the executing the full application domain to start the real application.
06:45
The real infection. The real payload. As you know, a dot net framework is composed by a runtime, CLR, and some libraries. Uh malware authors uh can write uh memories using
07:05
different languages uh such as uh C sharp, F sharp, uh VB dot net, and so on. Uh basically uh G source codes are compiled into a common language in uh infrastructure. And finally,
07:20
run by the CLR. Uh we we have several excellent tools to analyze dot net um mirrors. I try to list some of them here. I usually then, I try to list some of them uh daily in my daily job. Personally, I also use some uh additional tools that I try to
07:47
show you here in red. Uh these are great tools to analyze dot net mirrors and reverse some of them. Uh of course, uh you must know that most dot net most dot net
08:03
mirrors uh use some kind of packers or cryptos. So, we, I, I, I try to show you some of them here. Uh a petition that the last one VM protect 3 dot 40 uh was released I, I
08:22
believe one or uh 2 weeks ago. And now uh it includes uh dot net obfuscation. When you are uh working with dot net mirrors uh you should uh or you must try to remember that
08:42
most of them uh are using obfuscators. And obfuscators can. Obfuscate, uh obfuscating the control flow. These obfuscators try to rename methods, attributes, classes and so on. Some of them uh encode all of the strings of course. Uh try to encode and uh obfuscate
09:08
the cross reference. You know, it's so complicated to analyze this kind of uh code uh while you're using uh any kind of obfuscators. So, it's very important that you know about
09:22
that. When uh, when I'm analyzing a dot net mirror, you, you sure? You sure? You usually I see the same functions load the payloads. In this case, I try to show you in green here. Uh assembly dot load, assemble dot load file and method info dot invoke is
09:49
almost, almost, almost the same things. Uh uh it, most time it's uh we see a kind of reflection approach. And uh when you see uh a reflection approach, you, you, you see a
10:07
sequence similar to that. Uh I'm using load or load file followed by get type, get method and invoke the method. So, reflection is uh is so used uh during uh dot not,
10:23
dot net mirrors. So, uh it's a very common approach. Another approach, another possible, possible approach is using get assemble name plus get type, get method, invoke again. As
10:42
most mirrors uh have been using resources or uh these dot net mirrors try to hide uh some data or payload into resources. You see uh sequences like this one in pink. Uh find
11:02
resource, size of resources and so on. Sometimes uh you see uh other sequences like this one in orange. When uh malicious dot net assembly uh uh is trying to load some
11:22
external DLL. All of, all of these approach are based on uh trying to load something in runtime to evade your static analysis. Here I, I'm showing you uh first very basic
11:45
mirror. I open in DNS pi. We have the entry point. Uh uh we have the entry point. Uh there in green. I click on the entry point. I find a class named the parnable buffer
12:05
cache event source. Inside this class I see the main function and, and at the bottom I see our potential malicious function named target invocation exception. Follow this
12:25
function. I see that this, this very special function is trying to load uh an assembly. And this function are using a URL to load this assembly but in this case the web link comes
12:44
from several attributes. For example, I took one, the first one. Uh and I checked that this attribute is being set by gearing uh new assembly using get execute assembly here at
13:06
bottom. This function is trying to read uh resource. This resource is encrypted and when you decrypt the resource you see uh p, p is executable. So, this is, this is the
13:25
variable. So, uh each uh each of these uh variables are, are related to a resource that represent a possible or potential malicious native code. Here uh I'm showing the same
13:47
code but uh using intermediate language as, it's similar. You see the main function, the
14:00
end point. You see at right our function, our malicious function. We have a token, uh token is that number 0 6. And this talk uh works uh a kind of index inside uh metadata
14:21
table named member reference table there. And when uh when I try to uh follow it, I find uh our function here at bottom and more details are expanded. As you see, implementation flags are IL intermediate language and managed because I'm handling,
14:49
I'm managing code. This uh, this is uh manifest. A manifest in this case is a file that will, will wrap up everything. In this case, you can see, you can see the
15:02
assembly name, you can see several managed resource related to uh embedded resource and at bottom, you can see further information about this matter. As I mentioned before this
15:20
point, uh this malware is using reflection to load malicious contents at runtime. So, you can see here several calls to get execute assembly methods and several points in this intermediate language code. Sometimes you, you are facing um bit harder uh dotnet malware
15:52
uh and this malware uh brings some uh encrypted resource so you can. Use DNS spy or
16:03
other uh tool, drop this resource, decrypt it and using reflex, reflex is a kind of plug-in. You can add the original code and load the resource, the equipped resource to analyze
16:26
the malware. In this case, you must through remove, you must remove the old resource. References because the old reference are reference uh the equipped resource. So, in this case, you drop the resource, decrypt it, delete the original dotnet malware, load again and
16:49
that's it. You can analyze your dotnet malware uh using this uh this technique. Of course, it's always recommended to know a bit more uh intermediate language and uh
17:03
of course, metadata. I, I, I think that about 9% of case dotnet malware or dotnet malware
17:30
authors trying to insert some malicious code in our initializers or finializers. In this
17:41
case, for example, usually I try to check uh every uh class constructor, uh every to find or uh unpacker or decryptor or any kind of uh hooking code. It's very usual, for example, in the last few weeks, I've been seeing uh several dotnet malware trying to
18:06
compromise the JIT. Uh in this case, these uh these special malware, these special malware trying to uh hook this function compiler uh sorry, compile methods uh to compromise
18:24
the JIT. In this case, when the JIT uh generates the native code, uh this, this special malware can hide or uh encrypt user code in runtime. For example, in this case, I try
18:42
to see the class constructor. There, usually, I found uh I find some uh some hooking code. This hooking code try to compromise the compile methods and by uh using this trick uh the malware can or hide or encrypt the user code. It's a very clever technique. There
19:09
are other uh dotnet uh details here. Most dotnet malwares bring some very important uh
19:23
metadata. So, metadata basically are information about classes, attributes, members, usually uh usually you uh get very valuable in information from metadata. Uh a dotnet application, as you see, is composed by a managed decoder and a managed code. It's not so
19:46
hard to analyze this kind of code, but you need to uh have some uh uh some guidelines to do that. For example, a managed code is composed by a P header, of
20:02
course, CLR header, metadata, and intermediate language. In this case, I have the compiler here, uh I I have the managed uh models, I have the resource files that uh are compiled to uh final version uh composed by a manifest, a managed models, and a resource
20:26
file, uh and a resource file. In using pictures, you see that uh uh dotnet header is composed by P header, CLR header, CLR data, and natively code. And at the right side, you
20:48
can see the same picture, but in a detailed view. Metadata is very important because there uh I can find very uh valuable things and information. Metadata in this case is
21:05
composed by definition tables, reference tables, and manifest table. Uh there are several tables inside of these uh these classes. And you should remember that all the dotnet
21:21
malware infection try to use one of these tricks, or code manipulation inside the class constructor, or faf analyzer, uh try to load some ameliorating function, uh a
21:41
component. So, the tricks are the same, always the same. Here is a second case, a bit more complicated case. This is a real dotnet malware. I'm I'm showing here the intermediate language and the metadata information. As you see, you see the name, type
22:09
def reference table. You see the method name, in this case man, and the flags. In this case, I'm I'm using the IO desk uh to show this screen. As you see, the real manage code is
22:27
so small, less than 5%. Metadata is so important because as I told you, describes some
22:43
information about members, attributes, properties, classes, and so on. And this metadata uh is organized uh by using a kind of relational database. And it's so interesting because, you see, I have a table. Uh 1, 2, 3, 4, 5 slots. Each slot is
23:07
dedicated to a class. And each slot tell me with methods, with the methods, with the method, belong to this class. At right. Uh, this metadata are organized in, named
23:25
strings and classified in metadata, in metadata heaps and metadata tables. Metadata, uh, metadata heaps is so easy because they are, are only concern is about strings. So, a
23:46
six-name streams. We have uh hash US, uh, is related to user strings. And hash dash is a kind of uncompressed metadata streams. So, I, I believe that uh, these uh, two months are
24:07
the most important. When I talk about uh, metadata table, we have several tables. It's almost impossible to remember everyone, every table. You see, I list the, all the tables
24:24
here. And uh, since here works using a token. A token is a kind of structure composed by 4 bytes. The first byte determines the table. The remaining 3 bytes tell us the role
24:44
inside this table. Here I show you uh, some statistics information about metadata. And at bottom, I show some user strings that I commented about the name strings.
25:09
Intermediate language in dot net is a kind of uh, asthma language based on stack. So, you see several instructions. Uh, load something onto a stack or pop something from stack, from
25:26
stack. You see uh, uh, very usual application or two, named, named lg. And lg is uh, executable to compile, to compile uh, intermediate language code into a native code. It's so easy
25:43
to do that. But, in the last 3 years, I've seen several malware trying to attack the dot, the dot net framework. In this case, uh, this kind of uh, infection are a bit more
26:02
complicated. We have several uh, we have several uh, kinds of dot net members, but assemblies are classified in private assemblies and shared assemblies, of course. Uh, you
26:20
should remember that most malware samples uh, try to hide some malicious content and resource. Hide by encrypting or obfuscate something. Uh, some dot net malwares try to download uh, an external assembly from somewhere. And other uh, dot net malwares are based
26:49
on multiple files. In this case, it's a bit more complicated because these authors tried to compose the dot net assembly in uh, in a split over multiple files uh, to evade
27:04
the defenses. It's so easy to generate a multiple file dot net malware. For example, I show you here, uh, step by step. In this case, it's so easy, uh, I compile, for example, uh, hooking dot cs model. I compile injection dot cs. And using uh, uh, a main program named
27:28
defqon dot cs, I generate a library named uh, malware lib here. It's so easy to do that. Of course, this operation took several metadata tables, uh, but it, it's normal.
27:44
Here, uh, we have uh, real manifest about our second malware. You see, some native models being loaded at bottom. Some external reference to assemblies. And at this case,
28:04
in, sorry, in this case, our uh, our assembly is uh, strong assembly because uh, it uh, it is uh, uh, it's signed by a private uh, key from somewhere. The second screen here, you
28:27
see the driver, uh, the assembly name. You see several custom attributes. You see that uh, designer is using SAG, SAG1 algorithm. You see several managed resource being used. And uh,
28:53
at bottom, you see that the, uh, the real name of this malware is Mikrotik, real tech
29:01
driver dot cs. I show you here how to compile. Uh, final is decutable and uh, C sharp is pretty easy. If you have a key pair, you can sign, uh, this assembly by using this
29:26
procedure here at bottom. After signing this dot net assembly, you can see the public key there in red. During some infections, uh, I've seen uh, native, native uh, uh,
29:53
codes trying to copy uh, dot net assembly to GAC. GAC is global, means global assembly
30:02
cache. In this case, the author uh, was trying to execute the native code, copy the managed code to GAC because other pieces of this malware uh, would use uh, would use uh, the, the shared assembly in the GAC to continue the infection. It's a kind of second
30:29
stage. It's pretty easy to copy to that uh, because you can use GAC YouTube there in orange. Or you can use the MIC package to do that. Of course, uh, to copy anything to
30:49
GAC, you need to have uh, key pair to sign your dot net assembly. If you don't have one, you can use the, only the public key and trying to uh, delay signing. In, in this case, you
31:05
will uh, sign the dot net assembly, only use the public key. Uh, to do that, you can follow this procedure. You can add some resources by using slash, slash, slash, slash. You can add some references by using slash references, it's pretty easy. Of course, uh, I don't
31:29
have enough time here to show you uh, how to uh, uh, to explain every single instruction in intermediate language. So, I left some, some slides here showing it important
31:44
instruction in intermediate, in intermediate language. Uh, I don't have enough time to do that, unfortunately. And here, I show you a real, real malware. Uh, is the same malware, so
32:02
I try to comment several lines. Of course, you must know about C sharp, uh, to understand this code. Uh, here, we don't have anything different from our C sharp code, but uh, the names and, and the keywords are a bit different. You have uh, public uh, class,
32:26
you have a private class, you have a solid class, you have a constructor here, a C part, you have some private fields, we have uh, some stack reservation there, max stack. You have several operations, load things to stack and pop things from the stack.
32:48
You have custom, custom instance here at bottom. You have private class, you have uh, uh,
33:00
invocation of a native code in, in the middle here. You see, uh, invoke implementation here, trying to call uh, a managed code. You have here, at bottom, uh, an uh, an uh, local variable being initialized with zeros. We have a try, a try catch uh,
33:29
structure. So, it's so similar to uh, C sharp code. I try to comment several lines here, uh, to help you later. You have, for example here, heh, our, our dotnet malware
33:46
are interesting in get our uh, keystrokes. You see, uh, uh, in this case, malware is trying to hook uh, some uh, keyboard operations. Uh, as you see, uh, the dotnet malware is
34:05
trying to hook the keyed out event and key up event. So, uh, it's a kind of key logger. At bottom here, we have uh, some event declaration. Uh, in, in this case, our
34:24
dotnet malware is trying to subscribe some functions, uh, on, on this event. Uh, at bottom, key down, at up, uh, key, uh, key up. And finally, uh, our dotnet malware is
34:49
using aggregate, uh, uh, to invoke this event. So easy to do that. Several, uh, constructions
35:00
being called here. Oh, finally, I found the decryption function. This function is responsible for decrypting several strings from this malware. As you see, I try to comment
35:22
line by line or the most important line here. Uh, you can, you can try to monitor all DLLs load, uh, from the GEC by using first lock or even process monitor. But, uh, as
35:43
I told you, uh, some advanced malware is trying to compromise the dot, the dotnet framework. Uh, try to insert some hookings. Uh, even trying to compromise the JIT, so it is, uh, uh, just kind of more, are, more dangerous. Uh, here, at, at bottom, I show you the
36:06
complete procedure. For example, I can copy a DLL from GEC, modify, uh, recompile, uh, to the native code and copy back again to the GEC. It's so, it's so easy, pretty easy
36:23
to do that. Of course, uh, nothing is so simple to do that. I need to, I, I need to, uh, have, uh, sign it assembly. And, as I don't have the private key from the Microsoft,
36:43
it's so complicated to do that. Uh, other approach, it would be to, uh, re-sign all the dotnet framework, it's so hard to do that. I can try to, uh, co-op the, the modified DLL, uh, to GEC, but if, uh, some applications or services, uh, are using this, uh, DLL, it's
37:09
not possible. I can try to force a reboot to make this copy. And, even that I get to do that, I need to force, uh, my current applications using this modified DLL. So, in
37:28
this case, I need to uninstall any move, the native, uh, uh, code from the native directory. Case meet, uh, show a very, uh, interesting way to do that. Case meet, uh, uh,
37:45
show a very nice trick by, by copying, by dropping assembly to Geth path tasks, uh, dot DLL, to force, uh, applications using my modified DLL. I can try to, for example, I have, uh, I
38:03
have, uh, register, uh, composed by two entries. One entry, uh, is pointed to, uh, the assembly code. The other entry is point to the native code. In this case, I try to change the second entry to, uh, to point to my modified DLL is, uh, another approach here. Some, uh,
38:26
some dot net malware try to co-compromise services, try to, uh, introduce some hooking in Geth. Some DLL, uh, some dot net DLL try to load external assemblies. So, there are
38:41
several tricks. Of course, uh, I've been using win-the-back to analyze, uh, this kind of dot net malware, uh, using, uh, an extension like SLSX. And, uh, here, I show you, uh, complete approach. For example, here, here, I load the, the extension SLS, uh, uh,
39:04
SLS dot DLL. I found the native enterprise, uh, the, the, uh, the, uh, the, uh, managed in, in two points. I disassembled the entry point. I found the PE entry point there
39:21
by using dump bin. Uh, I try to display the pointer and finally, I find, uh, the core easy man, uh, function by disassembly. I can dump the domain. In this case, uh, I see the system domain. I see the shared domain. I see our domain that, uh, uh, from our
39:45
malware. I see several calls to external assemblies, visual base, sitting the, the allows, forms and so on. I list, uh, some manner exception. I can try to switch, uh, the
40:06
threat, for example. In this case, I switch to threat 0. I dump the managed stack trace here. I found our dot net, uh, mirror at bottom. I list some managed threats by using,
40:26
uh, managed threats here. As you see, you can see that threats, uh, threats 0, 2, 5, 10 and 14 are managed threats. All of them are managed by garbage collector. I list the
40:47
native, the native stack at bottom using key N. I pick up, uh, an entry there. I check that if this address belongs to the JIT code, yes, this case belongs. I pick up the,
41:09
metadescriptor reference. I disassemble it, so we have the disassembly, uh, uh, function here. I check the managed attack again. I pick up, uh, object address. I check it again,
41:26
if this address belongs to the JIT. Yes, again. I dump the metadescriptor information here. I pick up the class reference at top. I dump the, the ee class structure information. I
41:50
found the, I found that this specific class has 6 methods, 28 instance fields,
42:06
and 5 static fields. I can check one of these fields, for example, in this case, a value type fields by using dumpvc. I found a hash table class composed by several, uh, several
42:25
fields here at right. I dump the, the met table information. I dump the met table information again, but, uh, detail the output. As you see, several, uh, methods, some of
42:44
them prejitted, precompiled. I dump information about, uh, a specific model. I found the assembly reference. I dump the assembly, uh, information. I found the parent domain
43:01
information. I dump the domain information at bottom. It's pretty easy to do that, well, of course, here. Here is a bit more complicated. Uh, finally, I start again. I, I found the met table structure and, uh, ee structure here. I found some interesting, uh, classes,
43:25
uh, possible malicious classes. Possible malicious classes. I, I take one, testprint dot client. I dump some information from this class. As you see, there are several methods
43:44
there. I pick up one. I dump the class in, in, it's very interesting because there, I, I found some, uh, some, uh, fields in English, Portuguese and German language. I, I took
44:07
the German one to check the information. As you see, uh, this part, uh, wasn't executed by zit because at bottom is zit to the node. So, I tried to put, uh, break point to a
44:25
future execution. I dump again all, all of the stack objects. I saw, uh, uh, a function using, uh, an array. I dump this array. This array is composed by one element
44:44
that in this case is, uh, a structure as you see at bottom. I dump it, ok, that's, that's the same slide. I check the heap information. I check any kind of references
45:02
to these objects by using gc root. References from, uh, references from the stack, uh, from the handle tables. I check the finalize queue to find something interesting. I check the final handle because some errors, uh, cause strong heap fragmentation. I check
45:28
again a key, again, uh, some, some problems with locks and dead locks, locks and dead locks. I try to find a string inside the heap, the manage heap. At bottom I dump the,
45:47
the memory from memory. And finally, finally, I check the thread invariant block. I found some nice strings at bottom. Uh, I dump all of the heap. I found, I found, uh, some,
46:10
I, I, I found some, uh, classes. I took one keyboard hook and so nice. I dump
46:24
methods from this class. There are several methods. I took the last one. I took the try to disassemble it in, in intermediate, in intermediate language. Try to dump all the
46:43
strings from the memory related to this, uh, method. And it's nice. I found several ULLs related to banks. So, this is a kind of Trojan Banker. Uh, I, I, I, I, I, I, I
47:05
I'm leaving some breakpoints for, for you here. These, uh, are very nice breakpoints to test, to gather some additional information. And I test the, the ULL, uh, in virus total by
47:23
using overview. I can see that is a malicious site. And I test the domain and I found several related things, several malicious things, uh, associated to this domain. It was a very
47:41
long presentation, I know about that, if you want. I can, uh, I can explain details for you. Uh, say, thank you so much to the DefCon staff, as usual, for you, who reserved some time. And have a nice day. Thank you.