NDC Oslo 2012 - Hacking .Net Applications: The Black Arts
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 110 | |
| Author | ||
| License | CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this | |
| Identifiers | 10.5446/50954 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Software developerSoftware developerCartesian coordinate systemMathematicsCycle (graph theory)Physical systemFormal languageBasis <Mathematik>Video game consoleHacker (term)Computer programmingMereologySpacetimeCore dumpComputer animation
01:13
Hill differential equationSoftware developerCodeStack (abstract data type)Macro (computer science)Abstract state machinesPower (physics)NeuroinformatikCartesian coordinate systemCategory of beingObject (grammar)Source codeHacker (term)Perspective (visual)SpacetimeSemiconductor memoryProcess (computing)Reverse engineeringAssembly languageComputer animation
02:17
Software developerSocial classPrinciple of maximum entropyThread (computing)Object (grammar)Line (geometry)Abstract state machinesOvalString (computer science)Context awarenessThread (computing)Cartesian coordinate systemSocial classSemiconductor memorySpacetimeRight angleDemosceneCurveComputer programmingSoftware developerLine (geometry)Metropolitan area networkCodeFunctional (mathematics)Level (video gaming)Table (information)outputAssembly languageInformationDreizehnComputer animation
04:04
Hill differential equationSoftware developerExecution unitInstallation artPrinciple of maximum entropyObject (grammar)Computer networkMiniDiscCodeComputer networkCartesian coordinate systemThread (computing)Assembly languageInformationMiniDiscSocial classComputer animation
04:59
MiniDiscPasswordString (computer science)Block (periodic table)Software developerInheritance (object-oriented programming)Computer iconMUDSource codeString (computer science)PasswordDifferent (Kate Ryan album)NamespaceCartesian coordinate systemValidity (statistics)Reading (process)SequenceHypermediaFunctional (mathematics)Branch (computer science)Partial derivativeGame controllerText editorCompilerPower (physics)LoginSet (mathematics)LengthComputer animation
06:33
FreewareState of matterSoftware developerCountingExecution unitFuzzy logicTerm (mathematics)EmulationAnnulus (mathematics)Source codeFunctional (mathematics)Exception handlingReading (process)Visualization (computer graphics)Right angleMathematics2 (number)Revision controlCrash (computing)Software developerSource codeComputer animation
08:04
Software developerRepeating decimalRWE DeaInclusion mapExecution unitSystem callPoint (geometry)Bit rateRight angleNumberVirtual machineElectronic signatureHacker (term)PasswordLink (knot theory)Revision controlGame theoryComputer configurationCodeSet (mathematics)Physical systemValidity (statistics)DialectKey (cryptography)Default (computer science)Medical imagingSign (mathematics)Directory serviceMessage passingComputer networkIdeal (ethics)Source codeGastropod shellHypermediaInequality (mathematics)Hash functionString (computer science)Game controllerSocial classInheritance (object-oriented programming)Standard deviationInformationAreaPairwise comparisonLine (geometry)Object (grammar)Computer architectureBitWindowNeuroinformatikPersonal identification numberCore dumpEqualiser (mathematics)Branch (computer science)Compilation albumDifferent (Kate Ryan album)Cache (computing)Token ringDrop (liquid)Computer animation
12:24
Software developerCodeGUI widgetAsynchronous Transfer ModeGodMathematical singularityNumberMedical imagingCache (computing)Matrix (mathematics)Formal languageDifferent (Kate Ryan album)PasswordType theoryLine (geometry)Multiplication signoutputEntire functionFunctional (mathematics)Boolean algebraComputer animation
13:51
Natural languageMatrix (mathematics)CodeSoftware developerEmailTelecommunicationService (economics)Structural loadFluid staticsOvalMenu (computing)Formal languageoutputMatrix (mathematics)Different (Kate Ryan album)Cartesian coordinate systemObservational studyAntivirus softwareOffice suiteMalwareRight angleComputer animationTableSource code
14:58
Software developerGamma functionStructural loadComputer virusCodeSoftware developerMultiplication signForm (programming)Cartesian coordinate systemRevision controlMereologySymbol tableOffice suiteGreatest elementSocial classMalwareComputer animation
16:46
Software developerNewton's law of universal gravitationMaxima and minimaWeb pageMenu (computing)Raw image formatIndian Remote SensingOffice suiteCartesian coordinate systemWorkstation <Musikinstrument>CodeMultiplication signSource codeMalwareString (computer science)Data storage deviceReverse engineeringMetadataTrailObject (grammar)Computer wormAntivirus softwareTask (computing)Mechanism designSystem callMaxima and minimaComputer programming40 (number)Server (computing)DatabaseInformation retrievalCore dumpSequelSource codeComputer animation
19:28
Software developerComputer networkMobile appProcess (computing)ForceSystem callMiniDiscComputer wormCartesian coordinate systemStructural loadSequenceDrop (liquid)Sign (mathematics)InjektivitätMoment (mathematics)Semiconductor memoryEncryptionAsynchronous Transfer ModeComputer fileForcing (mathematics)GodFile formatComputer programmingBackupFlow separationBitSoftwareStandard deviationComputer animation
20:57
Software developerForcing (mathematics)Demo (music)CodeComputer wormBootstrap aggregatingInjektivitätPoint (geometry)BitBasis <Mathematik>Thread (computing)Software developerProcess (computing)Structural loadGraphical user interfaceMilitary baseDrop (liquid)Computer programmingHacker (term)Computer animation
23:44
Software developerMenu (computing)Electronic data interchangeEmulationProcess (computing)CryptographyCartesian coordinate systemDifferent (Kate Ryan album)Library (computing)Hash functionType theoryForcing (mathematics)LogicValidity (statistics)PasswordComputer wormTrans-European NetworksData compressionComputer programmingDrop (liquid)Demo (music)Structural loadCombinational logicMereologyObject (grammar)Graph coloringPoint (geometry)SpacetimeSingle-precision floating-point formatConnected spaceWindowEntire functionData structureCodeLine (geometry)2 (number)String (computer science)Computer networkReal numberRandomizationAlgorithmShared memoryThread (computing)Core dumpSource codeBitTrailDrag (physics)VotingRight angleGoodness of fitFunctional (mathematics)SequelWebsiteMultiplication signGroup actionMathematicsComputer animation
29:58
ForceIcosahedronSoftware developerLogicString (computer science)Game controllerPower (physics)Core dumpVulnerability (computing)Computer programmingQuicksortSequelGroup actionNP-hardString (computer science)Level (video gaming)Cartesian coordinate systemMessage passingLogicSequencePasswordInjektivitätLattice (order)Computer animation
31:32
Software developerHecke operatorOvalMenu (computing)Boltzmann equationChi-squared distributionExecution unitString (computer science)Message passingPasswordNatural languageACIDCartesian coordinate systemMiniDiscComputer fileData structureCuboidAreaOffice suiteDrag (physics)Drop (liquid)PasswordStack (abstract data type)Validity (statistics)Functional (mathematics)Social classSource codeSystem callSequenceType theoryRevision controlCodeComputer programmingStructural loadPhysical systemBackupResultantString (computer science)Variable (mathematics)Computer wormWindowSet (mathematics)Computer networkRippingEncryptionMessage passingoutputWikiHash functionInformation retrievalSoftwareServer (computing)Order (biology)Point (geometry)40 (number)PlastikkarteInformation securityLine (geometry)Logic gateSemiconductor memoryState of matterPlanningFundamental theorem of algebraForm (programming)Open setPublic-key cryptographyElectronic signatureCryptographyLogicComputer animation
39:03
MathematicsKey (cryptography)System callServer (computing)Design of experimentsCodeComplex (psychology)Data storage devicePasswordCryptographyVector spaceEncryptionInformation securityMiniDiscLogicGastropod shellServer (computing)Physical systemInformation securityKey (cryptography)Cartesian coordinate systemCryptographyVector spaceSystem callImage registrationStructural loadDifferent (Kate Ryan album)QuicksortSymbol tableGastropod shellProgrammschleifeVulnerability (computing)Computer programmingMathematicsForcing (mathematics)InformationCodeLogicSequenceValidity (statistics)CubeGoodness of fitAlgorithmWindows RegistryLevel (video gaming)PasswordPoint (geometry)Public-key cryptographyLibrary (computing)Mechanism designDatabaseElectric generatorDemo (music)Functional (mathematics)Binary codeComputing platformSoftware protection dongleFormal languageSingle-precision floating-point formatRight angleProduct (business)Programmer (hardware)Multiplication signOffice suiteSign (mathematics)Compilation albumTheoryComputer animation
43:33
TwitterSoftware protection dongleSoftware developerMessage passingPasswordCartesian coordinate systemOffice suiteStructural loadCodeCryptographySemiconductor memoryMiniDiscSource codeObject (grammar)Process (computing)SpacetimeWrapper (data mining)AreaComputer networkFormal languageComputer animation
45:25
Software developerCuboidFlagMiniDiscException handlingLogicOffice suiteSource codeCartesian coordinate systemCuboidVisualization (computer graphics)CodeCategory of beingData miningComputer wormPhysical systemSequenceVirtual machine2 (number)Right angleVulnerability (computing)Form (programming)Object (grammar)Power (physics)Compilation albumDifferent (Kate Ryan album)File formatPoint (geometry)Computer animation
48:49
MiniDiscSoftware developerInstallation artBitComputer animation
49:42
Software developerMiniDiscSoftware testingCartesian coordinate systemWave packetUnit testingVulnerability (computing)Execution unitProgramming paradigmInformation securityComputer architectureComputer animation
50:43
Software developerRadio-frequency identificationUnit testingInformation securityScaling (geometry)Computer networkProgramming paradigmSoftware testingQuicksortRandomizationNP-hardGoodness of fitVideoconferencingDigitizingFreewareDemo (music)Speech synthesisStudent's t-testComputer animation
52:11
Software developerGastropod shellEncryptionMiniDiscSpeech synthesisDemo (music)Formal languageMatrix (mathematics)CodePhysical systemData managementInformation securityArithmetic meanTraffic reportingPatch (Unix)Online helpIntegrated development environmentComputer architectureIncidence algebraCryptographyComputer programmingSubsetComputer wormReverse engineeringWritingPasswordOffice suiteMathematicsRevision controlVulnerability (computing)Gastropod shellCartesian coordinate systemPower (physics)Video gameCycle (graph theory)Validity (statistics)AuthorizationDifferent (Kate Ryan album)Goodness of fitKey (cryptography)MalwareCuboidSoftware bugComputer animation
55:14
Information securityCAN busSoftware developerCartesian coordinate systemVisualization (computer graphics)Integrated development environmentRevision controlCodeProduct (business)Multiplication signQuicksortSoftware developerStability theoryFunctional (mathematics)Computer architectureSingle-precision floating-point formatDifferent (Kate Ryan album)Social classLevel (video gaming)Constructor (object-oriented programming)RootReflection (mathematics)Information securityPower (physics)Line (geometry)Drop (liquid)Boss CorporationBus (computing)Axiom of choiceCommunications protocolRoutingCoroutineComputer animation
57:52
Software protection dongleTwitterOpen sourceSource codeMultiplication signCartesian coordinate systemVisualization (computer graphics)Form (programming)Physical systemFreeware1 (number)Game theoryCodePlanningRevision controlCore dumpComputer animation
58:53
Demo (music)CodeMatrix (mathematics)Software developerKey (cryptography)CuboidVisualization (computer graphics)Information securitySource codeCodeMalwareServer (computing)Group actionDatabaseIntegrated development environmentSoftware developerKey (cryptography)Right angleThread (computing)Mobile appClient (computing)Core dumpContext awarenessVulnerability (computing)Revision control1 (number)Multiplication signVirtual machineInternetworkingSequelComputer animation
01:00:56
Visual systemPower (physics)Numbering schemeSoftware crackingVirtual realitySoftware developerInfinite conjugacy class propertyInformation securityCryptographyVisualization (computer graphics)Cartesian coordinate systemPhysical systemCore dumpIntegrated development environmentProxy serverNumbering schemeFile formatPasswordGoodness of fitPatch (Unix)NeuroinformatikHacker (term)State of matterProduct (business)Computer programmingHard disk driveInformation securitySoftware developerDifferent (Kate Ryan album)CryptographyShift operatorProgramming paradigmInformationFundamental theorem of algebra.NET FrameworkTurbo-CodeOpen sourceRule of inferencePattern languageConfiguration spaceDirectory serviceBuildingCategory of beingProjective planeCuboidQuicksortEndliche ModelltheorieKey (cryptography)Process (computing)Firewall (computing)HexagonVirtualizationSign (mathematics)Type theoryMedical imagingComputer networkDrop (liquid)Set (mathematics)Graph coloringMalwareText editorSoftware crackingMetadataCache (computing)Computer animation
01:05:57
Software developerLeakInformationImage registrationPhysical systemInformation securityMountain passHash functionNumberCryptographyCryptographyCartesian coordinate systemVulnerability (computing)Multiplication signDrop (liquid)Right anglePatch (Unix)Standard deviationAxiom of choiceFitness functionFirewall (computing)CuboidEnterprise architectureGame controllerComputer animation
01:07:30
Software developerInformationDigital libraryRight angleMultiplication signMechanism designMedical imagingMoving averageCryptosystemInformation securitySign (mathematics)Windows RegistryComputing platformAxiom of choiceValidity (statistics)CuboidStack (abstract data type)Source codeComputer animation
01:08:57
Software developerComputer animation
Transcript: English(auto-generated)
00:01
This is my target audience. Someone that wants to just modify an application. They want to make core changes to it and this kid was arrested for modifying his gaming console. And there's attackers that just want to cause direct damage and they want to be the best of the worst. That's my target audience. Because when it comes to just attacking someone or defending yourself from an attacker
00:24
that's kind of the space that I'm living in. And there's the outside developer that just wants to change the system. They want to bend and re-architect the way that we view the world. There's people that are blind or deaf and they need a one-off solution. They need the ability to access a program that was not made accessible. And
00:44
we as developers can use this technology to force it to be accessible. Or like this guy, he's French. And so a lot of the applications aren't accessible in his language. We can simply go and force an application into any language we can conceive of. And there's just the part of our sector that's just a one-off solution will open up the world. And that's kind of what
01:05
I'm hoping that you guys will be able to see in this technology beyond just the hacking. But what we can actually do on a daily basis in our development cycle. An application. It's filled with intellectual property. It has the object and source codes that we all deal with.
01:21
It has a locks inside of it that restrict access and the power of that application itself. And that's what I'm looking at attacking. That application that sits on your desktop that you use day in day out. It guards your data while you walk away from your desk. It gives you access to the world that you consider to be your computer.
01:41
To give you a historical perspective on the hacking space, this is IDA Pro. It does assembly code modifications of your target. It lets you look at registers and memory. This is how you did hacking back in the day. In the 90s or even today, this is how you do reverse engineering. You spin up IDA Pro and you look at the registers inside of your target process.
02:03
And the assembly code rocks. It's powerful. We still use it underneath every single thing we do today. And IDA Pro was good. It was a solid tool. It really worked in the day. And it was shiny, fancy, and it was effective. But it was effective in a certain context. It went up against applications that were using 8-bit graphics and had
02:24
relatively small footprints. And it had one thread. It had nine classes, nine objects, and under five kilobytes of memory. And that was a space I grew up in. And it was highly effective against that. And that, as a tool, worked. It worked then. It works now.
02:41
It's just, IDA Pro was a tool back in the day. We don't consider the newest and latest and greatest, but this is still what the community is using. On comes the scene of .NET, right? And now we're talking about programs that are highly complex. For no apparent reason, they're just on an exponential curve where we're talking about how many man-years of development does this application take.
03:05
And here's what we're looking at. 13 lines of code. This is an extremely simple function. It takes two things, it compares them, and then returns whether they were the same. There's almost nothing to this. It's 13 lines of input. When you decompile it, it turns into 15 lines of C sharp. It turns into 34 lines of IL and 77 lines of assembly code. And
03:26
that's where we're looking. When we're talking about attacking with that IDA Pro, how much code do you need to read through, right? This 15 lines, this is what it looks like. Here's the 34 lines of IL. And so you can see there's definitely an increase in how much you have to read through to
03:40
get the same information, right? And here's the 77 lines of assembly code. And this is why it turns from a 15 second, okay, this is what this function does, into a six-hour painful just grinding through. And that old day of attacking in that small application is just gone. You need to bring something new to the table.
04:00
And attack it in a more direct and vicious way at this higher level. That's why we're not using IDA Pro. That's why I'm talking about .NET, not C++ and assembly code applications. Because this is what happens when you use IDA Pro to go against .NET. It's just going to be painful and you're going to want to kill yourself. Literally. So why? This is it. This is what an application is starting to look like nowadays.
04:22
We're talking about 15 threads, and they're all over the place, 90 classes, over 9,000 objects, and over 3 gigs of RAM. And you're using a microscope to look at it. You're looking on one single thread and you're going through iterative calls over and over again to get that same information that we deal with every day in .NET.
04:42
And this is what you should be bringing. You should just attack it directly in an undeniable fashion. And here it is. Here's an attack on disk using a tool that I wrote called Gray Wolf. It goes up on disk, it finds your application, it modifies it, and hopefully round trips rather rapidly.
05:00
And let's look at this. Attacking on disk, Microsoft Media Center, something off the shelf that you all can play with at home. Here's its password validation for its parental controls. It takes in a string. It then takes in the known string that's stored, the correct password. It checks to see that the correct password is not equal to null, that its length is greater than zero.
05:24
And then it checks to see if the set password starts with a colon. Because if it does, it's going to do something different. If it doesn't, it's going to execute the normal path that we consider. So to think about this, there's actually a branch inside a login sequence that we're never privy to. If you are, it can open up different paths.
05:42
And this is the password validation. This is pretty much the same password validation you're going to see in a lot of applications. And that's why this is kind of just a nice, ubiquitous, let's look at it. Here's Gray Wolf. You open up Gray Wolf, and it's not so much a decompiler as it is a straight editor.
06:01
This is the PowerShell DLL that sits in your, not PowerShell, Media Center, sorry. And this is EH shell. It's packaged as a DLL for some reason. And you can tunnel down, and here's namespaces, properly named. And we can go down to here, here, and we can just click into a function and return source code.
06:26
And so on this side is source code, and this is IL. And I'll get to IL a little later. But this is your source code. And that's what all of these functions have in them. And we can just return source code and read through their source code.
06:41
And I'm trying to give a similar experience to Visual Studios, except you're opening a compiled DLL executable. You can come through and say, this function, it's public. Let's see, let's find a, I'm looking for a private.
07:01
Okay, here's a private, right? So why would this be private? Well, I don't know. But come in here, change it over to public, and it's like, okay, public. Come down here, click Save. I'm using a newer version than what I was using yesterday. Oh, no. Yeah, there we go. Okay, my bad.
07:25
I'm in rapid development, to say the least, right? So come in here, do the same thing without crashing. Let's see, here's a private. Private off, public on, Save.
07:44
That's embarrassing. Okay. Let's see, I think this might be older, old enough anyways.
08:04
Okay, so hopefully I'll get that running in a second. You're able to edit DLLs and executables in this manner. Here is this media center, we're going to go into this class.
08:23
Media center options, parental control pin check. Media center check pin. So that code that I showed you a second ago,
08:41
where this is their password validation, this is the IL that links to this. This is what we're looking at. We're looking at the actual IL. Of course, we're not looking at source code, right? So at this point, we're able to come in here and read through the IL. Hopefully, this will get to a point where you can edit straight source code, but for now, it works against IL.
09:00
You can come in and find something in IL that you want to affect, such as this double equals or this equals here. We can come in, this is a branch on true, flip this branch on true to branch on false, and it becomes a not equals. And we can go through their program and add that all the way through.
09:21
Here's a equals comparison, which is done with a op equals. Retarget that call to a different class, and it's MS core lib, system, string, inequality, and then that will execute an inequality on it.
09:42
And so that password validation that we did where it passes in a string and then compares it, only incorrect values will fail or pass. Correct values will fail. Okay, here we go. Now we can save. So we click save, and in this directory, we're able to quickly generate a modified DLL.
10:03
And to point out that Microsoft Media Center is strong name signed. And in that strong name signing, you have 1024-bit crypto, all that. You guys probably know strong name signing. However, Microsoft has left it off by default to check it. So it will validate, do you have a strong name and is it correct?
10:23
That's it. They're not going to check the hash value of your DLLs. So you can change the DLL and it won't hash anymore. It won't be a valid signature, but when someone checks your key, it will be a valid key. It will allow you to load. You can go into the registry and turn that off. So let's look at that real quick.
10:43
So we've modified this, right? And this is where we're going into a little more technically specific information. You come into Windows, Assembly, and here's your GACs. This is where everything that is in your computer is cached in .NET. Well, there's like four GACs, but this is one of the GACs.
11:02
And it's broken up into subsections, the different compilation options, MSIL 64-bit, standard GAC, your native images where you have native image compilation. And then this is where Media Center lives. It lives in MSIL, E-Shell. So MSIL, because that's the compilation option,
11:23
E-Shell, and then this is the version number, and then it's a strong key token. And then here's E-Shell. And so you come and replace with the hacked version, and that supplies us with our attack. You're able to drop this in here, and let's go for that.
11:42
Take this, drop this in here, rename it to the original. And so now we have replaced this. Up here, we also have .NET 2064-bit E-Shell
12:01
in the native area. And so now, in your system, you'll see a native image, eshell.ni.dll here, and you come and delete that. That's your native image caching. So when you run it, a native image compiles it down to your machine architecture, and then it runs. So Media Center.
12:23
And so here's Media Center. It takes a little longer to boot, because it's not using native image caching. And we can come into settings, and hopefully that attack will... So I can put in whatever number I want.
12:40
Let's see, I'm going to grab... I'm going to find a way to get a real quick attack. I dropped one of my...
13:02
I normally show you the password, so you can see that I'm typing in different passwords. If I have extra time at the end, I'll show it that it was actually the incorrect password, and I can type in X number of incorrect passwords. Sorry about that. You can put return true at the top.
13:20
So in this attack, here's this... It returns a boolean. We simply come to the top. We add two lines of noops. And we can add a push one onto the stack, and then a return. And then that turns the entire function into a giant return true.
13:41
And save that out. And so you can quickly come and not so much worry about what your target's doing, but just make that change and subvert that functionality. And this is IL. This is kind of the matrix that we live in. We're dealing in C sharp and VB.net and all these different languages, F sharp. And this is what's really underneath it.
14:01
All of it's IL. And so you don't have to worry about the input language. You can go from any input language to IL, and IL theoretically to most of the input languages. And so what does this get us? Like, yeah, we can attack applications, but here's something called antivirus.exe. It's a piece of probably malware.
14:21
You tunnel down to the main on it by clicking find main. And then you can see what it does. And it's like, oh, you don't have maf-tox antivirus. And it's just some off the shelf piece of malware, right? And it's obfuscated. And we typically use obfuscation to defend our desktop applications.
14:42
This happens to be malware defending itself with that same thing. Right? And so we'll target that malware and import it and remove the office.
15:02
I was doing some last minute code development like you should never do before a demo. So we'll import that again. And this fires, that should have fired de-obfuscation, I'm sorry.
15:30
OK, I'm really, OK, it's question time. I'm burning to see what kind of questions might come out of this.
15:44
Have any of you done stuff like this before? Do you think any of you would do stuff like this in general? I mean, quickly being able to open and edit someone else's application. So part of being able to edit someone else's application
16:02
is you can use it for good or bad purposes. And when you're going up against malware and attacking it. And so here's an older version where it does do de-obfuscation. And now those symbols that were hard to read are a little easier to read. And now to compare it, this is what it looks like now.
16:23
Application enable visual styles that we're all used to at the beginning versus the obfuscation. OK, oh, it did partial de-obfuscation. OK, so like here, down at the bottom, it's class 47, form 0, run. And here it's SPA and this.
16:44
And maybe I have one without the, I'll just drag and drop one real quick. OK, find main. And so here's that code. This is what it looks like natively before any de-obfuscation.
17:01
And here's what it looks like with de-obfuscation. And so this is what starts saving you time when you're going up against protected applications. That you can start, this is protected by off-the-shelf obfuscation. And so I can use community-driven off-the-shelf de-obfuscation. Anything you can do programmatically, I can undo programmatically.
17:21
Anything you can do by hand, I can undo by hand. And it's basically one of those, if you're buying a $40 tool, it's going to take me a 20-minute tool to undo it. So it's kind of that whole ROI for all that. But you'll notice here that I'm returning names. Like this is frmonstart antivirus.
17:43
Like it destroyed all the names, but I'm retrieving names. And where are they coming from, right? Like these are well-named objects. It turns out that no matter what you do, Microsoft stores a lot of the metadata. And so some of it will be lost, like method 5. And some of it will be retained, because it's a tool strip
18:01
and it retained that metadata. And we can start constructing some of the good names through all of the obfuscation, through your destruction of the names, we can retrieve them. So there's metadata laying all around your program that you wouldn't normally think of. And then someone like me shows you a tool and it's like, here you go, here's your source code. It can still be edited.
18:22
So here's this string. We come over here to the string and we can just edit it. And then we can save it out. And so now when you talk about like this piece of malware,
18:40
we can go and edit that piece of malware, we can re-point it to a different server, we can put a phone home mechanism and track it, we can subvert it and use it ourselves, we can dissect it and say what it does and does not do. And when you're talking back to that IDA Pro, that is a hardcore task. To reverse engineer this malware, this malware is 983 kilobytes.
19:01
In the malware world, that's large, that's huge. And we're talking about people that are used to going up against 5 kilobyte payloads at the max. And they're spending weeks to dig through it. We're spending minutes to dig through it, to subvert it, turn it around and attack the attacker. Or commonly you'll find their SQL string and you'll go to their database, retrieve their database and wipe it.
19:22
The same thing an attacker would come and do to your company, you can do it to anyone else. It's just, is it morally or ethically legal? That's your call. And that's where I come in. I just build tools. I facilitate you in doing what you want to do better. Here's an application. I showed you attacking on disk. I want to show you attacking an application while it's running.
19:42
It's in memory, it's loaded, we inject into it while it's running. And this is the sequence. You have a disk, you launch an executable, it's signed. It loads all of its signed DLLs. They go through the Microsoft security systems and then it becomes a process. And at that moment, whenever you are there, you inject
20:01
and you drop in your payload. And that's basically injection. It's typically used in the classical sense to modify applications. And that's what we can do. We can modify applications or I'm trying to pitch you more on kind of a god mode API.
20:20
So let's look at a brute forcer. This is a program that backs up your files into an encrypted format and packs them. This is another program that backs up your files and encrypts them and packs them. So it's a standard piece of backup software, two of them. One of them 64-bit, one of them 32-bit. I'm going to inject into one of them. I'm going to drop in a payload.
20:42
This payload will brute force. I'm going to inject into the other one and I'm going to drop in the exact same payload on both 32-bit and 64-bit on two separate applications. And brute force both of them with the same payload. That's why I'm talking about kind of an API but god mode API.
21:01
Here is program A. This is gray dragon injection. It injects in, it says, okay, this is 64-bit. I'm going to use a 64-bit payload. It spins up an MSIL bootstrap and this bootstrap will then load any void main executable you feed it. So you don't need to adhere to some clever anything.
21:22
You just give it any void main executable. I will start it up in its own secure thread. I'll put it so it can start up its own independent GUI and you don't have to worry about threading, crashing, all of that stuff. I'll take care of all of that. And so at this point, we can spin up the brute force that I told you about, right?
21:42
So here's the brute force. You can drag and drop it and load it up and here's the brute force. Sure. But first, let's look at what you can do beyond just brute forcing. Kind of that API, right? So...
22:03
Okay. I think I injected into the wrong process. I don't think that was my bad. Maybe. Okay. Normally, I'm bulletproof on my demos.
22:23
Like... Okay, so gray dragon locks on, injects me in and hopefully, this should work bulletproof. Okay. I'll try the other one real quick to see what the error is. So that first one was 64-bit.
22:42
I'll inject into this one and we have another bootstrap inside of this bootstrap. I'll load the same payload to test it out. Okay, maybe it's my bad with the payload. That's probably it. Okay, now I know what the problem is.
23:02
I'm using newer payloads that I was just developing again. Okay. Like I said, I'm a hacker. I'll do bad things like demos with brand new code bases. And... I happen to have all of my old versions
23:21
because like a good developer, I version. So here we go. We'll drop this in here. Load that up. Let's clean up all of this.
23:40
Open up. Open up this. I owe you guys something for giving such shitty demos. If any of you have any questions why I'm spinning through this demo like six times, hopefully it'll be fairly impressive.
24:02
Okay. Inject into it with the old injection system that I wasn't editing and we'll drop in payloads that I also wasn't editing. And... So... Okay, so here's buttons. I added buttons to a random application, like... You guys want to clap? That took me a little while.
24:22
And these buttons work. I can iterate all of the strings and just lead them. I can iterate the entire program at this point and lead them. I can walk the entire object structure and find all of your secure strings and retrieve all of them. I can find any SQL connection and change it and replace it with my own. I can modify... So like I can't click on this OK button.
24:42
I can enable it and now I can. And this is where you can quickly just jump into any application. This is not dependent on this application whatsoever. I can take this button and drag it around. I can right-click and open this editing window and now I can say I want the color to be different.
25:00
I can edit any part of the application that I can conceive of. But like I said, we're going for the brute forcing. Drag and drop the brute force into this bootloader, load it up. So here's the brute force. It comes into this process. It finds the hash value for your password out of it because it's storing your password hash to validate for the crypto.
25:24
Here it is, here's your password hash stored inside of your application. And then I use the logic of the application to validate whether that password is right or wrong. And then I just start brute forcing. And I'm like, OK, I'll just try every possible combination. I'll fly through tens of thousands of checks a second with your own logic
25:41
and return the outcome. And when I find a successful return, I'll say that's your password. And here it is, your password is one through seven. And I can brute force with your own logic. And then I'm like, OK, I have your password, why don't I auto-type it into your program? And here it is, I can just auto-type it into the program.
26:03
And that's it, that's the real password for this compressed. So you can grab the hash, use the logic and not have to worry about coding any of it from the ground up. You can find string called hash, find logic called checked password and connect them on most applications that aren't obfuscated. And it's a pretty fast round trip.
26:23
So like I said, we're going to check this against two different applications. Here's another one that I'm also packing. I'll lock on to it. This is a 32-bit application, so the last one was 64-bit. Inject into it again, hopefully with the good stuff.
26:42
The same thing, drag and drop, I can add buttons, which is all fine and dandy. I can do the same brute force password, load it up and here's the hash out of this application. It is a completely different hashing algorithm type. It has a completely password validation difference. The first one was MD5.
27:01
This is SHA-256, MD5 and then a homemade hashing algorithm all chained together. And so this takes a lot longer. And the last one is doing tens of thousands of checks a second. This one is doing tens of checks a second. And so that will just crank through and eventually find the right password.
27:20
While that's going, let me inject another. I'll just drag and drop some random application that I've written into this process. Oh, I found it. It was 1234. It automatically types it in and that gives us our brute forcing. And so that's nice.
27:42
That's what I said it did, right? Oh, OK, so I'm injecting another executable in here. This is just something I wrote that has nothing to do with anything. You can take these as just generic applications. And so I'm injecting, what, three executables together at this point. And I can inject four executables together at this point.
28:01
And so now I have four executables, including all of my payloads, including this attack button, all loaded into the same process. These are all one application. All of these with the buttons are one single process space. And as you know, with process space, you can share objects in a process space, right? So I can do something like, let's see, take this button here and remove it.
28:23
Come over here and place it. So you can move objects between different executables and use them like they were all meant to be there, right? And you can click here and it's like, oh, it still works. Like, it's still connected to all of the logic. It's in the same process. I basically just move the button over and there it is.
28:41
And this payload that I wrote is just a few lines of code. This payload I wrote is on my website. You can open up the payload and read the source code, see how I did it. You can take any object from any process that's .NET, inject it into any process that's .NET and share it. GUIs, logic, core values, you can just bend most anything.
29:02
And it has some bugs, but for the most part, it's really rather stable because I'm handling all of the threading. You can take, say, all of these buttons and then put them over here. And so you can start making Frankenstein applications.
29:22
And it's stable. All these buttons still function as they originally did. And so here's the start button. I'll come and put it over here. I missed a little bit. I'll take the stop button. I'll come and put it over here.
29:40
And it still stops. So start here, stop here. And so you can Frankenstein real quick. No technical knowledge, off-the-shelf deployments. Your little cousin can start just, look at what I did. I edited the application and now it's a horsey. And this is what I'm bringing you. It's easy. This is all stuff that I did the research for.
30:01
You don't have to be hardcore. This is all managed. It's not like the old days where you had to know IDA Pro and you had to be hardcore and you had to have all of this skill. No, this isn't that day anymore. I'm trying to bring you to feel more like you're just in power. You have control. You don't have to ask. You don't have to try and whittle through it. You just are in control from the beginning.
30:21
You access your application, you decompile it, you infect it, you exploit it, you remold it, and that's it. And you can proceed to fairly hardcore attacks. The common attacks I like to tell you about just because it's kind of interesting. From me being out there and attacking, this is what I can bring back. This is how you will commonly be able to attack most applications.
30:43
You can flip the check. You can set a value to true, you can cut the logic, you can return true, and you can access a value. That will get you through most of your targets that you want to do some sort of attack against. Because registered equals false suddenly becomes registered equals true. And does password A meet password B?
31:02
No, only incorrect passwords will proceed. And is registered, put a return at the top. SQL cleaning, return original string, and now suddenly you have a backdoor and you know this program is now vulnerable to SQL injection because you took out the SQL cleaning. And this isn't a backdoor. You can just add in a slight vulnerability
31:21
that no AV is going to catch. No AV is going to be like, oh, the SQL cleaning is off. No, this is high-level attacks. AVs don't operate here. And so let's look at that. Let's look at what it actually takes to attack an application. This is an application installed into a sandbox, and that's why I'm walking you through this.
31:40
This is what you would see when you install this application into a sandbox. It's called the best key logger. You iterate through, and it traps all the files written to disk into this area. And so you can say, okay, well, here's a few DLLs, and here's its structure, here's its executable, and here's our target that we're going to go after.
32:01
Drag and drop it, and here it is. Here's this application. It's obfuscated with a signature. It's obfuscated where it's not necessarily informative, but it's still semi-human readable. And I want to show you this. I'm not going to de-obfuscate it. I usually could, but I don't want to de-obfuscate it,
32:22
because I want to show you that de-obfuscation doesn't matter. You come down here into class P. You come down here.
32:55
Okay, how about seriously one question?
33:03
I've showed you this. You don't have any questions? Like, okay. The common ways are DoFiscator, which is recommended by Microsoft, SmartAssembly from a really bad company called Redgate,
33:20
and there's like 40 off-the-shelf applications. .NET Reactor is pretty good and affordable, but they range in between $40 and $4,000. And in the end, they all fall apart about the same. They will pack their resources into encrypted payloads.
33:41
They will go through and turn all their strings into a resource and pack that as an encrypted reference. And so you can't read the strings. They'll go through and add logical obfuscation, where they will try and make it harder to read. They'll go through and just kind of mess up the program in a fundamental way.
34:00
Each one does it a little differently, but in the end, you can basically undo all of them. Ooh, I know where it is.
34:23
Back to the versioning. I guess I'm going to give you a talk from old stuff. So come down in here to class P and function U, and this is the password validation. So let's open this real quick. Run this.
34:40
I like to run it inside of a VM inside of a sandbox. I recommend that. Here's the application. Go for it. I researched beforehand, and then I kind of just memorized the... I memorize a lot.
35:01
So, here, we can come in and go to settings security. Type in a password. Okay. And so we have our password set. And now when we try and open this, it will present us with a password challenge.
35:20
I, of course, don't know the password, and it's like, no, you don't have the password, you're not getting in. Same thing as before, right? Come in here, and this is the source code. So this is our known value versus our input value. They're both in plain text. There's no crypto, there's no hashing. It's storing your password in a completely plain state.
35:41
So you can, A, rip it out of memory, and this is the validation sequence. It's a single if check. And at this point, this is where we can start attacking that. So, we have our password, which is here on the stack. We can add a dupe.
36:01
And so down here, I tell you what this IL call does. It duplicates the top item on the stack. So now we have two passwords on the stack. Come down here, type in call. And then we're going to call out to system windows forms. System windows forms. Message box show.
36:22
And now we have a call out to system windows box show. This pushes a dialogue result back onto the stack. So we pop that off of the stack. And now we have this. So we take our password, we put it in a variable, we show it to the user, and then we compare that variable.
36:42
But we still have this check in here, right? So we'll come in here. So, here's where I popped it off of the stack. I'll add a new pop. So, onto the stack.
37:10
So, LDC is load I4 type one onto the stack. And so now we have this. We have show us the password and does one equal one.
37:22
Click save. Save it out. I'm running it off of a CD backup. Come back to the desktop.
37:48
Our new edited one in there. And so now we can run this. And so, here's our password validation. Same as before, type in our password.
38:00
Here's our password, ripped out of the program itself. And then it passes. That's a password validation sequence. And once you, yeah, you have to go and find that function. But that's where I try and make this easier. When you're talking about finding that function, I give you some tools to find that function faster. And I'll go through that later.
38:21
And finding out what that function does, you can read over the source code. And at this point, you still have to know IL, unfortunately. But you can bring up a Wiki page and it's not too bad, hopefully. And this is a piece of software that should be doing, you have the user's password and you have access to their application. And so, when you come up to someone else's system or your own system and you're locked out of it,
38:41
you can say, no, no, I'm not locked out of it. You'll let me in anyways and you'll tell me my old password. And you can do your own password retrieval. And so, you can write your own password retrieval application for application X in a matter of 15 minutes. And then it's like, I'm going to sell it for $5. And it's five lines of code. Like, this stuff is... I'm trying to make it reusable, dirt simple as much as possible.
39:05
And the other things you're going to come into is public and private key validation. So, it has a public key, it has a private key on the server that you don't have and then it validates against that. You'll have a known value and an unknown value and then that will compare against your user ID and your system code.
39:22
You'll have a server call. You'll have a demo equals true and you'll have complex math. And these are the common registration mechanisms that you're going to see in market. Also, way more than 1% of the time, they'll ship you the key generation sequence with the product inside of it. And they'll buy an off-the-shelf DLL that does the registration mechanism
39:41
and the registration generation mechanism and they'll ship that to you. And then you can just find that function and fire it and you don't even have to deal with it. It'll just give you the keys. When you have a public and private key signing, you have a public key and you don't know the private key, simply rekey it to something that you do know and suddenly you're the master of that program.
40:01
You have a server call, you repoint it to your server, you have your server return whatever you want, you then know what registration code will work and then that causes registry equals true. And so you can just take yourself one up level into the server role. Also in password and user validation for a code, they'll take a user, they'll run it through a complex algorithm
40:21
and then they'll compare that against your registration code. And then if that matches, you're registered. If not, you're not registered. We simply take that requested value and then replay attack it. And we know what value it wants in the future so we supply that value in the past. And then suddenly you're registered. And this works against so many applications.
40:43
And some of them do complex math. You simply chop up the math into the segments and you start attacking those segments one at a time. And it's kind of like a Rubik's cube that someone meant you not to be able to solve. Simply do what you can and then brute force the rest and try and get till you can solve all of it.
41:02
And usually you can. Six or eight hours, you can logically unravel most things. It's not too bad. So that program that I looked at, like, what about it? Like, it stored it in the clear. It did static crypto. It did zero vector initialisation on its crypto sequences. It stored all of the worst things you can possibly do for a security application.
41:24
All rolled into one and now I can come to you and say, I used what I normally attack with. This program is vulnerable to everything. There's nothing they could have done that was worse. They had ABC vulnerabilities. And now you can vet with these tools. You can go and say,
41:41
I can change the public and private key crypto and it's vulnerable. I can get your password in the clear and it's vulnerable. I can say that you're not actually implementing crypto. You're using crypto but you're not actually implementing it correctly. And so now you can say whether application A is secure, whether application B is more or less secure. And so you can start taking that into your own role
42:02
and we can start twittering out, hey, this is insecure and these companies will maybe start becoming more secure. And so what stops this? Like, we all know Microsoft and there's so much money in security, right? Well, there's security by obscurity, which is obfuscators. They do code obfuscation where they mess up the symbols.
42:21
They do logical obfuscation where they send it in all sorts of crazy loops and callbacks. They do unmanaged calls and they put logic in all sorts of different languages and they try and run away from any single technology or platform. They do shells and packers where you take a C++ shell and then you encrypt your binary into that and you load it through a packer.
42:42
And all of this is to shut down decompilation, like I was doing. They connect them to USB dongles, they phone home and they make database calls. They have their crypto. From my experience, these are the weak points because you can go find that USB dongle that they bought and find that library and then get full documentation on it,
43:04
find that one segment where they communicate and then attack that. You can find where they send information back to the server and you can re-point that to your server. You can take all of these things that are... As a good programmer, you bring this to a choke point, right? As a good programmer, you try and take all of this logic, wrap it up and then return one value and then make that very disconnected.
43:23
And that's an easy choke point to attack. You can find that one crypto library and then subvert the crypto for the entire application at that one point. And this is nice. It's good from an attacking standpoint. And this is what you want from an application standpoint. This is typically what you're going to see against a hardened application.
43:41
And like I showed you, there was that obfuscation. But let's look at what happens when we don't de-obfuscate, right? So I'll drag and drop this in here and this is what it comes out to. It just... I don't know what it is. Like, it's not decompiling, I can't get a handle on it. This is an application that's packed behind a C++ wrapper.
44:01
It decrypts itself and there it is. But this application, it's like, no, there's no .NET in here. But it is. This is .NET. So what's going on, right? It's... Like I said, it has that encrypted area. We'll load up into it again. And this window again.
44:21
So I call them spikes, the different things that you load into your target. We'll load in code access. And this grants us source code access to our target. So this is loaded into the same memory space. As I was walking objects before, I can now walk the code base
44:43
and I can pull the code base straight out of memory. And here's the obfuscated code in memory that you can just open up and start getting the source code for. So this is straight out of memory. Instead of where I was attacking on disk before, we can do the same thing in memory. And so you can just walk into running process and no matter how well they protected it,
45:01
how many layers of crypto they're unpacking it through, you can just pull it right out of memory. And that's nice. And you can do this to any language. Like you can do this to Java, you can do this to .NET, you can do this to Python, you can do this to C++. This is just because you have access to RAM and instructions have to be inside of the process.
45:20
And it's not something new or magical. It's just inherent. Let's see. OK, there we go. So this is what obfuscation looks like.
45:41
It puts in a bad name and it uses weird logic. And so it's not that bad, like it might take a while to read through. Like I said, you can basically get past most of it. My tool will de-obfuscate most things. The tools on the website don't currently do that. Hopefully I'll have this release ready in not too long. Let's look at that.
46:03
Obfuscation. But we're talking about what can protect you. Like it's a sea of stuff to hide what you're actually doing. And I like to say that the best defense is a good sniper. That trying to protect yourself with obfuscation is just ridiculous.
46:21
So we'll drag and drop this executable and we'll look at it, OK, it's a regular executable. Like anything else, you can find main and read through the source code. There's a whole bunch of decompilers out there on the market. Mine happens to be geared towards attacking. This one's geared towards decompiling.
46:43
We'll come in here, decompile it in some random one to show you that this is just normal. You come in here and say, OK, I want to save out the source code. We'll save out the source code for this. And so we have the source code saved out. We decompiled an application and so here's the source code.
47:01
Like, that's it, click, click. At this point, we have someone else's application on our box, we have their source code on our box, we have their intellectual property and we're able to attack them, right? That's the standard sequence that I've been showing you. And I'm targeting this at defense. So you come in here and you click on it. It's like, OK, I'll look at this, I'll look at this.
47:22
And it turns out that there's vulnerabilities everywhere. One of them is that when you click this, it's like, oh, I don't know, I need to rebuild. You rebuild and save it and so it needed to build objects to be able to view this form. When you look at this form, it runs arbitrary code on your machine
47:41
from Visual Studios. And this decompiled application is now attacking you inside of Visual Studios with the full rights of Visual Studios. And so, we'll come down here to PowerShell. And here's PowerShell, OK? This payload, we'll install it.
48:06
OK, well, this runs arbitrary code on your system. I'll pop across... Yeah, that teaches me... OK. One more second.
48:22
OK, so normally, this would run right out of the box. OK, so this payload runs in the background and now we come down to PowerShell.
48:48
Two seconds. OK.
49:19
OK.
49:21
I am incredibly sorry. I'll try and get that up and running. I know you guys aren't going to ask any questions, but any questions?
49:42
Can you speak up a little bit? I know what slows me down and what slows other people down. And so, I can implement those on different applications.
50:04
How to protect? You can hire pen testers like me to come in and give trainings. All my tools are free. Like, there's a reason. I come in and give trainings on how to defend your applications.
50:26
I come in and find vulnerabilities that would be normally leveraged and help harden you. My best thing is just... Basically, architecting in dependable architecture.
50:43
Like, if you're not defendable from the beginning, then there's really nothing you can do. Like, you have unit tests and you'll go through and make sure that your unit test is working, but do unit tests for security and make sure that you're not falling back on your security paradigm.
51:00
Even identifying your security risks in the first place. And just like penetration testing your network to find out where you're vulnerable, you can have me come in and I'll tell you where you're vulnerable and return you some suggestions on what you need to do to become harder. Any other questions?
51:26
A digital bodyguard. It actually depends on the client. Like, if you're a high school student, then it's absolutely free. I'll give you free advice. If you're a major corporation, then it's relative to your size and scale.
51:41
And, you know, it's a dependent, I guess. Bags of money is good. Foreign random currencies are always welcome. Hard assets, gold. I accept all sorts of things.
52:04
OK. Well, I apparently should have... OK. Well, I have tons of videos online with speeches that I've done in the past and my demos were very successful. And it would be quite impressive if I could show you what I could do.
52:25
So, when I talk about shells and packers and crypto, that's the same stuff that you're going to use if you're writing malware. So, when you talk about having defenses that someone can't overcome, we have people that dedicate their entire career to overcoming defenses that malware authors use.
52:41
And everyone plays both sides. You have attackers and defenders, it's just whether you think you're on the right side or the wrong side. And if you're writing really bad malware and you want help writing better, harder malware to reverse engineer so it's more lethal, I mean, it's no different. Like, there's no difference between writing code that's good and code that's bad.
53:02
It's the same code, we all code in the same language. And here is what an obfuscator will slow the attacker. It will not apply to the entire program. It will only apply to the privates because if it affects the public, it might not interface with other programs. It tries to cause very low bugs
53:22
and it tries not to add new vulnerabilities. And that's pretty much what a obfuscator or any other obfuscator off the shelf will do, except for it's like, oh, I can phone home if someone tries tampering with me or I can do all of these extra features. And I have a threat matrix. This is one of their slides. There's a threat matrix of how much they can bring to you and how they can have you control your programs in the field
53:42
and let you do patch management and incident management and tamper alerts and this whole life cycle of power. And we can just come in and just subvert it. Just take out their phone home, repoint it to us. Take their patch management and repoint it to us. We can take any of their systems and it turns out the more complex your application is,
54:01
you can actually introduce whole new vulnerabilities. Like, say that application that had no password validation, right? What if it phoned home and pulled down a new payload for the newest version? And I can now throw out 10,000 of them, people download it and then they come to me and they say, I want the new version. It's like, here you go. Download and run all of these executables and I can root all of your boxes
54:22
and there's no AV to stop me because I made a change for what URL do you go to and what key do you go to, to pull a new version. And so when you talk about as you add security, don't just add security for the sake of security and oh, it's so secure because for every single thing you add,
54:41
you could be opening up a new vulnerability. And if you're talking about a critically secure environment and it's phoning home and pulling down new payloads and that's acceptable, that's ridiculous. If you're talking about something you don't care about and it's your kid's phone and it goes out and pulls down new payloads, like that's only dangerous to what it can get to.
55:00
So we can talk about security, but it's more about building an actual defensible architecture and taking into account your threats, what you're willing to lose, what you're willing to have other people risk or you risk. And it's dependent. Like sometimes you build your tool for a friendly environment. That's fine.
55:20
You build your tool, someone can get a rock and just come and smash right through it. Or you can be building your tool to go and kill people and you know people are going to be attacking it and throwing rocks and they're going to want to stop you because you're crushing them. And you build your tool differently. You just have a different mindset from the get-go and you start wrapping it in different layers of offensive and defensive tech.
55:41
And this is just a choice. It's an ROI on time, it's an ROI on all sorts of things. And you simply architect a different product. It's not a layer you add on. You can add layers, but if you don't have a secure architecture you can have all the layers you want and you're still going to be crippled in the end. There is no layer that will protect you.
56:03
Because if you don't actually have a secure, stable infrastructure, you can't build a secure, stable infrastructure on top of it. If it's underpinning by crap, there's always going to be an underpinning of crap. So if you do stability and security, do it from the ground up. Do it from the protocols, the technology.
56:21
Do it all the way through. And so all of this security, that's what we take care of. We just bust through it. You're not supposed to be able to open a door and there's people that are supposed to be able to go through any door that's locked. And we all have this ability. We can all kick down a door, we can all pick a lock, we can all bust through a wall. We just choose not to.
56:40
And us as developers have that choice. When someone hands you a DLL, you can go through and say, no, I want this DLL to be different. And so, here, this is this application. In my newest version that was buggy. You can come into a DLL and say, I want this entire executable to be public.
57:02
And it goes through and makes every single function public. And every single class public. And so when you're talking about an API, you can just API any executable or DLL. You can reach in and put a line of code that calls you every time a function is called. You can now root anyone else's application
57:21
and use it like it was your own. And then drag and drop this into Visual Studios and start calling it. And not worry about public and private anymore. And of course, with reflection, I have some papers up on my website, Reflections Hidden Power. And it'll show you how to use reflection to tunnel into an application and start accessing publics and privates like it doesn't matter.
57:41
But this makes it so you can drag and drop it in Visual Studios, have IntelliSense and then start calling into their executable and firing constructors and rooting it and controlling it from a very deep level. And you can eventually accomplish anything you want. With enough time and effort, you can cripple any system. You can attack every single aspect of it.
58:00
And then you can either use that to attack something else or you can just have fun with it. And some of the ways I'm going is attacking core systems or attacking games, allowing kids to add ponies to any application or allowing people to add keyloggers to any application. This is just code. This is just research and tools that I'm supplying to the community free of charge. Everything I'm doing is not open source,
58:21
but you have access to the source code. You have the access to any source code that you can get a hold of in executable form. Like I said, this is not any different than C++. There's tools IDA Pro. You can use IDA Pro to get C source code back. It's $1,500, but you can go and get C source code back. There was Softice that was free back in the 90s.
58:41
And then it was bought up. And so this isn't new. This isn't something fundamentally groundbreaking. This is just a free tool that happens to be targeted at the new stuff and still no one's defending it. And if we start defending it now, hopefully we'll have it defended in the future. Because that Visual Studios attack that I showed you is since 2004.
59:01
Microsoft is not going to fix it. The next version of Visual Studios is going to have the same flaw. I can go onto the Internet, upload source code all over the Internet and have you download it and now I can infect you through Visual Studios. Like that's a critical vulnerability and Microsoft doesn't care. It's a core feature of Visual Studios. And now I have access to your box. I have access to all of your developer keys.
59:21
I have access to all of your databases. I have access to all of what your developers develop. When you're talking about attacking a corporation, like, oh, I have HR, if I have your developers and I can push malware to your SVN and I can have you distribute that to your clients, that's lethal. And Microsoft doesn't care. And why not? Why doesn't Microsoft care?
59:40
No one's attacking it. It's a feature. We know about it. But they don't try and mitigate it. We can run threads in a safe context. We can run threads with mitigated rights. They could choose anytime they're going to run arbitrary code, do it in a mitigated environment or never run arbitrary code. They're not going to choose to do this until there's community or legal action.
01:00:00
until someone is critically wounded and loses $1 billion and then sues Microsoft because this was a vulnerable aspect. And that's why I'm here. I'm trying to encourage security through needing it. By seeing this, you now have a way to go to your management and say we need to invest in security because any high schooler can come and SQL
01:00:21
inject our servers from our desktop app and wipe our database and it takes them 15 clicks. And this is lethal. And without this, you could never get funding to get security to secure your servers from being attacked by your clients because why would we spend 300 hours on something that we know is secure? And you won't unless you need it. I'm trying
01:00:41
to encourage needing it. And Microsoft loves malware. That's why they leave it out because they want all of you to be easily rootable. I can go and put it on CodePlex and that's a great marketing ploy. I mean, why wouldn't Microsoft want to put malware on all your machines? Of course. Here's what I recommend you use from the security arena.
01:01:02
I have a little different paradigm shift. I was a developer. Now I'm in the security arena. So here's what I kind of see of programs you might want to consider using. I like reSharper, productivity tools and color schemes. That's great for visual studios. What about hacking? I'll go back. Go for it. You're welcome. He wants to take a picture.
01:01:24
It's nice. Yeah. Hacking and cracking. I like sandboxes because you can easily trap your application and then dissect it. Instead of having to dig all around the computer, you can just trap it and dissect it. It's real easy. And sandbox is not that expensive.
01:01:40
It's great. Virtualbox, it's good. It's free. And when you're dealing with applications that you don't want to phone home or you're dealing with malware or you want some environment that you can go and fiddle with the core .NET framework, Virtualbox will save you so many formats. And when you're going up and cracking it, use Process Explorer. It'll
01:02:02
tell you what DLLs it's referencing. When you're attacking something, it'll be referencing a native image instead of the real DLL. So you'll go and edit a DLL and it won't work. Nothing will happen because it's actually using the native image. Because normally when you change a DLL, it changes the strong key name signing and says, oh, you're using a different DLL, let me recash it. When you fake sign a DLL, it uses the one out of
01:02:23
the native cache as though nothing had changed. Firewalls are great. Outbound firewalls will let you know when someone's trying to phone home, what port, all that is great. And winhex. It's much more important than you might think. So being able to view hex. Why is that important? Because it turns out that when you develop an application and
01:02:43
you start shipping it out, you ship out all sorts of metadata. You ship out your computer name, your directories, and all that. And so I got burned by this when I was first starting out. So I like to tell everyone. And here's a malware running feature.
01:03:00
So when you come into this project and you come to properties, you come to build, and then in this box down here, advanced, under build, do you want to ship your debug information? This has your directory of your execution build. So whatever directory you're building it in, your computer name, all of that is with this debug information. And so you come in here and change it to none. And typically you do this under
01:03:24
your release configuration. PDB only to none. And now you're not shipping out your computer name. You go back in with that hex editor and you look for your personal information. So when you modify someone's executable and you ship them the fix that
01:03:40
I can ship someone a fix to their application that's not open source, I probably don't want to ship them my computer name. I'm going to go and find an anonymous proxy on the Internet and send it to them and I don't want my computer name on there. And this is how you clean your personally identifiable information. And, yeah, I mean, as a community, we can now go and say application A is secure, application B is
01:04:02
insecure. Let's upgrade it. I can now make a security fix and deploy it to you to deploy on a third-party application. And so you can make upgrades to other people's applications and we don't have to just say, oh, it's not open source, I can't affect it. Yes, you can. You can write a patch for anyone, anywhere. Like malware, you can forcibly
01:04:22
patch, but you can forcibly patch for good. Like the difference between a developer and a hacker is a hacker wants to hurt someone and a developer wants to develop. Like, no, the difference between a hacker and a developer is a hacker has rules and then they break those rules. A developer has rules and then they try and make patterns and they try and make ways to develop better ways to adhere to those rules. And that's the fundamental difference.
01:04:44
There's hackers good and bad. There's white hat, black hat. There's bad developers and there's good developers. There's shitty hackers and there's shitty developers. It's neither good nor bad. You can forcibly patch anyone, anywhere. And for security, use Tor, use TrueCrypt, use convergence. Tor will bounce you through a public proxy network
01:05:06
through seven of them and it's considered to be relatively secure. When you go through Tor, you'll come out and you'll be relatively untraceable. Use TrueCrypt, you'll drop your hard drive into an encrypted state, it'll give you multiple passwords and you have plausible deniability. You type in one password, it'll give you one data set. You type
01:05:22
in a different password, it'll give you a different data set. And you can start defending yourself. And this is anyone that cares about their data on their system that they could lose can start using these things. If you don't want one of your competitors tracking you when you go to their website, use Tor. If you don't want one of your developers losing their hard drive, then there's that. If you don't want one of your developers
01:05:43
being tortured and giving up the password to their hard drive, then use a deniable password and have six passwords. And convergence. It breaks you off of the trust model of SSL and it takes you to a community-driven trust model. I recommend these things. I like them. And when you look inside of applications, you can see what's really there that was
01:06:01
hidden and denied to you all this time. You can see how do they do what they do. You can start learning from them. You can start saying application A is secure because they do MD5 hashing or they have really strong crypto. Application B is insecure. You can say the data sent home is critical and vulnerable or what's going home is fine
01:06:20
or it's security critical or you are going to patch their application so it no longer phones home because you think that's a security vulnerability for your enterprise. And you can. We can modify our Xbox, right? You can go and buy a third-party application and turn off the phone home and that's legit. And this is just a choice. We can say in our enterprise, no application will go through our firewall. Application requires
01:06:42
phoning home. We're not going to let it. We're going to say no, we're going to use this application. You're not going to phone home and we're going to just take control. And we can. And it's a choice. It's easy. We can say you're not using your crypto, right? You say you're federally compliant. It would be FIPS in America. I don't know what it would be here. But you're adhering to standards. Well, you can actually say, yes,
01:07:04
you're using crypto but you're not using crypto correctly. Or you can say, yes, you've implemented it but you're not implementing it correctly. Because who's to say that like right before you print it and send it out to everyone that someone didn't drop a back door in there? Well, now you can take your deployed copy and you can vet it. And you can say,
01:07:21
okay, we looked at it and the crypto was secure. It wasn't our crypto that was compromised. So on and so forth. We can start doing this for ourselves. And yeah, I recommend it. Hope you enjoyed it. Any questions? Sure. Value? No. Well, okay. So say you do
01:07:55
your native image caching, right? And where do you store it? It's not signed.
01:08:03
And so you inject that back into your DLL and you store it inside of your DLL. And it's changed the signing. And so now you either have to make some complex rolling forward crypto system that you can't. And ultimately you would have to be hashing every single DLL every time you run it. And you would also have to give up caching. And Microsoft
01:08:21
made that choice for you. You can go into the registry and turn that bypass off. But then you can just go one step farther and then take out that security mechanism that does that validation. And you can go up the stack. But it's not a defensible platform. It's not something that will win. The XBox, the iPhone, all of these do that. And none of them
01:08:48
seem to work ever. Any other questions? Cool. Well, thanks for coming. And hope you use this stuff.
Recommendations
Series of 110 media
Series of 150 media
Series of 163 media
Series of 170 media
Series of 96 media