Didier Stevens » .NET

.NET Shellcode

Didier Stevens — Tue, 13 Apr 2010 00:00:22 +0000

As it is easy to instantiate the CLR in a process and load an assembly from C-code, I developed shellcode to load a .NET assembly in the injected process.

This allows you to leverage the extended Framework Class Library in your penetration tests.

Detecting EICAR With a .NET Micro-controller

Didier Stevens — Wed, 30 Dec 2009 22:07:51 +0000

I’ve been playing with a .NET Micro Framework micro-controller: the USBizi. A few of its interesting characteristics are that you program it in C# with Visual Studio and that in-circuit debugging (including single-stepping) is supported.

The .NET Micro Framework has no assemblies to support USB in host mode (only guest mode), but the USBizi comes with assemblies for host mode providing support for removable drives like USB sticks. To illustrate this feature, I wrote a program to scan the files on a USB stick for the EICAR test file and replace the content with a message appropriate for the time of the year.

Some ideas I’ve for this device: program it as a hardware keylogger, a hardware password vault, …

using System.Threading;
using System;
using System.IO;
using Microsoft.SPOT.Hardware;
using Microsoft.SPOT;
using Microsoft.SPOT.IO;
using GHIElectronics.System.SystemDevices;
using GHIElectronics.System;
using GHIElectronics.System.IO;
using GHIElectronics.Hardware;

namespace USBiziEICARDetector
{
    public class Program
    {
        static string sEICAR = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

        static void Main()
        {
            Boolean bFoundEicar;
            Debug.Print("Starting...");
            while (true)
            {
                // must start system first, no event is associated
                SystemManager.Start(null);
                // wait till we have a device
                while (SystemManager.GetDevices().Length == 0)
                    Thread.Sleep(500);
                // get a list of devices
                Device[] devices = SystemManager.GetDevices();
                // look for a device
                foreach (Device device in devices)
                {
                    // this loop will run once for every device
                    if (device.deviceType == DeviceType.Drive)
                    {
                        try
                        {
                            // USB drive is inserted
                            // Create a new storage device
                            PersistentStorage PS = new PersistentStorage(device.deviceID);
                            // now everything works just like on SD cards....
                            // Mount the file system
                            PS.MountFileSystem();
                            // Assume one storage device is available, access it through NETMF
                            string rootDirectory = VolumeInfo.GetVolumes()[0].RootDirectory;
                            bFoundEicar = false;
                            string[] files = Directory.GetFiles(rootDirectory);
                            Debug.Print("Files on root of USB drive...");
                            foreach (string file in files)
                            {
                                Debug.Print(file);
                                Boolean bFileIsEICAR = false;
                                FileStream fs = File.OpenRead(file);
                                Debug.Print(fs.Length.ToString());
                                if (fs.Length == sEICAR.Length)
                                {
                                    char[] acEICAR = sEICAR.ToCharArray();
                                    for (int iIter = 0; iIter < sEICAR.Length; iIter++)
                                    {
                                        int iByte = fs.ReadByte();
                                        if (acEICAR[iIter] != iByte)
                                            break;
                                        if (iIter == sEICAR.Length - 1)
                                        {
                                            bFoundEicar = true;
                                            bFileIsEICAR = true;
                                        }
                                    }
                                }
                                fs.Close();
                                if (bFileIsEICAR)
                                {
                                    byte[] abHappyNewYear2010 = {
                                        0x0D, 0x0A, 0x0D, 0x0A, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20,
                                        0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58,
                                        0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x58, 0x20, 0x20, 0x58,
                                        0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58,
                                        0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x0D, 0x0A, 0x0D, 0x0A};

                                    File.WriteAllBytes(file, abHappyNewYear2010);
                                    Debug.Print("EICAR found!");
                                }
                            }
                            Debug.Print("... end of list!");
                            // if we need to unmount
                            Thread.Sleep(500);
                            PS.UnmountFileSystem();
                            Thread.Sleep(500);
                            PS.Remove();
                            OutputPort LED = new OutputPort(USBizi.Pins.E2x, false);
                            if (bFoundEicar)
                            {
                                Debug.Print("bFoundEicar = true");
                                BlinkXTimes(LED, 4, 300);
                            }
                            else
                            {
                                Debug.Print("bFoundEicar = false");
                                BlinkXTimes(LED, 2, 300);
                            }
                        }
                        catch (Exception e)
                        {
                            Debug.Print("Exception:");
                            Debug.Print(e.Message);
                        }
                    }
                }
                Thread.Sleep(500);
                SystemManager.Reboot(SystemManager.RebootMode.Normal);
            }
        }

        public static void BlinkXTimes(OutputPort LED, int times, int milliseconds)
        {
            for (int i = 0; i < times; i++)
            {
                LED.Write(true);
                Thread.Sleep(milliseconds);
                LED.Write(false);
                Thread.Sleep(milliseconds);
            }
        }
    }
}

CASToggle and The Polymorphic Podcast

Didier Stevens — Wed, 20 Feb 2008 10:15:52 +0000

Craig Shoemaker, a good friend, Microsoft MVP and host of The Polymorphic Podcast, sweetened my little CASToggle quiz by trowing in a license for a Microsoft .NET development tool. Check out hist post. Thanks Craig!

BTW, The Polymorphic Podcast is about object oriented development, not about polymorphic malware. Polymorphism is also a programming language concept.

When you look at the comments of my previous blogpost, you’ll read that we have a winner. Let me fill you in on the details.

Caspol requires administrative credentials to disable CAS enforcement:

The reason is that the setting for disabled CAS enforcement is implemented with a mutex owned by the BUILTIN\Administrators group. As a non-admin user, you can also create this mutex, but it will be owned by your account, not by the administrator group. And the CLR checks the ownership of the mutex and will only acknowledge it when it is owned by BUILTIN\Administrators.

But my CASToggle tool does not use a mutex. CASToggle allows you to directly manipulate the variable in the CLR where the status of the mutex is stored. This variable can have 3 values:

0: uninitialized, this means that the CLR has not yet looked for the presence of the mutex. This is the case when your .NET program starts to run.
1: CAS enforcement disabled, this means that the CLR has found the mutex.
2: CAS enforcement enabled, this means that the CLR has not found the mutex.

The CLR will only perform a single check for the presence of the mutex. That’s why changing the CAS enforcement policy with caspol has no effect on running .NET programs.

Did you know that the CLR runs in your own process memory? And did you know that in Windows, you have full control over your own processes, even as a limited user? To manipulate the process of another user (e.g. reading and writing to the virtual memory owned by the target process), you need the debug privilege (local admins have this privilege by default). But you don’t need this privilege for your own processes.

That’s what differentiates CASToggle from caspol. If you’re a local admin (or you have the debug privilege, to be more precise), you can use CASToggle on any process. But as a limited user, you can still use it to disable CAS enforcement for your own processes.

I’ve been doing some research on security mechanisms implemented in the user’s own process space. The design of these security mechanisms is fundamentally flawed, because a limited user has full control over his own processes and can thus bypass the security mechanism. He just needs internal knowledge about the mechanisms (or a tool), and then he can bypass it because he has the rights to do so.

Robust security mechanisms are implemented in process space that is off-limit to normal users. This can be inside the kernel (like the reference monitor) or inside user-land space of a protected account (like services that run under the local system account).

Fine-Grained Control over Code Access Security

Didier Stevens — Tue, 12 Feb 2008 07:12:28 +0000

With Code Access Security (CAS) in the .NET Framework, Microsoft introduced a whole new security layer on top of Windows security.

If you need to temporarily disable CAS, for example during a debugging session, you can use the caspol utility. The command caspol -security off will disable CAS enforcement as long as the caspol tool is running (this is true for .NET 2.0 and later). If you are interested in the implementation details: it’s done via a mutex.

One issue with caspol -security is that its effect is system-wide. If you need to unit test .NET assemblies by repeatedly toggling CAS enforcement, the caspol utility lacks some control. Not only your assembly will be affected by the toggle, but every other assembly on the machine. And the setting only takes effect for assemblies started after the caspol command was issued. When you re-enable CAS enforcement, it will only affect new processes. Running programs continue to ignore CAS, they have to be restarted for the new setting to take effect.

My new utility, CASToggle, gives you more control over CAS enforcement. First of all, it operates on a per-process basis. You have to specify the process ID of the program for which you want to switch CAS enforcement. Second: the effect is immediate, you don’t have to restart the program.

Example:

castoggle 123 1 – this will immediately disable CAS enforcement for process 123
castoggle 123 2 – this will immediately enable CAS enforcement for process 123

CASToggle controls CAS enforcement by directly manipulating the appropriate variable in the process memory of the targeted program. So it’s best to use CASToggle only for testing purposes. When you look at the source code of CASToggle, you’ll notice that most of the code is there to ensure that it manipulates the correct memory location. For example, it will check the version of mscorwks.dll before it attempts to access the process memory. But if the DLL is not loaded at its base address (e.g. because of ASLR on Vista or Windows 2008), the program could manipulate the wrong memory location and cause the program to crash. Unknown DLL versions cause the tool to break-off without accessing the process memory. I’ve tested CASToggle on Windows XP SP2, Windows 2003 and Vista with different versions of .NET (2.0 and up).

To see CASToggle at work, take a look here on YouTube, hires (XviD) version here.

Oh, and there is one more thing that differentiates CASToggle from caspol, but I’m not going to tell you right now. Can you figure it out? Post a comment! First one to figure it out gets the honors!