#1
03-12-2009, 04:10 AM
rongchaua
Senior Member
Join Date: Apr 2007
Posts: 91

.NET Framework Rootkits

An interesting paper on .NET reverse engineering:

.NET Framework Rootkits:
Backdoors inside your
Framework
November, 2008
Erez Metula

Link download:
http://www.applicationsecurity.co.il...=161&mid=555

The main idea:
Quote:
Upon request for this DLL from other executables running inside the framework, the framework will search for the required DLL based on its version and signature. The framework will not check for the actual signature but instead will rely on the signature mentioned in the directory file name.
To put it in other words, the signature of the DLL itself is irrelevant; the only thing that matters is the directory in which it is located.
Source:
http://www.applicationsecurity.co.il...=161&mid=555

Tool:
http://www.applicationsecurity.co.il...=161&mid=555

Module:
http://www.applicationsecurity.co.il...=161&mid=555
__________________
My site: http://rongchaua.net
#2
03-12-2009, 05:58 AM
Kurapica
Senior Member
Join Date: May 2006
Location: Archives
Posts: 357

Thanks, my friend...
Nice paper.
__________________
Life can only be understood backwards but It must be read forwards.
#3
03-12-2009, 06:46 AM
rongchaua
Senior Member
Join Date: Apr 2007
Posts: 91

Hi Kurapica,
Test this research if you have time. I myself cannot believe that it can be bypassed so easily. I will start testing in the next few days.

More info about this bug:
Quote:
Sometime later, when an application attempts to load your signed assembly:

1. The .NET assembly loader calculates the cryptographic digest of the current assembly contents. This is known as the run-time digest.
2. The loader extracts the stored compile-time digest and public key from the assembly.
3. The loader uses the public key to decrypt the compile-time digest.
4. The loader then compares the run-time digest with the decrypted compile-time digest to ensure they match. If not, then the assembly has been modified since you compiled it, and the assembly load fails.

This process is different when loading shared assemblies from the GAC. Because assemblies are verified when they are first installed into the GAC, and they cannot be modified while in the GAC, the .NET assembly loader does not verify an assembly when loading it from the GAC. This can improve the startup speed of your application if you load many shared assemblies.
__________________
My site: http://rongchaua.net

Last edited by rongchaua : 03-12-2009 at 08:16 AM.
#4
03-12-2009, 07:43 PM
rongchaua
Senior Member
Join Date: Apr 2007
Posts: 91

GAC Verifier

I wrote a small tool called GAC Verifier to detect this kind of rootkit.

http://rongchaua.net/tools-mainmenu-36/129-gac-verifier

It will scan the GAC folder and tell us which assemblies are not correctly signed. Such assemblies can be modified to work for the rootkit.

Regards.
rca.
__________________
My site: http://rongchaua.net
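An added check in the same spirit as GAC Verifier (example code, not rongchaua's tool): it walks the GAC, compares the public key token encoded in each assembly's directory name with the token in the assembly's own metadata, and forces the full strong-name signature verification that, per the quoted text above, the runtime skips for GAC loads. It assumes Windows PowerShell on the .NET Framework, the default GAC roots under C:\Windows, and that mscoree.dll still exports the legacy StrongNameSignatureVerificationEx function.

```powershell
# Added example, not GAC Verifier itself. Walks the GAC and reports assemblies
# that fail either check; the runtime does not repeat them for GAC loads.
# Assumes Windows PowerShell on .NET Framework and the legacy
# StrongNameSignatureVerificationEx export in mscoree.dll.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class SnCheck {
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    public static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] out bool pfWasVerified);
}
"@

function Test-GacAssembly {
    param([Parameter(Mandatory)][string]$Path)
    # Token the loader trusts: the directory name is <version>__<token>
    # (v4.0_<version>__<token> in the .NET 4 GAC).
    $dirName  = Split-Path (Split-Path $Path -Parent) -Leaf
    $dirToken = ($dirName -split '__')[-1]
    # Token actually embedded in the assembly's own metadata.
    $asmName   = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    $realToken = ($asmName.GetPublicKeyToken() |
                  ForEach-Object { $_.ToString('x2') }) -join ''
    # Force a full signature check, ignoring any sn -Vr skip entries.
    $wasVerified = $false
    $sigOk = [SnCheck]::StrongNameSignatureVerificationEx($Path, $true, [ref]$wasVerified)
    [pscustomobject]@{
        Assembly     = $Path
        DirToken     = $dirToken
        RealToken    = $realToken
        TokenMatches = ($dirToken -eq $realToken)
        SignatureOk  = $sigOk
    }
}

# NativeImages_* holds ngen output, which is not strong-name signed and
# would only produce false positives, so it is skipped.
$roots = 'C:\Windows\assembly', 'C:\Windows\Microsoft.NET\assembly'
Get-ChildItem $roots -Recurse -Include *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\NativeImages_' } |
    ForEach-Object {
        $p = $_.FullName
        try { Test-GacAssembly $p } catch { Write-Warning "Skipped $p : $_" }
    } |
    Where-Object { -not $_.TokenMatches -or -not $_.SignatureOk }
```

Any row it prints is an assembly whose on-disk content no longer matches what its GAC location claims, which is exactly the swap the paper relies on.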
#5
03-19-2009, 04:10 AM
sirp
Senior Member
Join Date: Apr 2008
Posts: 76

yo

nice tool, thx, checked my framework ;) thank god, not rooted ;)
#6
03-19-2009, 07:34 AM
Kurapica
Senior Member
Join Date: May 2006
Location: Archives
Posts: 357

Nice tool rongchaua, thanks for coding.
__________________
Life can only be understood backwards but It must be read forwards.