The .NET is a Dangerous Place (Part 1)

In 2011, I was fortunate enough to attend OWASP's AppSec USA conference in the wonderful city if Minneapolis, MN.  While both the training and talks I attended were very good, one talk in particular stood out and that was  "Hacking .NET (C#) Applications: The Black Arts" given by a very bright individual named Jon McCoy.  From the abstract:

This talk will focus on attacking the .NET Runtime, Framework DLLs, Security of .NET

In this presentation, Jon demoed two tools that I want to talk about today, Gray Wolf and Gray Dragon.

Gray Dragon is an injection system to inject .NET application at runtime

Gray Wolf is a reverse engineering tool.  Currently it is in a late beta stage It is similar to IL-Spy but this has a focus on edit/attack.
GrayWolf was a tool I created to carry out research. The focus is on editing applications to make change quickly.

What can it do:
Edit IL(Live)
Add payloads
Edit attributes(public/privet)
Copy strong names signing on EXE/DLL

Now, in case you've missed his talks or have no idea about the tools and their purpose(s), I strongly recommend checking out the videos uploaded to his site under the Speech Videos section.  For today's post, we're going to need the following items:

*We'll be cheating a little bit and using DotNetasploit's injection capability to inject into our target process at runtime due to a .NET conflict I haven't had time to resolve.  Please note that the injection functionality is nearly identical between the two tools, so if you have problems with Gray Dragon, use DotNetasploit as demo'ed here.

**Also note that when you download DotNetasploit, your AV might trigger on slater32.dll.  This file is not a virus and can/should be trusted.  As always, if you have any doubts, please run the tools within a VM that you don't mind losing.

The Target Program

The target program we're using is The B.E.S.T. KeyGen, namely we're attacking the bundled executable, BestAppEver.exe.  Upon initially launching BestApEver.exe, a program runs which looks like the below.


If you want, try and enter a name and key which will return the message "Your must have typed it wrong!"  Our goal now is to get past this and crack the application.  Generally speaking, there's two ways this can be done.  The first way would be to reverse the binary and build a keygen based on the key generation/validation routine, but that's hard.  The second way, which is how we'll be doing it, is to inject into the application using DotNetasploit, find the key checking routine, and patch the binary so that it accepts our key regardless of whether or not it's valid.


DotNetasploit gives us two very important components: a thread-safe injection mechanism and a spike.  In terms of injection, a spike is a secondary program that is injected into the target process' address space and allows us to manipulate the process and execute our code from within.  This is analogous to a syringe filled with a binary payload.

Two injectors are available with DotNetasploit for 32 and 64 bit executables.  Since this is a 32 bit OS and executable, we'll use the corresponding injector, Injector32.exe which is located in %path%\DotNetasploit\Injector.  When we open this tool, we see the below window which also provides a process list of all running .NET processes.


This next part is pretty simple.  You can select the process you wish to inject into either by selecting the PID/process name from the list on the right, or you can click and drag the target icon over the process window.  Leave the DLL slater32.dll (don't worry about this for the time being) and select "Inject."  After we inject into our process we see slate v1.0 which is another component of DotNetasploit that's used to push our binary into the target process.


From this window, select Main Code and navigate to %Path%\Gray Wolf\Payloads\Spikes\ and select HackButtons-o.exe.  HackButtons-o.exe is what we'll inject into the process to help us manipulate the process and get to know more about it.  After selecting HackButtons-o.exe, click "Load Main" and you should see the magic buttons appear.  The UI for BestAppEver now looks like this (or at least it should).


Woah what is, that what happened, where am I?!  Relax friend, mission accomplished.  The reason those buttons are now attached to the window is because that's our HackButtons-o.exe running inside the the target.  The call is coming from inside the house!  These buttons provide us with the ability to do various things to the application, and of particular use today is the pink "ASK" button which lets us select a UI component and interrogate the controls to learn more about the code it's executing.  If you're confused, think of it this way.  When we click Unlock, ~something~ happens - a function is called that does key verification, and we want to know what that code is, what it's called, and what it looks like.   If that doesn't make sense, it will shortly.

So we've inject into our process, we now have our code running inside the process, and we want to use that code to do things, namely help us reverse the unlocking function.  Truthfully, in a small app like this, it would be trivial to just decompile the entire binary and see what's going on, but that not only defeats the purpose of the demo, it also doesn't showcase the coolness of these tools.  Moving on, the ASK button will tell us what code is firing behind a certain UI control.  In the case of the unlock button, left-click the ASK button so it looks like "--R--" and from there, right-clicking any UI component will reveal more information about what's happening in the background.  After the first right-click on the unlock button, we see the below.


This is not the window we're looking for, this window just tells us about the UI control itself which isn't of much interest right now.  Clicking OK produces another window, which is when it gets interesting.  Refer to the next image.


What we're seeing here is a chunk of MSIL that's firing when we click unlock (if you're feeling pedantic, we're not actually executing MSIL, but this is helps us see what's happening)!  Pretty cool.  And because we now know what's being executed, TestKey.KeyCheck(), we can start reversing that function.

At this point, you can close up Gray Dragon, DotNetasploit, and BestAppEver.  Our injected code gave us enough information from the running process to look at it statically using the next tool, Gray Wolf.  Remember, we're after KeyCheck() now.

If you've followed along this far, congratulations!  Be sure to check back next week when we introduce Gray Wolf and review its reversing and IL editing capabilities.