hacking c
play

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL - PowerPoint PPT Presentation

Mar 15, 2024 •110 likes •481 views

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

  1. Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK

  2. About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET Internals Cookbook. http://blog.adamfurmanek.pl contact@adamfurmanek.pl furmanekadam 2 19.08.2020 HACKING C# - ADAM FURMANEK

  3. You always show how to use machine code and other hacks to (…) but you could just show how all these hacks work. KEVIN GOSSE 3 19.08.2020 HACKING C# - ADAM FURMANEK

  4. Agenda Avoiding dynamic dispatch. Awaiting async void methods. Running machine code from a byte array. ◦ Hijacking methods. ◦ Running things on other desktops. ◦ Catching unhandled exceptions. ◦ Catching SOE. Abusing type system. ◦ Serializing non-serializable type. ◦ Implementing multiple inheritance. 4 19.08.2020 HACKING C# - ADAM FURMANEK

  5. Avoiding dynamic dispatch 5 19.08.2020 HACKING C# - ADAM FURMANEK

  6. Dynamic Dispatch 6 19.08.2020 HACKING C# - ADAM FURMANEK

  7. IL CALL CALLVIRT The call instruction calls the method indicated The callvirt instruction calls a late-bound by the method descriptor passed with the method on an object. That is, the method is instruction . The method descriptor is a chosen based on the runtime type of obj metadata token that indicates the method to rather than the compile-time class visible in call and the number, type, and order of the the method pointer. arguments that have been placed on the stack Callvirt can be used to call both virtual and to be passed to that method as well as the instance methods. calling convention to be used. 7 19.08.2020 HACKING C# - ADAM FURMANEK

  8. Dispatch 8 19.08.2020 HACKING C# - ADAM FURMANEK

  9. Awaiting async void methods 9 19.08.2020 HACKING C# - ADAM FURMANEK

  10. Awaiting async void We cannot do it directly as method returns nothing. We need to implement custom synchronization context. To handle exceptions we need to write custom task scheduler. 10 19.08.2020 HACKING C# - ADAM FURMANEK

  11. await async void 11 19.08.2020 HACKING C# - ADAM FURMANEK

  12. Catch exceptions in async void 12 19.08.2020 HACKING C# - ADAM FURMANEK

  13. Running machine code from a byte array 13 19.08.2020 HACKING C# - ADAM FURMANEK

  14. Function Typically is JIT-compiled but can be pregenerated (ngen or ready-to-run). Must have a machine code (or multiple of them). Has specific calling convention (parameters via registers + via stack). Has metadata represented via Method Descriptor (or handle). 14 19.08.2020 HACKING C# - ADAM FURMANEK

  15. Machine code Is NOT an assembly code — one assembly mnemonic represents many machine instructions. Cannot be easily read backwards in x86 — instructions have different lengths. Needs to adhere to the endianess. Is not different from data — it’s always a bunch of bytes. Must adhere to memory page permissions (page must be executable). 15 19.08.2020 HACKING C# - ADAM FURMANEK

  16. Machine code https://defuse.ca/online-x86-assembler.htm Useful page for disassembling the code. 16 19.08.2020 HACKING C# - ADAM FURMANEK

  17. Marshal.GetDelegateForFunctionPointer Converts an unmanaged function pointer to a delegate. ptr is converted to a delegate that invokes the unmanaged method using the __stdcall calling convention on Windows, or the __cdecl calling convention on Linux and macOS. 17 19.08.2020 HACKING C# - ADAM FURMANEK

  18. Jump We can take existing machine code and modify in place. Then we can jump anywhere. Jumps are relative — they jump „by” offset. Jump 123 means jump 123 bytes forward. To do an absolute jump we can use push + ret trick. 18 19.08.2020 HACKING C# - ADAM FURMANEK

  19. ByteToFunc 19 19.08.2020 HACKING C# - ADAM FURMANEK

  20. Method hijacking 20 19.08.2020 HACKING C# - ADAM FURMANEK

  21. Desktop hack 21 19.08.2020 HACKING C# - ADAM FURMANEK

  22. Exceptions in other threads Unhandled exception kills the application in most cases. If it happens on a thread pool it is held until awaiting and then propagated if possible (thrown out of band for async void ). Catching unhandled exception with AppDomain.CurrentDomain.UnhandledException doesn’t stop the application from terminating. ThreadAbortException or AppDomainUnloadedException do not kill the application. In .NET 1 it was different: ◦ Exception on a thread pool was printed to the console and the thread was returned to the pool. ◦ Exception in other thread was printed to the console and the thread was terminated. ◦ Exception on the finalizer was printed to the console and finalizer was still working. ◦ Exception on the main thread resulted in application termination. 22 19.08.2020 HACKING C# - ADAM FURMANEK

  23. Hijacking thread creation 23 19.08.2020 HACKING C# - ADAM FURMANEK

  24. Catching with shim 24 19.08.2020 HACKING C# - ADAM FURMANEK

  25. Catching with shim 25 19.08.2020 HACKING C# - ADAM FURMANEK

  26. Catching StackOverflowException in C# 1. Generate machine code on the fly. 2. Register VEH handler with P/Invoke. 3. Use „SetJump LongJump” like approach: 1. Store registers. 2. Call method generating SOE. 3. Restore registers in VEH handler. 4. Rely on VEH mechanism to perform the jump. 4. Continue. 26 19.08.2020 HACKING C# - ADAM FURMANEK

  27. Catching StackOverflowException in C# 27 19.08.2020 HACKING C# - ADAM FURMANEK

  28. Abusing type system 28 19.08.2020 HACKING C# - ADAM FURMANEK

  29. Abusing type system Methods assume parameters have correct types. Types are checked by the C# compiler and when loading the module. call/callvirt instructions do not check types. Methods do not check types. Instance is just a bunch of bytes. It has no methods associated. 29 19.08.2020 HACKING C# - ADAM FURMANEK

  30. Abusing type system 30 19.08.2020 HACKING C# - ADAM FURMANEK

  31. Serialization 31 19.08.2020 HACKING C# - ADAM FURMANEK

  32. Multiple Inheritance 32 19.08.2020 HACKING C# - ADAM FURMANEK

  33. Summary You need to remember about all platform components. You need to understand Operating System and .NET interoperability. You need to know your CPU architecture. And you need to be careful. Ultimately — it’s just a bunch of bytes. 33 19.08.2020 HACKING C# - ADAM FURMANEK

  34. Q&A 34 19.08.2020 HACKING C# - ADAM FURMANEK

  35. References Jeffrey Richter - „CLR via C#” Jeffrey Richter, Christophe Nasarre - „Windows via C/C++” Mark Russinovich, David A. Solomon, Alex Ionescu - „Windows Internals” Penny Orwick – „ Developing drivers with the Microsoft Windows Driver Foundation ” Mario Hewardt, Daniel Pravat - „Advanced Windows Debugging” Mario Hewardt - „Advanced .NET Debugging” Steven Pratschner - „ Customizing the Microsoft .NET Framework Common Language Runtime ” Serge Lidin - „Expert .NET 2.0 IL Assembler” Joel Pobar, Ted Neward — „Shared Source CLI 2.0 Internals” Adam Furmanek – „.NET Internals Cookbook” https://github.com/dotnet/coreclr/blob/master/Documentation/botr/README.md — „Book of the Runtime” https://blogs.msdn.microsoft.com/oldnewthing/ — Raymond Chen „The Old New Thing” 35 19.08.2020 HACKING C# - ADAM FURMANEK

  36. References https://blog.adamfurmanek.pl/2020/01/11/net-inside-out-part-14-calling-virtual-method-without-dynamic-dispatch/ — Calling virtual method without dynamic dispatch https://blog.adamfurmanek.pl/2018/10/06/async-wandering-part-5/ — Catching exceptions from async void https://blog.adamfurmanek.pl/2018/10/13/net-inside-out-part-9-generating-func-from-a-bunch-of-bytes-in-c-revisited/ — Generating Func from a bunch of bytes in C# revisited https://blog.adamfurmanek.pl/2017/05/27/how-to-override-sealed-function-in-c-revisited/ — How to override sealed function in C# Revisited https://blog.adamfurmanek.pl/2020/02/29/net-inside-out-part-15/ — Starting process on different desktop https://blog.adamfurmanek.pl/2017/06/03/capturing-thread-creation-to-catch-exceptions/ — Capturing thread creation to catch exceptions https://blog.adamfurmanek.pl/2018/04/07/handling-stack-overflow-exception-in-c-with-veh/ — Handling Stack Overflow Exception in C# with VEH https://blog.adamfurmanek.pl/2020/04/11/net-inside-out-part-16/ — Abusing type system https://blog.adamfurmanek.pl/2020/04/18/net-inside-out-part-17/ — Abusing types to serialize non-serializable type https://blog.adamfurmanek.pl/2016/04/30/custom-memory-allocation-in-c-part-2/ — List copying objects https://blog.adamfurmanek.pl/2019/08/10/custom-memory-allocation-in-c-part-12/ — Hiding objects from GC https://blog.adamfurmanek.pl/2019/09/14/custom-memory-allocation-in-c-part-13/ — In-place serialization 36 19.08.2020 HACKING C# - ADAM FURMANEK

  37. Thanks! CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 37 19.08.2020 HACKING C# - ADAM FURMANEK

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Mr. Robot, an Emmy Award-winning TV drama starring a vigilante hacker CS 88S Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review last weeks material Hack Hollywood Hacking: The Good, The

718 views • 45 slides
Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized cybercrime Joseph Menn Agenda Agenda Why Russia matters (and differs from China) Why Russia matters (and differs from China) How three hackers got

557 views • 12 slides
Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de Department of Computer Science, University of Mannheim (on leave to the

389 views • 21 slides
Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

ISA 330 Introduction to Proactive System Security Week #1 Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program University of Hawai'i West Oahu 1 Ethical Hacking Topics Introductions Syllabus

1.17k views • 88 slides
Breaking the hierarchy How Spotify enables engineer decision making Kristian Lindwall, Spotify

Breaking the hierarchy How Spotify enables engineer decision making Kristian Lindwall, Spotify

Breaking the hierarchy How Spotify enables engineer decision making Kristian Lindwall, Spotify Introduction 3 Section name Our employees are our most valued resource So where does it go wrong? 6 Section name Lets do this! 7

571 views • 44 slides
Mobile Applications in Context F. Ricci 2010/2011 Content What is context Rules for

Mobile Applications in Context F. Ricci 2010/2011 Content What is context Rules for

Mobile Applications in Context F. Ricci 2010/2011 Content What is context Rules for mobile application design Application classification by usage context Top mobile applications 2010 Assignment Context Definition

140 views • 13 slides
2012 MWF Conference Thursday, Sept 6 th @ 3pm Given by: Rose Rocchio, UCLA Mojgan Amini, UCSD

2012 MWF Conference Thursday, Sept 6 th @ 3pm Given by: Rose Rocchio, UCLA Mojgan Amini, UCSD

2012 MWF Conference Thursday, Sept 6 th @ 3pm Given by: Rose Rocchio, UCLA Mojgan Amini, UCSD What is ACTI-MWF ACTI = Advanced Core Technologies Ini4a4ve Bringing leaders together to focus on

147 views • 13 slides
How to give good seminar presentations some hints Friedemann Mattern , ETH Zurich February

How to give good seminar presentations some hints Friedemann Mattern , ETH Zurich February

How to give good seminar presentations some hints Friedemann Mattern , ETH Zurich February 2014 Ubicomp Seminar Topics FS 2014 Smart Environments 0. How to give a talk 7. Vision-based systems for autonomous driving and mobile robots

742 views • 16 slides
Icinga - Open Source Monitoring 04/08/2015 WWW.ICINGA.ORG Me EXCHANGE. DEV. WIKI. BLOG. DOC. |

Icinga - Open Source Monitoring 04/08/2015 WWW.ICINGA.ORG Me EXCHANGE. DEV. WIKI. BLOG. DOC. |

SIG-NOC Meeting - Stuttgart Icinga - Open Source Monitoring 04/08/2015 WWW.ICINGA.ORG Me EXCHANGE. DEV. WIKI. BLOG. DOC. | WWW.ICINGA.ORG Michael Friedrich @dnsmichi, 31, Austrian Application Developer @NETWAYS Icinga

1.67k views • 81 slides
AIMS 2014 Session: Available Mobile and Wireless Testbed AIMS 2014 S i A il bl M bil d Wi l

AIMS 2014 Session: Available Mobile and Wireless Testbed AIMS 2014 S i A il bl M bil d Wi l

GENI: Global Environment for Network Innovations AIMS 2014 Session: Available Mobile and Wireless Testbed AIMS 2014 S i A il bl M bil d Wi l T tb d Research Infrastructure Jim Martin Jim Martin Associate Professor School of Computing

238 views • 7 slides
Mobile Governance 2012 MWF Conference Rose Rocchio, OIT, UCLA

Mobile Governance 2012 MWF Conference Rose Rocchio, OIT, UCLA

Mobile Governance 2012 MWF Conference Rose Rocchio, OIT, UCLA Jeff Rosczyk, ITS, UCSC Mobile Governance Examples Mobile Governance EvoluGon @ UCLA Mobile

731 views • 16 slides
Selection of an article While selecting the article you would like to present, keep n into

Selection of an article While selecting the article you would like to present, keep n into

Selection of an article While selecting the article you would like to present, keep n into account that: Each article is assigned to a session (date) q Articles are related to different topics q Articles require different background

690 views • 16 slides

More recommend