hacking c
play

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL - PowerPoint PPT Presentation

Mar 15, 2024 •110 likes •481 views

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

  1. Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK

  2. About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET Internals Cookbook. http://blog.adamfurmanek.pl contact@adamfurmanek.pl furmanekadam 2 19.08.2020 HACKING C# - ADAM FURMANEK

  3. You always show how to use machine code and other hacks to (…) but you could just show how all these hacks work. KEVIN GOSSE 3 19.08.2020 HACKING C# - ADAM FURMANEK

  4. Agenda Avoiding dynamic dispatch. Awaiting async void methods. Running machine code from a byte array. ◦ Hijacking methods. ◦ Running things on other desktops. ◦ Catching unhandled exceptions. ◦ Catching SOE. Abusing type system. ◦ Serializing non-serializable type. ◦ Implementing multiple inheritance. 4 19.08.2020 HACKING C# - ADAM FURMANEK

  5. Avoiding dynamic dispatch 5 19.08.2020 HACKING C# - ADAM FURMANEK

  6. Dynamic Dispatch 6 19.08.2020 HACKING C# - ADAM FURMANEK

  7. IL CALL CALLVIRT The call instruction calls the method indicated The callvirt instruction calls a late-bound by the method descriptor passed with the method on an object. That is, the method is instruction . The method descriptor is a chosen based on the runtime type of obj metadata token that indicates the method to rather than the compile-time class visible in call and the number, type, and order of the the method pointer. arguments that have been placed on the stack Callvirt can be used to call both virtual and to be passed to that method as well as the instance methods. calling convention to be used. 7 19.08.2020 HACKING C# - ADAM FURMANEK

  8. Dispatch 8 19.08.2020 HACKING C# - ADAM FURMANEK

  9. Awaiting async void methods 9 19.08.2020 HACKING C# - ADAM FURMANEK

  10. Awaiting async void We cannot do it directly as method returns nothing. We need to implement custom synchronization context. To handle exceptions we need to write custom task scheduler. 10 19.08.2020 HACKING C# - ADAM FURMANEK

  11. await async void 11 19.08.2020 HACKING C# - ADAM FURMANEK

  12. Catch exceptions in async void 12 19.08.2020 HACKING C# - ADAM FURMANEK

  13. Running machine code from a byte array 13 19.08.2020 HACKING C# - ADAM FURMANEK

  14. Function Typically is JIT-compiled but can be pregenerated (ngen or ready-to-run). Must have a machine code (or multiple of them). Has specific calling convention (parameters via registers + via stack). Has metadata represented via Method Descriptor (or handle). 14 19.08.2020 HACKING C# - ADAM FURMANEK

  15. Machine code Is NOT an assembly code — one assembly mnemonic represents many machine instructions. Cannot be easily read backwards in x86 — instructions have different lengths. Needs to adhere to the endianess. Is not different from data — it’s always a bunch of bytes. Must adhere to memory page permissions (page must be executable). 15 19.08.2020 HACKING C# - ADAM FURMANEK

  16. Machine code https://defuse.ca/online-x86-assembler.htm Useful page for disassembling the code. 16 19.08.2020 HACKING C# - ADAM FURMANEK

  17. Marshal.GetDelegateForFunctionPointer Converts an unmanaged function pointer to a delegate. ptr is converted to a delegate that invokes the unmanaged method using the __stdcall calling convention on Windows, or the __cdecl calling convention on Linux and macOS. 17 19.08.2020 HACKING C# - ADAM FURMANEK

  18. Jump We can take existing machine code and modify in place. Then we can jump anywhere. Jumps are relative — they jump „by” offset. Jump 123 means jump 123 bytes forward. To do an absolute jump we can use push + ret trick. 18 19.08.2020 HACKING C# - ADAM FURMANEK

  19. ByteToFunc 19 19.08.2020 HACKING C# - ADAM FURMANEK

  20. Method hijacking 20 19.08.2020 HACKING C# - ADAM FURMANEK

  21. Desktop hack 21 19.08.2020 HACKING C# - ADAM FURMANEK

  22. Exceptions in other threads Unhandled exception kills the application in most cases. If it happens on a thread pool it is held until awaiting and then propagated if possible (thrown out of band for async void ). Catching unhandled exception with AppDomain.CurrentDomain.UnhandledException doesn’t stop the application from terminating. ThreadAbortException or AppDomainUnloadedException do not kill the application. In .NET 1 it was different: ◦ Exception on a thread pool was printed to the console and the thread was returned to the pool. ◦ Exception in other thread was printed to the console and the thread was terminated. ◦ Exception on the finalizer was printed to the console and finalizer was still working. ◦ Exception on the main thread resulted in application termination. 22 19.08.2020 HACKING C# - ADAM FURMANEK

  23. Hijacking thread creation 23 19.08.2020 HACKING C# - ADAM FURMANEK

  24. Catching with shim 24 19.08.2020 HACKING C# - ADAM FURMANEK

  25. Catching with shim 25 19.08.2020 HACKING C# - ADAM FURMANEK

  26. Catching StackOverflowException in C# 1. Generate machine code on the fly. 2. Register VEH handler with P/Invoke. 3. Use „SetJump LongJump” like approach: 1. Store registers. 2. Call method generating SOE. 3. Restore registers in VEH handler. 4. Rely on VEH mechanism to perform the jump. 4. Continue. 26 19.08.2020 HACKING C# - ADAM FURMANEK

  27. Catching StackOverflowException in C# 27 19.08.2020 HACKING C# - ADAM FURMANEK

  28. Abusing type system 28 19.08.2020 HACKING C# - ADAM FURMANEK

  29. Abusing type system Methods assume parameters have correct types. Types are checked by the C# compiler and when loading the module. call/callvirt instructions do not check types. Methods do not check types. Instance is just a bunch of bytes. It has no methods associated. 29 19.08.2020 HACKING C# - ADAM FURMANEK

  30. Abusing type system 30 19.08.2020 HACKING C# - ADAM FURMANEK

  31. Serialization 31 19.08.2020 HACKING C# - ADAM FURMANEK

  32. Multiple Inheritance 32 19.08.2020 HACKING C# - ADAM FURMANEK

  33. Summary You need to remember about all platform components. You need to understand Operating System and .NET interoperability. You need to know your CPU architecture. And you need to be careful. Ultimately — it’s just a bunch of bytes. 33 19.08.2020 HACKING C# - ADAM FURMANEK

  34. Q&A 34 19.08.2020 HACKING C# - ADAM FURMANEK

  35. References Jeffrey Richter - „CLR via C#” Jeffrey Richter, Christophe Nasarre - „Windows via C/C++” Mark Russinovich, David A. Solomon, Alex Ionescu - „Windows Internals” Penny Orwick – „ Developing drivers with the Microsoft Windows Driver Foundation ” Mario Hewardt, Daniel Pravat - „Advanced Windows Debugging” Mario Hewardt - „Advanced .NET Debugging” Steven Pratschner - „ Customizing the Microsoft .NET Framework Common Language Runtime ” Serge Lidin - „Expert .NET 2.0 IL Assembler” Joel Pobar, Ted Neward — „Shared Source CLI 2.0 Internals” Adam Furmanek – „.NET Internals Cookbook” https://github.com/dotnet/coreclr/blob/master/Documentation/botr/README.md — „Book of the Runtime” https://blogs.msdn.microsoft.com/oldnewthing/ — Raymond Chen „The Old New Thing” 35 19.08.2020 HACKING C# - ADAM FURMANEK

  36. References https://blog.adamfurmanek.pl/2020/01/11/net-inside-out-part-14-calling-virtual-method-without-dynamic-dispatch/ — Calling virtual method without dynamic dispatch https://blog.adamfurmanek.pl/2018/10/06/async-wandering-part-5/ — Catching exceptions from async void https://blog.adamfurmanek.pl/2018/10/13/net-inside-out-part-9-generating-func-from-a-bunch-of-bytes-in-c-revisited/ — Generating Func from a bunch of bytes in C# revisited https://blog.adamfurmanek.pl/2017/05/27/how-to-override-sealed-function-in-c-revisited/ — How to override sealed function in C# Revisited https://blog.adamfurmanek.pl/2020/02/29/net-inside-out-part-15/ — Starting process on different desktop https://blog.adamfurmanek.pl/2017/06/03/capturing-thread-creation-to-catch-exceptions/ — Capturing thread creation to catch exceptions https://blog.adamfurmanek.pl/2018/04/07/handling-stack-overflow-exception-in-c-with-veh/ — Handling Stack Overflow Exception in C# with VEH https://blog.adamfurmanek.pl/2020/04/11/net-inside-out-part-16/ — Abusing type system https://blog.adamfurmanek.pl/2020/04/18/net-inside-out-part-17/ — Abusing types to serialize non-serializable type https://blog.adamfurmanek.pl/2016/04/30/custom-memory-allocation-in-c-part-2/ — List copying objects https://blog.adamfurmanek.pl/2019/08/10/custom-memory-allocation-in-c-part-12/ — Hiding objects from GC https://blog.adamfurmanek.pl/2019/09/14/custom-memory-allocation-in-c-part-13/ — In-place serialization 36 19.08.2020 HACKING C# - ADAM FURMANEK

  37. Thanks! CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 37 19.08.2020 HACKING C# - ADAM FURMANEK

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

488 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

879 views • 66 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Mr. Robot, an Emmy Award-winning TV drama starring a vigilante hacker CS 88S Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review last weeks material Hack Hollywood Hacking: The Good, The

718 views • 45 slides
Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized cybercrime Joseph Menn Agenda Agenda Why Russia matters (and differs from China) Why Russia matters (and differs from China) How three hackers got

557 views • 12 slides
Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de Department of Computer Science, University of Mannheim (on leave to the

389 views • 21 slides
Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

ISA 330 Introduction to Proactive System Security Week #1 Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program University of Hawai'i West Oahu 1 Ethical Hacking Topics Introductions Syllabus

1.17k views • 88 slides
Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is as old as the trade of hacking Common Characteristics: Physical access (at least within transmission range of EM/Accoustic signals). Seemingly

252 views • 22 slides
Hacking Magento: Creating an HTML5 Canvas Customizer on Magento Bundles Phillip Jackson

Hacking Magento: Creating an HTML5 Canvas Customizer on Magento Bundles Phillip Jackson

Hacking Magento: Creating an HTML5 Canvas Customizer on Magento Bundles Phillip Jackson @philwinkle Lead Magento Architect Something Digital NEW Hacking Magento Hacker: 1. who makes innovative customizations or combinations of

850 views • 62 slides
Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a

Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a

Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a Hacking combus in a Paradox security system Paradox security system Hackfest Decade Quebec, Canada Author Lead researcher at Possible

517 views • 36 slides
ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017

ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017

ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017 Stanislav paek Pavel eleda, Martin Draar, Martin Vizvry Introduction Hacking Team Story Began as a security services provider in 2003

324 views • 17 slides
Hacking 101: Hacking 101: Understanding the Top Web Application Understanding the Top Web

Hacking 101: Hacking 101: Understanding the Top Web Application Understanding the Top Web

San Francisco Chapter San Francisco Chapter Hacking 101: Hacking 101: Understanding the Top Web Application Understanding the Top Web Application Vulnerabilities and How to Protect Vulnerabilities and How to Protect Against the Next Level

1.53k views • 136 slides
Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October 24, 2018 PostgreSQL Source Code Hacking PostgreSQL Final Code PostgreSQL Subsystems Hacking the PostgreSQL Way Stephen Frost Chief Technology

1.12k views • 36 slides
Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com FOSDEM 2019 February 3,

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com FOSDEM 2019 February 3,

Hacking PostgreSQL Stephen Frost Crunchy Data stephen@crunchydata.com FOSDEM 2019 February 3, 2019 PostgreSQL Source Code Hacking PostgreSQL Final Code PostgreSQL Subsystems Hacking the PostgreSQL Way Stephen Frost Chief Technology

783 views • 37 slides
How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria Author Lead researcher at Possible Security, Latvia Hacking and

700 views • 29 slides

More recommend