Reverse code engineering of .NET applications
Shukhrat Nekbaev
Supervised by
Dr. Simo Juvaste
Master’s thesis.
August 12, 2013
School of Computing
University of Eastern Finland, Joensuu, Finland.
Acknowledgements
First of all I would like to thank my family for all their support and understanding.
Special thanks to Jussi Parkkinen and everyone related to IMPIT program for the
opportunity to study at the UEF.
In particular, I would like to thank my thesis supervisor Dr. Simo Juvaste for
the fantastic “Parallel programming” course whose mind-intensive homeworks caused
sleepless nights for many students and, without a doubt, it was worth it.
Special thanks to Daniel Pistelli [1], an author of several articles and tools used in
this research, who kindly agreed to proofread it.
Thanks to all my friends for their valuable comments and for just being around
when needed. Last but not least, huge thanks to George Carlin [2], a brilliant stand-up
comedian who has influenced my view of life.
[1] http://www.ntcore.com
[2] http://en.wikipedia.org/wiki/George_Carlin
Abstract
This work is a research into the reverse code engineering of .NET applications in
which the operational principles of the .NET Framework are analyzed. It is based on
studying the changes introduced to the structure of the Windows Portable Executable
file format (PE) in order to accommodate .NET specific requirements. Moreover, the
thesis presents information about the .NET application execution process and its
runtime handling, and points out the differences in the protection schemes between
unmanaged and managed applications.
The study provides insight into some of the most popular .NET application reverse
engineering methods and common protection schemes applicable to .NET. A
concrete commercial application was selected for the conclusive part of the practical
chapter. This is due to it being protected by an interesting, yet powerful and heavily
obfuscated virtual machine based code protector. What’s more, no information on
its analysis was available on the Internet at the time of writing.
Furthermore, an example of an attack during runtime is shown and the potential
benefits of such an attack are evaluated. Lastly, the advantages of attacking the .NET
Framework itself are considered.
Keywords: reverse code engineering, .NET Framework, protection analysis, disassembly,
decompilation, static analysis, debugging, code protection, intellectual property
DISCLAIMER
THE INFORMATION PROVIDED IN THIS WORK IS FOR EDUCATIONAL
PURPOSES ONLY. THE USE OF THIS MATERIAL FOR
ANY AND ALL ILLEGAL PURPOSES IS STRICTLY PROHIBITED
AND THE MATERIAL ITSELF IS NOT TO BE TREATED AS A SOURCE
OF INSPIRATION FOR SUCH ACTIVITIES. IT CANNOT BE USED
TO INITIATE LEGAL PROCEEDINGS AGAINST THE AUTHOR HIMSELF
AND/OR AUTHORS REFERENCED THROUGHOUT THE MATERIAL.
THE READER HEREBY AGREES TO HAVE A NEUTRAL
OPINION ON THE SUBJECT.
Contents
Abstract
Disclaimer
List of figures
List of abbreviations
1 Introduction
  1.1 The topic
  1.2 Motivation behind the topic and thesis problem statement
  1.3 Scope of the thesis
  1.4 Structure of the thesis
2 Background
  2.1 Java exists already, why use .NET?
  2.2 .NET Framework structure
  2.3 From source code to executable binary
    2.3.1 .NET Assembly
    2.3.2 Physical layout of internal structures
    2.3.3 CLR’s perspective
  2.4 .NET application execution
    2.4.1 Execution: step one
    2.4.2 Execution: step two
  2.5 Execution security
3 Practical part
  3.1 Part 1: Common RCE techniques applicable to .NET