Latest posts for the topic "[Paper] .NET Framework Rootkits - Backdoors inside your Framework"

[Paper] .NET Framework Rootkits - Backdoors inside your Framework
Erez Metula

This paper covers several ways to build rootkits for the .NET Framework so that EXEs/DLLs run on a modified framework and therefore behave differently than they would under normal conditions. "Code reviews" will not detect backdoors installed inside the framework, because the "payload" is not in the code but in the application on the framework. Writing framework rootkits allows an attacker to install a "reverse shell" inside the framework in order to steal sensitive information, fix encryption keys, disable security checks and carry out other dangerous actions.

- http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=wkKIknI%2btog%3d&tabid=161&mid=555
- http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=lJCfE83LS%2f8%3d&tabid=161&mid=555
- http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=Yq0PeSqeyBo%3d&tabid=161&mid=555
- http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=NyFyPgX0reg%3d&tabid=161&mid=555 (PowerPoint)
- http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=ycIS1bewMBI%3d&tabid=161&mid=555 (PDF)

Re: [Paper] .NET Framework Rootkits - Backdoors inside your Framework

http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html
Erez Metula
.NET Framework Rootkits: Backdoors inside your Framework

This presentation introduces application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation, and to hide malicious code inside its core. This presentation focuses on the .NET Framework, while covering various ways to develop malware (rootkits, backdoors, logic manipulation, etc.) for the .NET framework, by changing its behavior. It includes demos of information logging, reverse shells, backdoors, encryption keys fixation, and other nasty things. This presentation also introduces ".Net-Sploit" - a new tool for building MSIL malware that will enable the user to inject preloaded/custom payload to the Framework core DLL. The Whitepaper, .NET-Sploit, and source code can be found here

Erez Metula is a senior application security consultant, working as the application security department manager at 2BSecure. He has extensive hands-on experience performing security assessments, secure development consulting & training for clients in Israel and abroad such as banks, financial organizations, military, software development companies, telecom, and more. Erez is also a leading instructor for many information security trainings, especially on secure software development methodologies & techniques. He had lectured on advanced .NET security (and other development platforms) for worldwide organizations and is a constant speaker for conferences such as Microsoft .NET Security User Group, OWASP (Open Web Application Security Project), and more. He holds a CISSP certification and is toward graduation of an MSc in computer science.
 
Re: [Paper] .NET Framework Rootkits - Backdoors inside your Framework

Another approach was taken, revealed during this research. It was found out that the signature is used just to map to the correct directory name on the GAC; the SN mechanism does not check the actual signature of a loaded DLL but just looks for a DLL inside a directory with this signature name!

In the White Paper:

Upon request for this DLL from other executables running inside the framework, the framework will search for the required DLL based on his version and signature. The framework will not check for the actual signature but instead will rely on the signature mentioned in the directory file name.  

I will also re-examine this issue to be sure, and write my own exploit tool, because the bundled tool does not work on my machine.