This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Rooting The CLR

From OWASP
Revision as of 15:44, 18 April 2009 by KirstenS (talk | contribs) (Rooting the CLR presentation - London DotNet User Group 22nd March)

Jump to: navigation, search

[draft page, there is still tons of information to add here]

Rooting the CLR presentation - London DotNet User Group 22nd March

Mp3 of presentation:


Description:

In this presentation Dinis Cruz will show how the .Net Framework can be modified in real-time using Rootkit-like techniques. This is possible due to the fundamental security design flaw within the .Net framework where the entire Framework (i.e. all dlls) are loaded into the .Net process. This creates a scenario where there is nothing stopping a malicious Full Trust .Net assembly or unmanaged code executed in that process to 'patch' the CLR itself. Demos include:

  • CLR patch that allows calls to private methods to succeed
  • CLR patch that allows corrupted Strong Named assemblies to be executed (i.e. ILDASM a signed .Net assembly, change it, ILASM it back into .exe format, and execute it without any exception been thrown)
  • Load core .Net framework dlls that come from directories under my control (for example c:\fusion.dll)
  • MSIL Patch on all Deny and Demand methods so that they always return without any exception being thrown, which disables most CAS protections in the running assembly (the only caveat with this demo is that the 'MSIL patch' must be applied before those methods are JITED)
  • Extra demo: Unpathed ILDASM / ILASM buffer overflow