Entry Demonstration

Introduction

This article is the second of a two series of articles about the .NET Framework internals and the protections available for .NET assemblies. This article analyzes more in depth the .NET internals. Thus, the reader should be familiar with the past article, otherwise certain paragraphs of this article may seem obscure. As the JIT inner workings haven’t been analyzed yet, .NET protections are quite naïve nowadays. This situation will rapidly change as soon as the reverse engineering community will focus its attention on this technology. These two articles are aimed to raise the consciousness about the current state of .NET protections and what is possible to achieve but hasn’t been done yet. In particular, the past article about .NET code injection represents, let’s say, the present, whereas the current one about .NET native compiling represents the future. What I’m presenting in these two articles is new at the time I’m writing it, but I expect it to become obsolete in less than a year. Of course, this is obvious as I’m moving the first steps out from current .NET protections in the direction of better ones. But this article isn’t really about protections: exploring the .NET Framework internals can be useful for many purposes. So, talking about protections is just a means to an end.

What is Native Compiling?

Strictly speaking it means converting the MSIL code of a .NET assembly to native machine code and then removing the MSIL code from that assembly, making it impossible to decompile it in a straightforward way. The only existing tool to native compile .NET assemblies is the Salamander.NET linker which relies on native images to do its job. The “native images” (which in this article I called “Native Framework Deployment”) technique is quite distant from .NET internals: one doesn’t need a good knowledge of .NET internals to implement it. But, as the topic is, I might say, quite popular, I’m going to show to the reader how to write his Native Framework Deployment tool if he wishes to. However, the article will go further than that by introducing Native Injection, which means nothing else than taking the JIT’s place. Even though this is not useful for commercial protections (or whatever), it’s a good way to play with JIT internals. I’m also going to introduce Native Decompiling, which is the result of an understanding of .NET internals. I’m also trying to address another topic: .NET Virtual Machine Protections.

Native Images

The internal format of native images is yet undocumented. It also would be quite hard documenting it as it constantly changes. For instance, it completely changed from version 1 to version 2 of the .NET framework. And, as the new framework 3.5 SP1 has been released a few days ago, it changed another time. I’m not sure on what extent it changed in the last version, but one change can be noticed immediately. The original MetaData is now directly available without changing the entry in the .NET directory to the MetaData RVA found in the Native Header. If you do that action, you’ll end up with the native image MetaData which isn’t much interesting. Also, in earlier native images (previous to 3.5 SP1 framework) to obtain the original MSIL code of a method, one had to add the RVA found in the MethodDef table to the Original MSIL Code RVA entry in the native header. This is no longer necessary as the MethodDef RVA entry now points directly to the method’s MSIL code.

.method public hidebysig virtual instance void
B(class ['Microsoft.Licensing.Utils2.0']Microsoft.Licensing.Utils.Xml.IXmlDataNode A_0) cil managed
{
// Code size       33 (0x21)
.maxstack  8
IL_0000:  ldarg.0
IL_0001:  ldarg.1
IL_0002:  ldstr      "ps:IncludeRules"
IL_0007:  ldc.i4.1
IL_0008:  call       instance void class Microsoft1Licensing1Runtime210GE::A(class ['Microsoft.Licensing.Utils2.0']Microsoft.Licensing.Utils.Xml.IXmlDataNode,
string,
valuetype Microsoft.Licensing.CodeRules.CodeRuleType)
IL_000d:  ldarg.0
IL_000e:  ldarg.1
IL_000f:  ldstr      "ps:ExcludeRules"
IL_0014:  ldc.i4.2
IL_0015:  call       instance void class Microsoft1Licensing1Runtime210GE::A(class ['Microsoft.Licensing.Utils2.0']Microsoft.Licensing.Utils.Xml.IXmlDataNode,
string,
valuetype Microsoft.Licensing.CodeRules.CodeRuleType)
IL_001a:  ldarg.0
IL_001b:  call       instance void class Microsoft1Licensing1Runtime210GE::E()
IL_0020:  ret
} // end of method Microsoft1Licensing1Runtime210GE::B

Native Framework Deployment

The name I gave to this sort of protection may appear a bit strange, but it will appear quite obvious as soon as I have explained how it actually works. As already said, there’s no protection system other than the Salamander Linker which removes the MSIL and ships only native machine code. And, in order to do that, the Salamander Linker relies on native images generated by ngen. The Salamander Linker offers a downloadable demonstration on its home page and we will take a look at that without, of course, analyzing its code, as I don’t intend to violate any licensing terms it may imply. In this paragraph I’m going to show how it is technically quite easy to write a Native Framework Deployment tool, but I doubt that the reader will want to write one after reading this. Don’t get me wrong, the Salamander Linker absolutely holds its promise and actually removes the MSIL code from one’s application, but the method used faces many problems and in my opinion is not a real solution.

Goodbye Visual C++

Seems the new CFF Explorer will be compiled with GCC. More than one reason for that. Visual Studio 2008 doesn’t support anymore Windows 98 and NT4 without giving an explanation. The incompatibility is due to a major operating system version inside the Optional Header of the PE and to the fact that the C runtime library makes some unsupported calls. I could of course patch the whole thing and manage to make it run on those operating systems, but why should I? This is not my job. It should be Microsoft’s job to offer an alternative compiling method which provides backward compatibility. What angers me is that Microsoft not only doesn’t care about backward compatibility, they don’t even bother explaining why they had to remove the support for those operating system. The GCC (Mingw) runtime makes it possible to even compile Qt programs for Windows 98 (which is possible with VC++ 2005 too, but it forces me to use an older compiler). And, as I might not be interested so much in Windows 98, I really am interested in providing compatibility with NT4. Or, at least, if it doesn’t offer backward compatibility I want it to be for a better reason than the C runtime. I’m sick and tired of these decisions Microsoft imposes. Just like the XP support which soon will end (actually I haven’t understood if it ends this month or in April 2009). As I understood for OEMs it ends this month. Anyway, I managed to compile the CFF’s kernel with GCC and also fixed lots of errors signalled by that compiler. Another good reason to use GCC is that it’s cross platform, meaning that a port would be much easier. The only drawback of Mingw is that it has a very small (and not up-to-date) Windows SDK, but I’m not interested in that, especially for the CFF Explorer which should become 100% platform independent. At the moment I reached 97% platform independency. My only complaint is directed to the ansi C library. My goodness, you can’t do anything with the IO functions it provides. I’m grateful that they were so kind to provide 64bit support for files: fseek64, ftello64 etc. But there are lots of things missing. For instance, I am unable to truncate a file… In a normal world that would be: FILE *f = fopen(..); ftruncate(f, len);. No, that’s not possible at all in ansi C. That really bothers me, because it forces me to write platform dependent code for my basic programming interface.

EDIT: Seems the new QFile of Qt 4.4 implements the resize method for files and that would do just fine.

DisasMSIL and CFF Explorer

Today I wrote a free/open disasm engine for Microsoft’s Intermediate Language (MSIL).

http://ntcore.com/Files/disasmsil.htm

You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

I also added the MSIL disasm engine to the CFF Explorer which is now able to disassemble the methods’ code directly from the MetaData tables.

Rebel.NET

Today I’m releasing the Rebel.NET software and its official guide.

Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams. It’s possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.

As I have written the software and the article in this week when during my sickness (fever), I’m expecting bugs and typos. Please report them.

Of course, I’ve tested the Rebel.NET with more advanced .NET assemblies than those presented in the guide.

DynLogger

DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a “hidden” function used by an application.

I recycled the code of a bigger project to write this little application. It’s a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET application as well. Just start the logging process, the log will be saved after you quit the monitored application.