Wednesday 30 September 17:00 - 17:30, Green room
Marcin Hartung (ESET)
Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.
A skilled researcher can often glance inside 'good old-fashioned' native executables and see what they do despite protection with strong packers. However, .NET files are different.
Analysing clean .NET files with dedicated tools shows us almost everything, but if the file is obfuscated we sometimes see nothing at all. In .NET analysis we face one main obstacle: the complex runtime, which introduces a level of abstraction and therefore makes debugging harder.
This paper combines analysis of methods collected from various sources with techniques drawn from the author's own experience, in order to improve sample management. It describes simple tricks for recovering strings after packer decryption and for logging the APIs used, as well as some more sophisticated examples.
All the problems addressed relate to real cases often encountered in the context of commercial packers or of custom protectors used by malware.
Such tricks can be used in one-off analyses, to place breakpoints at locations of interest, or as building blocks for constructing a powerful tool for analysing .NET samples.
Marcin Hartung is a programmer in the Software Protectors Analysis & Unpacking Team at ESET. He has been working with packers for a few years, focusing on .NET recently. A couple of years ago he was working at the university in the electronics & telecommunications area, during which time he co-authored a few papers. He also delivered some lectures on security at the university associated with ESET.