dot net
TRANSCRIPT
![Page 1: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/1.jpg)
1
.NET
Matthew ConoverMay 2002
![Page 2: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/2.jpg)
2
What is .NET?• .NET = dumb name• .NET is a framework• .NET is OS and platform
independent• .NET is language-insensitive• .NET specs are publicly available
![Page 3: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/3.jpg)
3
Topics of Discussion• Introduction to .NET• Assemblies and Metadata• Microsoft’s implementation of .NET• .NET Hook Library
(dotNetHookLibrary)
![Page 4: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/4.jpg)
4
Introduction to .NET• .NET Specifications
– Partition I – Architecture– Partition II – Metadata– Partition III – Common Intermediate Language– Partition IV – Library– Partition V – Annexes– Class Library (XML specification)
![Page 5: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/5.jpg)
5
Introduction to .NET• Base Class Library (BCL)
– Shared among all languages• Common Language Runtime (CLR)
– Hosts managed code
![Page 6: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/6.jpg)
6
Introduction to .NETBase Class Library
• Similar to Java’s System namespace.
• Used by all .NET applications• Has classes for IO, threading,
database, text, graphics, console, sockets/web/mail, security, cryptography, COM, run-time type discovery/invocation, assembly generation
![Page 7: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/7.jpg)
7
Introduction to .NET• Common Language Runtime (CLR)
– Common Type System (CTS)– Execution Engine (EE)
![Page 8: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/8.jpg)
8
Introduction to .NETCommon Language
Runtime• Common Type System
– Specifies certain types required to be hosted by CLR
– Specifies rules for class, struct, enums, interface, delegate, etc.
– Everything is actually an object
![Page 9: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/9.jpg)
9
Introduction to .NETCommon Language
Runtime• Execution Engine
– Compiles Microsoft Intermediate Language (MSIL) into native code
– Handles garbage collection– Handles exceptions– Enforces code access security (sandbox)– Handles verification
• Managed v. Unmanaged
![Page 10: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/10.jpg)
10
Introduction to .NET
BCL
Assembly
Class Loader
JIT
Machine Code
External Assembly
CLR
![Page 11: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/11.jpg)
11
Assemblies• .NET Library/Executable (PE file
format)• Single-file or multi-file assemblies• Modular design
– Eliminates DLL problems– Locations resolved at runtime
• Components:– Metadata– MSIL (or native) code
![Page 12: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/12.jpg)
12
AssembliesPhysical Layout
MSDOS Header
PE Section Headers
PE Header
Includes .NET Header
Code section
Data section
Relocations section
.text (includes Metadata)
.rsrc or .data
.reloc or .rdata
Single-file Assembly
![Page 13: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/13.jpg)
13
Assemblies• .NET Executable (PE file format)• Single-file or multi-file assemblies• Modular design• Components:
– Metadata– MSIL (or native) code
![Page 14: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/14.jpg)
14
AssembliesMetadata
• Contains all .NET application data• Very revealing!
– Needed for MSIL compilation– Assembly can be converted to native format
• Streams or heaps (sections of related data)
![Page 15: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/15.jpg)
15
AssembliesMetadata
Signature, Version, Flags
Stream count (n)Metadata Header
Data offset
Stream size
Name (variable length)
Stream Header 1
Stream bodies 1-n
Stream Header n…
…
![Page 16: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/16.jpg)
16
Assemblies Streams
• #Strings (a.k.a. strings heap)– Array of strings
• #US (a.k.a. user strings heap)– Array of strings used by application at runtime
• #GUID– Array of GUIDs (16 bytes each)
• #Blob– Contains compressed binary data
• #- or #~– Contains tables of methods, fields, etc.
![Page 17: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/17.jpg)
17
Assemblies#~ and #- Stream
Version
Heap sizes
Valid tables (n)
…
Tables Header
Table row count Valid Table 1
Valid Table n
… Tables 1-n
![Page 18: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/18.jpg)
18
AssembliesTables in #~/#- Stream
• In a predefined order– MethodDef = table 6– Param table = table 8
• Each table contains specific types– MethodDef = method definitions– TypeDef = type definitions– AssemblyRef = assemblies references
• Tables interact with each other• Tables interact with certain heaps
![Page 19: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/19.jpg)
19
AssembliesSample - MethodDef Table
Relative Virtual Address (RVA)
Implementation flags
Method flags
Method name offset In #Strings
Method signature offset
Parameters index
In #Blob
In Param table
Offset to method
![Page 20: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/20.jpg)
20
AssembliesSample - MethodDef Table
Flags
Sequence number
Parameter name offset In #Strings
Flags
Parameter count
Return type
Parameter types
Method Signature Blob
Param Table
![Page 21: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/21.jpg)
21
AssembliesSample - func(int arg)
funcMethodDef
…
Paramarg
#Strings
#Blob
“func”“arg”
func method signature
arg type signature
…
…
…
![Page 22: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/22.jpg)
22
Assemblies• .NET Executable (PE file format)• Single-file or multi-file assemblies• Components:
– Metadata– MSIL (or native) code
![Page 23: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/23.jpg)
23
AssembliesMSIL
• Pseudo-assembly– Converted into native code– Object “aware” intermediate language– Examples: nop, break, ret, call, callvirt,
newobj, newarr, add, mul, xor, arglist, sizeof, throw, catch, dup
• Supports up to 512 opcodes– 0xFE = first byte of two byte opcodes
• All calls are stack-based
![Page 24: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/24.jpg)
24
AssembliesCall Stack
1
Stack topthis pointer
2
ldc.i4.1
ldc.i4.2
call ClassType::func(Int32, Int32)
`
Left-to-right ordering
ClassType a;
a.func(1, 2)
C# MSIL
![Page 25: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/25.jpg)
25
Assemblies• Sample IL
![Page 26: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/26.jpg)
26
AssembliesMSIL
ldc.i4.s 9
call Print(Int32)MSIL
Assembler0x1f 0x09
0x28 0x06000006
Method token
• Uses “tokens” instead of pointers
![Page 27: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/27.jpg)
27
AssembliesTokens
• A replacement for pointers • References a row in a table
Token
Table Number Row Index
Upper 8 bits Lower 24 bits
![Page 28: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/28.jpg)
28
AssembliesMSIL Samples
• ld = load on stack, st = store from stack• stloc
– Stores a value from the stack into local variable
• ldarg– Puts an argument on the stack
• ldelem– Puts the value of an element on the stack
![Page 29: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/29.jpg)
29
Microsoft’s .NET Implementation
• File locations• System libraries• .NET application flow
![Page 30: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/30.jpg)
30
Microsoft’s .NET ImplementationFile Locations
• Framework: %SystemRoot%\Microsoft.NET
• Global Assembly Cache (GAC): %SystemRoot%\Assembly +– \GAC– \NativeImages*
![Page 31: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/31.jpg)
31
Microsoft’s .NET Implementation
• File locations• System libraries• .NET application flow
![Page 32: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/32.jpg)
32
Microsoft’s .NET Implementation System Libraries
• mscoree.dll (execution engine)• mscorwks.dll (does most
initialization)• mscorjit.dll (contains JIT)• mscorlib.dll (BCL)• fusion.dll (assembly binding)
![Page 33: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/33.jpg)
33
Microsoft’s .NET Implementation System Libraries
mscoree.dll
mscorwks.dll
mscorlib.dllfusion.dll mscorjit.dll
![Page 34: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/34.jpg)
34
Microsoft’s .NET Implementation
• File locations• System libraries• .NET application flow
![Page 35: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/35.jpg)
35
Microsoft’s .NET Implementation.NET Application Flow
Application mscoree.dll
mscorwks.dll
Main
_CorExeMain
_CorExeMain
CoInitializeEE
Entry point
![Page 36: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/36.jpg)
36
Microsoft’s .NET Implementation.NET Application Flow
• Jumps to _CorExeMain (mscoree)• Calls _CorExeMain in mscorwks.dll• _CorExeMain calls CoInitializeEE• CoInitializeEE calls:
– EEStartup– ExecuteEXE
![Page 37: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/37.jpg)
37
EEStartup• GCHeap.Initialize• ECall.Init
– SetupGenericPInvokeCalliStub– PInvokeCalliWorker
• NDirect.Init• UMThunkInit.UMThunkInit• COMDelegate.Init• ExecutionManger.Init• COMNlsInfo.InitializeNLS
![Page 38: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/38.jpg)
38
EEStartup (cont.)• Security::Start• SystemDomain.Init• SystemDomain.NotifyProfilerStartup (ICorProfiler)• SystemDomain.NotifyNewDomainLoads• SystemDomain.PublishAppDomainAndInformDebug
ger (ICorPublish/ICorDebug)
![Page 39: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/39.jpg)
39
SystemDomain.Init• LoadBaseSystemClasses• SystemDomain.CreatePreallocatedExceptions
![Page 40: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/40.jpg)
40
LoadBaseSystemClasses• SystemDomain.LoadSystemAssembly
– Loads mscorlib.dll• Binder::StartupMscorlib• Binder::FetchClass(OBJECT)• MethodTable::InitForFinalization• InitJITHelpers2• Binder::FetchClass(VALUE)• Binder::FetchClass(ARRAY)
![Page 41: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/41.jpg)
41
LoadBaseSystemClasses• Binder.FetchType(OBJECT_ARRAY)• Binder.FetchClass(STRING)• Binder.FetchClass(ENUM)• Binder.FetchClass(ExceptionClass)• Binder.FetchClass(OutOfMemoryExceptionClas
s)• Binder.FetchClass(StackOverflowExceptionClas
s)
![Page 42: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/42.jpg)
42
LoadBaseSystemClasses• Binder.FetchClass(ExecutionEngineExceptionClass)• Binder.FetchClass(DelegateClass)• Binder.FetchClass(MultiDelegateClass)
![Page 43: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/43.jpg)
43
.NET Application Flow• Jumps to _CorExeMain (mscoree)• Calls _CorExeMain in mscorwks.dll• _CorExeMain calls CoInitializeEE• CoInitializeEE calls:
– EEStartup– ExecuteEXE
![Page 44: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/44.jpg)
44
ExecuteEXE• StrongNamesignatureVerification
– In mscorsn.dll• PEFile::Create
– Loads executable• ExecuteMainMethod• FusionBind.CreateFusionName• Assembly.ExecuteMainMethod
![Page 45: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/45.jpg)
45
ExecuteMainMethod• Thread.EnterRestrictiedContext• PEFile::GetMDImport• SystemDomain.SetDefaultDomainAttrib
utes– Sets entry point
• SystemDomain.InitializeDefaultDomain• BaseDomain.LoadAssembly
![Page 46: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/46.jpg)
46
ExecuteEXE• StrongNamesignatureVerification
– In mscorsn.dll• PEFile::Create
– Loads executable• ExecuteMainMethod• FusionBind.CreateFusionName• Assembly.ExecuteMainMethod
![Page 47: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/47.jpg)
47
Assembly.ExecuteMainMethod
• Assembly::GetEntryPoint• ClassLoader::ExecuteMainMethod
– EEClass:FindMethod(entry point token)
![Page 48: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/48.jpg)
48
EEClass.FindMethod• ValidateMainMethod• CorCommandLine.GetArgvW• MethodDesc.Call
– MethodDesc.IsRemotingIntercepted– MethodDesc.CallDescr calls
MethodDesc.CallDescrWorker– CallDescrWorker calls Main()
![Page 49: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/49.jpg)
49
.NET Application• Main() needs to be compiled• Main() calls PreStubWorker (mscorwks)• PreStubWorker
– Compiles all MSIL methods– Calls MethodDesc.DoPrestub
![Page 50: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/50.jpg)
50
MethodDesc.DoPrestub• MethodDesc.GetSecurityFlags• MethodDesc.GetUnsafeAddrofCode• MethodDesc.GetILHeader• MethodDesc.GetRVA• COR_DECODE_METHOD
– Decode tiny/fat format• Security._CanSkipVerification
![Page 51: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/51.jpg)
51
MethodDesc.DoPrestub (cont.)
• EEConfig.ShouldJitMethod• MakeJitWorker
– JITFunction
![Page 52: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/52.jpg)
52
JITFunction• ExecutionManager::GetJitForType
– EEJitManager::LoadJIT– Loads mscorjit.dll (in LoadJIT)– Calls getJit in mscorjit (in LoadJIT)
• CallCompileMethodWithSEHWrapper– Debugger.JitBeginning– CILJit.compileMethod– Debugger.JitComplete
![Page 53: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/53.jpg)
53
CILJit.compileMethod• Calls jitNativeCode • jitNativeCode
– Compiler.compInit– Compiler.compCompile
![Page 54: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/54.jpg)
54
Compiler.compCompile• Compiler.eeGetMethodClass• Compiler.eeGetClassAttribs• emitter.emitBegCG• Compiler.eeGetMethodAttribs• Compiler.comptInitDebuggingInfo• Compiler.genGenerateCode• emitter.emitEndCG
![Page 55: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/55.jpg)
55
Compiler.genGenerateCode
• emitter.emitBegFN• Compiler.genCodeForBBlist• Compiler.genFnProlog• Compiler.genFnEpilog• emitter.emitEndCodeGen• Compiler.gcInfoBlocKHdrSave• emitter.emitEndFN
![Page 56: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/56.jpg)
56
.NET Hook – What It Is• An API for hooking .NET assemblies• Includes a sample application that
will insert a NOP into all “interesting” methods
![Page 57: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/57.jpg)
57
.NET Hook – What It Does• Reads through method table• Reads method
– Parses header, code, EH data• Hooks interesting functions
– Inserts hooked code at front of method– Stored at the end of the .text section
• Updates PE and section headers• Changes function RVAs in Metadata
![Page 58: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/58.jpg)
58
.NET Hook - API• Load(string AssemblyName)• Hook(HookedFunction Function)• Save()
![Page 59: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/59.jpg)
59
.NET Hook - Hook• Specifies a callback function• Callback function receives a
HookedFunction
![Page 60: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/60.jpg)
60
.NET Hook - HookedFunction
• Name (I.e., “Main”)• FullName (I.e., “void Class1::Main(string[]
args”)• DeclaringTypeName (I.e., “Class1”)• ReturnType (I.e., “void”)• Parameters[] (includes name and type)• Header[] and HeaderSize• Code[] and CodeSize• EHData[] and EHSize
![Page 61: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/61.jpg)
61
.NET Hook Hooked Assembly
Metadata
Functions
Import Address Table End of old .text section
.text section
Hooked FunctionsEnd of
new .text section
References both
![Page 62: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/62.jpg)
62
AssembliesHooked Method
RVA
Implementation flags
Method flags
Method name offset
Signature offset
Parameters index
Hooked method
Original methodMethodDef table entry
![Page 63: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/63.jpg)
63
.NET Hook Tiny Method Body
• Header size = 1 byte• Used when:
– Code size < 64 bytes– Maximum stack size is less than 8– The method has no local variables– No exceptions
Header (flags and code size)
Method body (MSIL)
![Page 64: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/64.jpg)
64
.NET Hook Hooked Tiny MethodHeader (flags and code size)
Hooking code (MSIL)
Method body (MSIL)
Updated
Inserted
![Page 65: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/65.jpg)
65
.NET Hook Fat Method
Header size = 12 bytesFlags
Header size
Max. stack sizeCode sizeLocal var. signature Describes local variablesMethod body (MSIL)
Extra data sections Currently only used for exceptions
![Page 66: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/66.jpg)
66
.NET HookHooked Fat Method
Flags
Header size
Max. stack sizeCode sizeLocal var. signature
Method body (MSIL)Extra data sections
Hooking code (MSIL) Inserted
Updated
Updated
![Page 67: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/67.jpg)
67
.NET Hook Demo
![Page 68: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/68.jpg)
68
.NET Hook - Next Steps• Better type handling• Don’t break exception handling• More developers needed
![Page 69: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/69.jpg)
69
Summary• .NET Framework is made up of BCL & CLR• .NET applications stored in assemblies• .NET Hook manipulates assemblies• Assemblies contain Metadata & MSIL code• Metadata contains streams• The #~/#- stream contains tables• Tables contain the important stuff
![Page 70: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/70.jpg)
70
More Information• .NET Specifications:
– http://msdn.microsoft.com/net/ecma• SSCLI and .NET Framework SDK
– http://msdn.microsoft.com/netframework/
• .NET Hook– http://dotnethook.sourceforge.net
![Page 71: Dot Net](https://reader033.vdocuments.us/reader033/viewer/2022061120/546c5847b4af9f75218b4b02/html5/thumbnails/71.jpg)
71
Acknowledgements• Entercept’s Ricochet Team
– http://www.entercept.com/ricochet• w00w00
– http://www.w00w00.org