Reverse Engineering .NET, presented by: Joe Kuemerle @jkuemerle
TRANSCRIPT
Reverse Engineering .NET
Presented By: Joe Kuemerle @jkuemerle
www.speakerrate.com/jkuemerle

Background of Joe Kuemerle
Lead Developer at PreEmptive Solutions
Over 14 years of development experience with a broad range of technologies
Focused on application and data security, coding best practices and regulatory compliance
Presenter at user groups, code camps, CodeMash 2009 and MSDN Developer Conference 2009

Why Reverse Engineer?

Reasons To Reverse Engineer
Curiosity – see how things work
Risk Management – see what the bad guys see
Recovery – recover lost / damaged source
Illegal Activity – be the bad guy
Random fact: According to a 2007 FBI study 70% of network abuse is due to insiders.

Ease of Reverse Engineering .NET
Why is it easy to reverse engineer .NET?
◦ All high level source is compiled to MSIL
    IL is verbose (compared to assembly)
    IL is well documented (CLI specification)
◦ Open source compiler to reference
    Shared Source CLI compiler
◦ Rich metadata included in assembly
    Support for reflection means code using reflection must be self describing; by default all that information is embedded in assemblies

What Can Be Reverse Engineered
Any Managed Portable Executable (PE)
• Windows Forms
• Console Applications
• Office Business Applications
• ASP.NET (with server access)
• WCF
• DLLs
• WPF
• SharePoint WebParts
• SQL Server CLR Assemblies
• Windows Workflow Assemblies
• Compact Framework Applications
• Micro Framework Applications
• Silverlight

Availability of Tools
Native reverse engineering tools tend to actually cost money
• IDA Pro $515 and up
• Syser debugger $198 and up
• DevPartner $2,400

Availability of Tools
Managed tools tend to cost less
◦ ILDASM/ILASM - $0
◦ Reflector - $0
◦ Dile - $0
◦ WPF Snoop - $0
◦ Silverlight Spy - $0
◦ Mono Cecil Decompiler - $0

So what, it’s free and easy. Big deal!
Once you (or someone else) has this knowledge what can they do?
◦ Look to see exactly how things *really* work
◦ Find out things they might not need to know
    Passwords
    Encryption Keys
    Secret data
◦ Alter functionality
    Bypass authentication checks
    Unlock functionality
    Alter the user interface
    Add malicious code

Demo Time

Now What?
So, how do I stop all this monkeying around with my code?
You don’t stop it. All you can do is raise the bar.

Raising Defenses
There are some steps you can take to make life more difficult and deter the casual attacker
◦ Strong Name assemblies to prevent alteration
◦ Authenticode signing for commercial applications
◦ Do not embed secrets in the binaries
    Use DPAPI to encrypt secrets
    Public key signature validation
◦ Obfuscation
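
The "do not embed secrets, use DPAPI" step from the Raising Defenses slide, as an added C# example that is not from the presentation: the secret is supplied at configuration time and stored as a DPAPI blob instead of being compiled into the assembly. The `SecretStore` class, the `app.secret` file name and the entropy string are hypothetical names chosen for this example.

```csharp
// Added example, not from the slides. Windows-only: DPAPI is reached through
// System.Security.Cryptography.ProtectedData (reference System.Security.dll on
// .NET Framework, or the System.Security.Cryptography.ProtectedData package).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class SecretStore   // hypothetical class name
{
    // Pattern the slide warns against: a literal such as
    //   const string DbPassword = "constructed-sample-value";
    // is stored in the assembly and shows up in any decompiler.

    const string StorePath = "app.secret";   // hypothetical file name
    // Optional entropy only separates this application's blobs from others
    // protected under the same account; it ships in the binary, so it is not a secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    // Called at install or configuration time with a secret the operator supplies.
    public static void Save(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            // CurrentUser scope ties the blob to this Windows account.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(StorePath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }   // drop the plaintext copy
    }

    // Called at run time; throws CryptographicException if the blob was altered
    // or was protected under a different account.
    public static string Load()
    {
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(StorePath), Entropy,
                                               DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        Console.Write("Secret to store: ");
        string entered = Console.ReadLine() ?? "";
        Save(entered);
        Console.WriteLine("Round trip matches: " + (Load() == entered));
    }
}
```

Code running as the same Windows user can still call `Unprotect`, so this removes the secret from the distributed binary and raises the bar, in line with the slides, without making it unrecoverable.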

Questions and Answers

References (Tools)
Reflector : http://www.red-gate.com/products/reflector/index.htm
Reflector Plug In Page : http://www.codeplex.com/reflectoraddins
Dile : http://sourceforge.net/projects/dile
Snoop : http://blois.us/Snoop/
Silverlight Spy : http://firstfloorsoftware.com/silverlightspy

References (Articles)
Brian Long : Reverse Engineering To Learn .NET Better
◦ http://www.blong.com/Conferences/DCon2003/ReverseEngineering/ReverseEngineering.htm
David Cumps : Reverse Engineering with Reflector and Reflexil
◦ http://blog.cumps.be/reverse-engineering-with-reflector-and-reflexil
Jason Haley
◦ http://jasonhaley.com
Jason Bock
◦ http://www.jasonbock.net/JB