
Managed Code Rootkits
Hooking into Runtime Environments

Erez Metula

Syngress is an imprint of Elsevier
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Acquiring Editor: Rachel Roumeliotis
Development Editor: Matthew Cater
Project Manager: Laura Smith
Designer: Kristen Davis

Syngress is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

© 2011 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

Metula, Erez.
Managed code rootkits : hooking into runtime environments / Erez Metula.
p. cm.
Includes bibliographical references and index.
Summary: "Introduces the reader briefly to managed code environments and rootkits in general—Completely details a new type of rootkit hiding in the application level and demonstrates how a hacker can change language runtime implementation—Focuses on managed code including Java, .Net, Android Dalvik, and reviews malware development scenarios"—Provided by publisher.
ISBN 978-1-59749-574-5
1. Computers—Access control. 2. Virtual computer systems—Security measures. 3. Rootkits (Computer software) 4. Common Language Runtime (Computer science) 5. Computer security. I. Title.
QA76.9.A25M487 2010
005.8—dc22
2010036631

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-574-5

Printed in the United States of America
10 11 12 13 14   10 9 8 7 6 5 4 3 2 1

Typeset by: diacriTech, India

For information on all Syngress publications visit our website at www.syngress.com

Contents

Acknowledgements ... xi
About the Author ... xiii

PART I  OVERVIEW

CHAPTER 1  Introduction ... 3
  The Problem of Rootkits and Other Types of Malware ... 4
  Why Do You Need This Book? ... 6
  How This Book Is Organized ... 6
  How This Book Is Different from Other Books on Rootkits ... 7
  Terminology Used in This Book ... 9
  Technology Background: An Overview ... 10
  Managed versus Unmanaged Code ... 11
  Managed Code Environments: An Overview ... 12
  Summary ... 21

CHAPTER 2  Managed Code Rootkits ... 23
  What Can Attackers Do with Managed Code Rootkits? ... 24
  Common Attack Vectors ... 26
  Maintaining Access after Successful Attacks ... 27
  The Trusted Insider ... 28
  Malware ... 30
  Why Are Managed Code Rootkits Attractive to Attackers? ... 30
  MCRs Have a Large Attack Surface ... 30
  MCRs Have a Single Control Point ... 31
  MCRs Can Act as a Universal Rootkit ... 31
  MCRs Are an Ideal Place to Hide Malicious Code ... 32
  Security Products Do Not Understand Intermediate Language Bytecode ... 32
  Developers' Backdoors Are Hidden from Code Review Audits ... 32
  Attackers' Backdoors Can Be Planted as Deliberate Security Holes ... 33
  Managed Code Becomes Part of the OS ... 34
  MCRs Provide Low-Level Access to Important Methods ... 35
  Object-Oriented Malware Has Many Implications ... 35
  Summary ... 35
  Endnotes ... 36

PART II  MALWARE DEVELOPMENT

CHAPTER 3  Tools of the Trade ... 39
  The Compiler ... 40
  The Decompiler ... 42
  The Assembler ... 46
  The Disassembler ... 49
  The Role of Debuggers ... 52
  The Native Compiler ... 56
  File Monitors ... 60
  Summary ... 61

CHAPTER 4  Runtime Modification ... 63
  Is It Possible to Change the Definition of a Programming Language? ... 63
  Attacking the Runtime Class Libraries ... 66
  Attacking the JIT Compiler ... 66
  Abusing Runtime Instrumentation Features ... 67
  Walkthrough: Attacking the Runtime Class Libraries ... 71
  Case Study: The .NET Runtime ... 72
  Component Analysis ... 73
  Disassembling the Binaries ... 79
  Modifying the IL Code ... 80
  Reassembling the Code ... 82
  Deployment ... 83
  Case Study: The Java Runtime ... 90
  Case Study: The Dalvik Runtime ... 94
  Summary ... 99

CHAPTER 5  Manipulating the Runtime ... 101
  Manipulating the Runtime According to Our Needs ... 101
  Logical Manipulation ... 102
  Execution Flow Manipulation ... 113
  Literal Value Manipulation ... 122
  Reshaping the Code ... 129
  Referencing External Methods and Class Members ... 129
  Injecting References ... 130
  Max Stack Size ... 131
  Setting the Labels ... 134
  Code Injection Points ... 137
  Code Generation ... 139
  Summary ... 142

CHAPTER 6  Extending the Language with a Malware API ... 143
  Why Should We Extend the Language? ... 143
  Extending the Runtime with a Malware API ... 146
  Sending Data