.NET Malware Threats: Internals And Reversing

DEF CON 27

Presented by: Alexandre Borges
Date: Saturday August 10, 2019
Time: 15:00 - 15:45
Location: Track 4

.NET malware is well known to security analysts, but even though many tools such as dnSpy, .NET Reflector, de4dot and so on exist to make the analysis easier, most professionals have used them as black-box tools, without concern for .NET internals, structures, MSIL coding and details. In critical cases, it is necessary to have enough knowledge about the internal mechanisms and to debug these .NET threats using WinDbg.

Unfortunately, .NET malware samples have become very challenging because it is so complicated to deobfuscate their associated resources, as well as to unpack them and dump them from memory. Furthermore, most GUI debugging tools do not offer an inside view of mechanisms such as the CLR Loader, the Managed Heap, synchronization issues and Garbage Collection.

On the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which makes it possible to see code injections using MSIL, and attempts to compromise the .NET Runtime keep being a real concern.

The purpose of this presentation is to help professionals understand .NET malware threats and techniques by explaining concepts about .NET internals and mechanisms, together with a few reversing techniques.

Alexandre Borges

Alexandre Borges is a Security Researcher who has been working daily on Reverse Engineering and Digital Forensic Analysis for many years. He has taught training courses on Malware and Memory Analysis, Digital Forensic Analysis and Mobile Forensics around the world. Furthermore, Alexandre is the creator and maintainer of the Malwoverview triage tool: https://github.com/alexandreborges/malwoverview. Alexandre has spoken at several conferences such as DEF CON USA (2018), DEF CON CHINA (2019), CONFidence Conference 2019, HITB 2019 Amsterdam, H2HC Conference (2015/2016), BSIDES Sao Paulo (2019/2018/2017/2016) and BHACK Conference (2018). Finally, he is a referee of Digital Investigation: The International Journal of Digital Forensics & Incident Response (https://www.journals.elsevier.com/digital-investigation/editorial-board).

Twitter: @ale_sp_brazil
LinkedIn: http://www.linkedin.com/in/aleborges
Website: http://www.blackstormsecurity.com/bs/en/en_articles.html
Tool: https://github.com/alexandreborges/malwoverview
