
CongratZ! Now .NET will load malware


evaluator
September 23rd, 2010, 04:38
After VB6 loaders, now .NET will load malware. These WStrings warn me:

GetThreadContext
WriteProcessMemory
NtUnmapViewOfSection
ReadProcessMemory
ResumeThread
SetThreadContext
VirtualAllocEx
VirtualProtectEx

And the wrapped malware inside looks quite dangerous (in_NETklbrw.exe).

PASS: malware
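As an added triage example (not from the poster or the sample above), this Python script extracts ASCII and UTF-16LE strings from a binary blob and rates it on the process-hollowing API set listed in the post; the blob is constructed inline and the thresholds are assumptions, not a published rule.

```python
import re

# API names from the post above which, seen together, are characteristic of
# process hollowing: unmap the host image, write a new one, repoint the thread.
HOLLOWING_APIS = {
    "GetThreadContext", "SetThreadContext", "WriteProcessMemory",
    "ReadProcessMemory", "NtUnmapViewOfSection", "ResumeThread",
    "VirtualAllocEx", "VirtualProtectEx",
}
# The minimal chain whose joint presence is the strongest signal (assumed threshold).
CORE_CHAIN = {"NtUnmapViewOfSection", "WriteProcessMemory",
              "SetThreadContext", "ResumeThread"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # plain ANSI strings
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # UTF-16LE "WStrings"


def extract_strings(blob: bytes):
    """Yield (text, encoding) for printable ASCII and UTF-16LE runs of >= 4 chars."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii"), "ascii"
    for m in WIDE_RE.finditer(blob):
        yield m.group().decode("utf-16-le"), "wide"


def triage(blob: bytes) -> dict:
    """Map each hollowing API found to the encodings it appeared in, and rate the blob."""
    hits = {}
    for text, enc in extract_strings(blob):
        for api in HOLLOWING_APIS:
            if api in text:                       # substring: tolerates "kernel32!Name" etc.
                hits.setdefault(api, set()).add(enc)
    found = set(hits)
    if CORE_CHAIN <= found:
        verdict = "process-hollowing-capable"
    elif len(found) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": {k: sorted(v) for k, v in hits.items()}, "verdict": verdict}


# Constructed sample: a fake blob carrying the names as wide strings, the way
# they surfaced in the post. Not a real binary and not the file named above.
SAMPLE = b"MZ\x90\x00" + b"".join(
    n.encode("utf-16-le") + b"\x00\x00"
    for n in ["kernel32.dll", "NtUnmapViewOfSection", "WriteProcessMemory",
              "SetThreadContext", "ResumeThread", "VirtualAllocEx"]
) + b"\x00\x00GetThreadContext\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against any file with `triage(open(path, "rb").read())`; the verdict is a triage hint for a closer look, not a classification.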

R33N
October 5th, 2010, 22:09
I attended a conference where this presentation took place and the speaker with another demonstrated all the abilities described in this outline. I think this would also be relevant to the increase of malware that will be injected into .NET code.

http://www.owasp.org/Hacking_.NET_Applications_at_Runtime:_A_Dynamic_Attack

Also there was supposed to be a tool release for the injection tool, but I have not found the tool through some immense searching. If anyone finds this tool would be interesting to play with.

Bengaly
October 10th, 2010, 18:35
Now, if Windows (xp,2008,2003,vista,7) had any decent and working permission controls (like, ie: root in unix/linux) then I wouldn't have had any trouble accepting .net process and memory privileges... but damn it with you m$ you're just shooting yourself in the foot with this one, again and again..

Maximus
October 11th, 2010, 18:38
In truth, it is possible.
it was even possible in XP...
fact is, they made the stuff soooo complex not even they are capable anymore of understanding how to use it...
The real M$ problem lies in kernelland and the "owner" privilege check, which requires a lot of lateral thinking to bypass (if you own something, you can always own it fully, silly rule...).

dELTA
October 27th, 2010, 20:59
Quote:
[Originally Posted by R33N;87856]I attended a conference where this presentation took place and the speaker with another demonstrated all the abilities described in this outline. I think this would also be relevant to the increase of malware that will be injected into .NET code.
Not really, since what the guy is presenting is only a glorified loader/code injector practically. You still need to have control over the machine already to have any use for it, and then you might as well just start a thread with your own arbitrary machine code in any application you have currently privileges to. I have seen that presentation live too, and the guy misuses and abuses the words "hacking" and "owning" throughout the whole thing, just to make his reversing tool sound more hacker leeto...


Quote:
[Originally Posted by R33N;87856]Also there was supposed to be a tool release for the injection tool, but I have not found the tool through some immense searching. If anyone finds this tool would be interesting to play with.
You apparently didn't search "immensely" enough to take a look in the CRCETL here on this server, since it's been sitting there waiting for you all the time...

http://www.woodmann.com/collaborative/tools/DotNetasploit