Reverse Engineering .NETReverse Engineering .NET

Presented By: Joe Kuemerle @jkuemerle

www.speakerrate.com/jkuemerle

Background of Joe Background of Joe KuemerleKuemerleLead Developer at PreEmptive

SolutionsOver 14 years of development

experience with a broad range of technologies

Focused on application and data security, coding best practices and regulatory compliance

Presenter at user groups, code camps, CodeMash 2009 and MSDN Developer Conference 2009

Why Reverse Engineer?Why Reverse Engineer?

Reasons To Reverse Reasons To Reverse EngineerEngineerCuriosity – see how things workRisk Management – see what the

bad guys seeRecovery – recover lost /

damaged sourceIllegal Activity – be the bad guy

Random fact:According to a 2007 FBI study 70% of

network abuse is due to insiders.

Ease of Reverse Ease of Reverse Engineering .NETEngineering .NETWhy is it easy to reverse

engineer .NET?◦All high level source is compiled to MSIL

IL is verbose (compared to assembly) IL is well documented (CLI specification)

◦Open source compiler to reference Shared Source CLI compiler

◦Rich metadata included in assembly Support for reflection means code using

reflection must be self describing, by default all that information is embedded in assemblies

What Can Be Reverse What Can Be Reverse EngineeredEngineeredAny Managed Portable Executable (PE)•Windows Forms •Console

Applications•Office Business Applications

•ASP.NET (with server access)

•WCF •DLL’s •WPF •SharePoint

WebParts•SQL Server CLR Assemblies

•Windows Workflow Assemblies

•Compact Framework Applications

•Micro Framework Applications

•Silverlight

Availability of ToolsAvailability of ToolsNative reverse engineering tools

tend to actually cost money

•IDA Pro •$515 and up

•Syser debugger $198 and up•DevPartner $2,400

Availability of ToolsAvailability of ToolsManaged tools tend to cost less

◦ILDASM/ILASM - $0◦Reflector - $0◦Dile - $0◦WPF Snoop - $0◦Silverlight Spy - $0◦Mono Cecil Decompiler - $0

So what, it’s free and easy. So what, it’s free and easy. Big deal!Big deal!Once you (or someone else) has this

knowledge what can they do?◦Look to see exactly how things *really* work◦Find out things they might not need to know

Passwords Encryption Keys Secret data

◦Alter functionality Bypass authentication checks Unlock functionality Alter the user interface Add malicious code

Demo TimeDemo Time

Now What?Now What?So, how do I

stop all this monkeying around with my code? You don’t stop

it. All you can do is raise the bar

Raising DefensesRaising DefensesThere are some steps you can take to make life more difficult to deter the casual attacker

◦Strong Name assemblies to prevent alteration

◦Authenticode signing for commercial applications

◦Do not embed secrets in the binaries Use DPAPI to encrypt secrets Public key signature validation

◦Obfuscation

Questions and AnswersQuestions and Answers

References (Tools)References (Tools)Reflector :

http://www.red-gate.com/products/reflector/index.htm

Reflector Plug In Page : http://www.codeplex.com/reflectoraddins

Dile : http://sourceforge.net/projects/dile

Snoop : http://blois.us/Snoop/Silverlight Spy :

http://firstfloorsoftware.com/silverlightspy

References (Articles)References (Articles)Brian Long : Reverse Engineering To

Learn .NET Better◦http://www.blong.com/Conferences/DCo

n2003/ReverseEngineering/ReverseEngineering.htm

David Cumps : Reverse Engineering with Reflector and Reflexil◦http://blog.cumps.be/reverse-engineeri

ng-with-reflector-and-reflexilJason Haley

◦http://jasonhaley.comJason Bock

◦http://www.jasonbock.net/JB

Photo AttributesPhoto Attributeshttp://flickr.com/photos/calavera/65098350/http://flickr.com/photos/epitti/199843720/http://flickr.com/photos/moriza/77481889/http://flickr.com/photos/dannyboyster/

60371673/http://flickr.com/photos/

20406121@N04/2632344166/http://flickr.com/photos/rogersmith/126697530/http://flickr.com/photos/docman/36125185/http://flickr.com/photos/frozen-in-time/

3858611/http://flickr.com/photos/chubbybat/62206640/