This page introduces application level rootkit attacks on managed code environments, enabling an attacker to change the .NET language runtime implementation, and to hide malicious code inside its core. The focus here is on the .NET Framework, but the concepts are general.

As a proof-of-concept, the same techniques were applied on the JVM to create Java Rootkits:

http://www.applicationsecurity.co.il/Java-Rootkits.aspx

 

 

The whitepaper .NET Framework rootkits - backdoors inside your framework.pdf covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.

 

This paper also introduces .NET-Sploit 1.0 - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.  

 

Related material:

• Tool - NET-Sploit 1.0.zip (New version)
• Source Code - .NET-Sploit 1.0
• Presentation (CanSecWest)
• .NET-Sploit User Guide (NEW!)

  Brought to you by  www.AppSec.co.il