2015 - Alberto Barbaro - Instrumentation of NET applications using Frida

There is currently no de facto standard to help a reverse engineer or geek to easily understand the structure of a .NET application and interact with it without access to the source code (particularly if the MSIL has been obfuscated). This gap has now been filled thanks to Frida (http://www.frida.re) and the power that the framework offers. Frida is a portable instrumentation framework that allows you to inject the Google Chrome V8 engine within a process’ memory and interact with the target process using Python and JavaScript. Having this power allows practitioners to: • Enumerate modules • Enumerate memory ranges • Read/Write/Scan the process’ memory • Call functions with crafted parameters • Read/Modify input functions’ parameters • Read/Modify the return value of a function • Establish full duplex communication with the target process using JSON messages At the end of the talk attendees will have a good understanding of the potential offered by Frida and they will be able to replicate all the demos explained during the talk and use the same techniques during an assessment of a thick client written in a .NET (or any other) language.