
Today I'm here to speak about WinDbg, the Microsoft debugger, and malware analysis, with a lot of demos in this presentation, so I prayed to the demo god, but I'm not sure it works, as usual for demos. So my name is Bart, I'm working for Talos Outreach and I'm a malware analyst and malware hunter since 2007. I'm French, as you can hear, so sorry for the accent and the broken English; it's not my fault, it's my parents' fault. And I co-organize a conference in France with a lot of broken English too; its name is Botconf, it takes place in December in the South of France, so feel free to come if you wish. So here
is the program for today. First I'm going to introduce WinDbg, just for information, the Windows debugger; it's going to be easy to follow. I will shortly explain how it works and give you a few commands, because during the demos I will use WinDbg, so simply to help you to understand. I'm not explaining every command, because there are too many commands; it's simply to help you understand everything. After, I will present you two cases today. The first one is how to analyze PowerShell scripts with WinDbg; you will see why I need to do that later. And after, I will mention a .NET packer and how to automatically unpack something packed with this .NET packer
thanks to WinDbg, and at the end I will show you a script we released on our GitHub account to help to do this kind of thing and have acceptable output on WinDbg, you will see. So the first thing, just to clearly understand where we are: we are just here. It's not a picture from me, it's a picture I found on Reddit. So WinDbg and cdb are the same; simply, WinDbg has a UI and cdb is a pure command-line tool. I think only a few people know this binary, and it's not a GUI; I saw some people in a previous presentation saying no, no, it's not a command line like the text says, it's a binary. So WinDbg is a
free debugger for Windows systems. You can download it on the Microsoft website, but it's not a really popular debugger; generally people use OllyDbg or Immunity Debugger. Why? Because in fact it's really ugly, it's an archaic user interface, it's only command line. For example, if you are used to OllyDbg, you've got the registers, you've got the stack, you've got the code, you've got the memory, etc., so you've got a lot of information. On WinDbg you don't have any information; you've got a command line and you must ask for every piece of information you want. The syntax is a nightmare, to be honest; it's the worst syntax in the world. They created a scripting language
that is worse than the syntax; it's really, really bad. But the good thing, and why I use it a lot: it is perfectly integrated with the system, you can use symbols, you can have information that other debuggers don't give you, and basically it supports .NET. If you try to debug a .NET application on OllyDbg, good luck, it won't work really well. And once you accept the rule that the syntax is bad, it's very powerful and very interesting. Here is, just for information, the syntax to display data in memory: it's done by d, display; you've got display bytes, display pointer, display Unicode, display ASCII, and you put the address and you have this kind of output
on WinDbg. Of course, like on every debugger, you can put breakpoints, stop the execution flow at a specific address or a specific function; it's bp with the address, list breakpoints with bl, disable and enable breakpoints, etc. It's really like every debugger, except that you must use the command line. Something really interesting, I don't know if you can do that on Immunity or OllyDbg, but you can breakpoint on a specific event. It means I would like to breakpoint when this specific library is loaded inside the binary; so if it's never loaded, the binary will be executed and never stop, but if this library is loaded, the execution flow
will be stopped at loading and you have access to the binary; it stopped and you can analyze it, put other breakpoints, etc. You can make some memory dumps: I want to copy these bytes from memory to a file, of course you can do that. You can list loaded modules, etc., exactly like on Immunity, but in command line. This is not the official documentation but it's a really useful link, and I think 80% of the daily commands are available here; this website is very well done, I really recommend it if you choose WinDbg. Another interesting thing: I said it supports .NET, and .NET support is provided by an extension named SOS. I don't know why, I didn't look at that.
Anyway, it provides a whole new set of commands dedicated to .NET analysis, and in this presentation I will use SOS a lot, because everything interesting from our point of view is located here. For example, you can use breakpoints exactly like before, but not a breakpoint on an address or a breakpoint on a C unmanaged function: you can breakpoint directly on a .NET function. For example, here you can directly breakpoint on the Assembly.Load function, and behind, the debugger will automatically identify where this function is and breakpoint for you, etc. So you don't have to know the address, you don't have to analyze the DLL where this function is located. In this case you can see that
it will breakpoint on eight different methods. Why? In .NET you can have a unique function with different arguments: one argument will be a byte array, and for another argument you can put a string, for example. So for the same name you can have different functions depending on the argument; it's exactly the same in this example. Here it's looking for a System.Security.Policy.Evidence argument and here it's a different one; that's why we have two functions with the same name but with two different addresses. If you look at the two different addresses, it's simply because they don't have the same arguments, and .NET itself will choose which one you must execute depending on the argument type. Another interesting thing is you can
have the stack equivalent in .NET, so you can get the arguments: when you breakpoint on a specific function you can get the argument values. So here, for example, the first argument is a ProcessStartInfo structure and you are able to get information on this structure. For example, here I asked with !DumpObj for information about the object and I got all the information: address, etc. Here I got a string, its first characters, etc. What is this? It's all documented by Microsoft, so it's really easy to simply read the documentation and have everything. So it's simply an introduction to have a first overview, but I will do a lot of demos to clearly understand how it works, and it's not so complicated. It looks
complicated, but not so much. So I sent a poll a few weeks ago on Twitter to ask if people use WinDbg to analyze PowerShell scripts. Basically people said to me: what the..., because generally when you have to analyze a PowerShell script, you open it in Notepad and you read it. The thing is, imagine you have to analyze two thousand different scripts; you know it's the same behavior, it downloads something from the Internet and executes it, and you have to analyze 2,000 scripts. You can open 2,000 Notepads, of course, or you can try to automate stuff, and I chose to do it with WinDbg, and thanks to what I will show you I was
able to analyze these 2,000 scripts in one day, so very easy. I got a log of every try, the URL, the file, I got the hash, etc., automatically. Yeah, it's more or less what I mentioned. So, I don't know if you are used to analyzing PowerShell scripts, but you have two kinds of PowerShell scripts. PowerShell can directly load unmanaged code: so in this case you can directly, in PowerShell, load a DLL, I don't know, and in this case it should be shellcode, and in this case you can simply breakpoint on the API, like on a classic debugger, and get the information, etc. So in this context, specifically, PowerShell does not use
.NET, it directly uses unmanaged code. It's not what I'm interested in; this one is more interesting from my point of view: when you do Start-Process, for example, in this case in fact PowerShell will use the .NET library, it doesn't use unmanaged code, but it embeds .NET and executes .NET code directly to execute the process. So in this context, typically, we can use the SOS extension to monitor activities; it's when the problem becomes generic. When I start, so, the first thing: WinDbg is really sexy. You can attach to a process, which is my PowerShell process here.
Yeah, it will be easier for you. So at this time I got my PowerShell and I cannot do anything; it's breakpointed, it's paused and waiting for a command. The first thing: by default WinDbg does not load the SOS extension, you need to do it manually, and load the SOS extension. At this time I got a new set of commands. Breakpoint on the function: it's the .NET breakpoint, and the first thing I can do is to breakpoint on Process.Start. I do it, yeah, you've got an error, I don't know why, we must execute it twice; it's a bug of the SOS extension. So at this time you can see it breakpoints on six different methods, which methods are named
Start, but each method has different arguments. I can simply execute: you can see all the entries I did previously appear because the binary is running, and I'm going to do my Start-Process and execute calc. At this time the debugger is breaking because it just stopped the process when the API is executed, and I can use !CLRStack as I mentioned previously to get the arguments, to get the stack from the .NET point of view. And here I got Process.Start and the argument is a ProcessStartInfo; click on it and I've got the object, the ProcessStartInfo object in .NET. Here I'm interested
in the FileName, because I want to know which file name is executed. I click on it and here you've got the string calc.exe. In this case, simply by clicking, in fact it uses !DumpObj each time you click on something, I'm able to get automatically the file name executed by Start-Process; it's what I mentioned here. Another thing, for example: you've got a part of the ProcessStartInfo object which is the directory, and in this case it's the directory from where calc.exe is executed. In PowerShell, when you execute it you are directly in your home directory, and here it's my home directory. So yes, you can automatically dump information if you are interested
by directly getting information from a register: you can do that. It gives you an address, and it's stored in Unicode, that's why I used du, and... it failed.
And you've got calc.exe. So you can use !CLRStack and !DumpObj to get information, or you can directly ask for the register like on the command line to get this information. So thanks to this first thing we can create a script to get automatically information from Start-Process, and here's an example. And if I continue, of course calc.exe is executed on the machine. I'm going to do another example, same thing: I attach my debugger to PowerShell.
I increase the font for you, big font. Now I'm going to do something a little bit different. I load the SOS extension as previously, but I want to breakpoint on the DownloadFile API. When you analyze PowerShell scripts used by, I don't know, some banking Trojan, usually it downloads something from the Internet and executes it, and it uses DownloadFile to do this task. I breakpoint on it twice, and at this time I continue the execution, and here I would create a new object and download something from the Internet and store it in my Desktop directory. At this time it starts, you get your breakpoint, it's automatically stopped during execution, and I can have the information from the registers. Sure, you've got the first
argument, look here, it's blog.talosintelligence, and I can have the second argument, so where the file is stored, and you've got the path. So same thing as previously: you can automatically do the different steps by scripting, and then you have the URL where it tries to download something malicious, and you can download it and store it in a specific directory to analyze it after, etc. You can do what you want. Here is an example of automation, where you can see the wonderful syntax of WinDbg; if you want to make a script, this kind of syntax is very, very common. So it's the first example about how to use WinDbg to analyze
a PowerShell script when it uses the .NET API. Another case I had a few weeks, months ago: I had to analyze a botnet malware, and this malware used a specific packer, something I don't know, but really easy to understand, I think. It's here, so yeah, I show you: it has a lot of little strings that look like Chinese, and numbers, etc. And how does the packer work in this case: it takes the strings and puts the string inside this function, and the purpose of this function, if you look, is to perform a decoding on it, and they cut the strings, and once the string is decoded a specific API is used: Assembly.Load is used on the decoded strings. So
basically, what does it mean: you've got encoded strings, you decode them, you've got a new assembly, a new .NET binary, and you use Assembly.Load to execute it. So it's not very complex, but imagine, same thing, you have thousands of samples to analyze with the same behavior but a little bit different: a different key or different stuff. For example, I found another sample with exactly the same philosophy, but in this case it used AES encryption: so it has encrypted strings, uses AES to decrypt them and finally uses Assembly.Load to execute the decoded data. You should have Assembly.Load somewhere, yeah, here. Anyway, so in this case we have different packers
but with exactly the same behavior: it packs the data with two different methods of encryption and loads the decoded data with Assembly.Load. It's what I mentioned: Assembly.Load. What is this function, for people who don't know this method: you've got a byte array as argument and it loads the assembly, blah blah. So basically it's an executable as argument: what you pass, you give the executable and it's loaded directly by .NET. I created a small example: here you've got data encoded in base64, in my case I decode the data here, and after decoding I load it and execute it. It's exactly the same thing; I simply don't want to execute malware on
my laptop, that's why I created a new one. How it works, if we want to analyze it with WinDbg: we execute it. Same thing, I can change the font. OK, so the thing here: if I try to load the SOS extension, it fails. Why? Because the binary at this time is stopped at the beginning of the execution, at the first instruction, and the .NET framework is not loaded inside the binary, so WinDbg says no, I cannot load this extension, it's not a .NET binary. But yes, it is; it's simply too early for WinDbg to clearly identify it as a .NET binary. So what I do: I
simply breakpoint when .NET is loaded first. Yeah, at this time the .NET framework is loaded inside my process and at this time I'm able to load the SOS extension. It's a simple trick to load the SOS extension. So same thing as previously: I breakpoint on Assembly.Load, twice as usual. Yeah, generally when I was at school teachers said it's stupid to do the same thing twice, you will have the same result. No, it's not stupid, not for Microsoft at least. And you execute your binary, yeah, I got the breakpoint during my Assembly.Load. I use the same thing as previously, I want to see my stack, the .NET stack here, and I got Assembly.
Load(byte[]). I click on it and here you've got the address of the byte array, and by displaying that: "This program cannot be run in DOS mode". So you've got directly a binary in the argument of Assembly.Load, so you can dump it and it's over: you've got an unpacked sample.
Yeah, I can't do that, it's...
Yeah, you've got "This program cannot be run", and in fact here it's the size of the variable; it's a byte array, so it's the size of the byte array, and you can dump it directly from memory by using .writemem, and we've got the unpacked binary, and you can open it with ILSpy, like... and you get the final binary. So it works. Here is an example where I analyzed a lot of similar samples with a script and directly extracted the final binary for each file, so it's really easy and you can do it massively without any problems. The only limitation is the packer must use the same philosophy and use
Assembly.Load to load something. To help people to work on this, I created a Python script; you can find it on our GitHub account. The fact is, officially WinDbg does not ship Python, but people created an extension of WinDbg to support Python. This extension is pykd and it's free, you can freely download it, and after you can use my Python script. Here is an example I can show you. For the moment I don't have any failure, maybe it's a mistake to say that. So I attach to my PowerShell, OK, I open the workspace, sure, OK. So at this time I load the .NET extension and I load
pykd, so the Python extension, and finally I can execute my .NET script. I don't... it's here? No, I just
yeah, I like to hide my script
yes, and finally, its name is...
It's loaded and I can do my Start-Process, of notepad for example.
Yeah, at this time you can see a lot of stuff is executed, but the script directly dumped, for example, ProcessStartInfo, and it dumped the object, and if it's a string or something interesting it directly shows you the information, and everything is in JSON, so if you need to parse it after with Python it's really easy. And yeah, you can see even if you do Start-Process, somewhere inside you've got Assembly.Load which is executed, I don't know why in this case, but it's automatically dumped. If I check my script, just to show you the configuration, it's really easy: here I simply put the DLL where the function to monitor is located, so in
this case I monitor Start-Process and I try Assembly.Load. So each time one of these functions is executed I dump the arguments: if I get a string I display the string, if I get an integer I display the integer, etc., and directly here, if I go there, yeah, here are the directory or the value, directly dumped to the output, and sometimes it's an integer, the value 0, so I show 0, etc. So you can see the .NET structures are quite big; there's a lot of information simply to create a process. Yeah, it works. You can freely download the script if you want to test, and it's able to dump the byte array of Assembly.Load
execution, so thanks to the script you can directly save on disk the executable in the argument of Assembly.Load. The only thing is the binary is really executed on the machine, so if you don't notice something and execute it to some point, it's executed on your machine, so use a virtual machine if you want to try it. So, conclusion: we published a blog post about all the things I mentioned to you, about how to analyze .NET and, indirectly, PowerShell scripts with WinDbg, and we published the script, of course, if you want to improve it. Additionally, I want to mention, not in my talk because I don't have time, but after the first publication someone asked me if it works
for JavaScript: can I analyze JavaScript applications with WinDbg the same way? And I started to look at it, and in fact JavaScript absolutely does not use the .NET framework, it's pure native code, it's pure C/C++, so you cannot use the SOS extension to do the same thing with JavaScript. But I wrote a blog post to explain how to do it with the classic features, without .NET. So if you are interested, basically you can do the same thing with JavaScript, simply not with the SOS extension but directly with the debugger. So it's online and you can play with it; I don't provide any script for this specific case. Something new for WinDbg users: so my
crap interface... Microsoft is working on a new version; they released this beta two weeks ago, and maybe one day we will have a debugger with a sexy design. They add a ribbon and all the classical Windows stuff, and now you have some buttons, and you are able to easily modify the layout. You've got directly tabs here to get memory, to get registers, etc., without typing commands, simply by clicking on it. So basically the same thing, but with a more user-friendly interface. So the first moments, better; you can believe it works, but as it was published last week or two weeks ago I didn't want to use it for the demo because I can have a lot of surprises with a beta,
but maybe we will have something interesting. Here you get directly the stack, you can have threads, etc., so it's becoming something more usable for people. So otherwise, if you are interested, on our blog post we publish everything we mention at conferences, etc., so you will find all the information you want. We have the Talos Security Twitter account, if you want to follow us to see all the articles we publish more or less in real time, my Twitter, and the one of one of the organizers of the conference, who helped me a lot for this research, so I put this Twitter nickname too. So if you have questions, feel free; if you are shy we can speak outside, no problem.
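Added example, not the speaker's pykd script and not part of the talk: the talk's script logs each Process.Start hit as JSON by running !DumpObj on the ProcessStartInfo argument and following its string fields. The parser below does that over the text !DumpObj prints. Every transcript, object address, field value (calc.exe, C:\Users\analyst) and the `run_dumpobj` callback are constructed for the demo; in a live session that callback would wrap pykd.dbgCommand("!DumpObj <addr>").

```python
"""Turn the text that SOS's !DumpObj prints into JSON.

Added example, not the speaker's pykd script. Every !DumpObj transcript,
address and value below is constructed to mimic the real format. In a live
WinDbg session `run_dumpobj` would wrap pykd.dbgCommand("!DumpObj <addr>");
here it is a dictionary lookup so the example runs offline.
"""
import json
import re

# Constructed !DumpObj outputs keyed by object address (all values made up).
FAKE_SESSION = {
    0x1d2c0ffee00: """\
Name:        System.Diagnostics.ProcessStartInfo
MethodTable: 00007ffc12345678
EEClass:     00007ffc12000000
Size:        120(0x78) bytes
File:        C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System\\v4.0_4.0.0.0__b77a5c561934e089\\System.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ffc11111111  4000123        8        System.String  0 instance 000001d2c0ffee80 fileName
00007ffc11111111  4000124       10        System.String  0 instance 0000000000000000 arguments
00007ffc11111111  4000125       18        System.String  0 instance 000001d2c0ffeec0 directory
00007ffc22222222  4000126       60       System.Boolean  1 instance                1 useShellExecute
00007ffc33333333  4000127       64         System.Int32  1 instance                0 windowStyle
""",
    0x1d2c0ffee80: """\
Name:        System.String
MethodTable: 00007ffc11111111
Size:        42(0x2a) bytes
String:      calc.exe
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ffc33333333  4000248        8         System.Int32  1 instance                8 m_stringLength
""",
    0x1d2c0ffeec0: """\
Name:        System.String
MethodTable: 00007ffc11111111
Size:        58(0x3a) bytes
String:      C:\\Users\\analyst
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ffc33333333  4000248        8         System.Int32  1 instance               16 m_stringLength
""",
}

HEADER_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
# One row of the Fields: table: MT, field token, offset, type, VT flag, attr, value, name.
FIELD_RE = re.compile(
    r"^(?P<mt>[0-9a-f]+)\s+(?P<token>[0-9a-f]+)\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<type>\S+)\s+(?P<vt>[01])\s+(?P<attr>\S+)\s+(?P<value>\S+)\s+(?P<name>\S+)\s*$"
)


def parse_dumpobj(text):
    """Split one !DumpObj output into (header dict, list of field dicts)."""
    header, fields, in_fields = {}, [], False
    for line in text.splitlines():
        if in_fields:
            m = FIELD_RE.match(line)
            if m:
                f = m.groupdict()
                f["vt"] = f["vt"] == "1"   # VT=1: the Value column holds the value itself
                fields.append(f)
        elif line.startswith("Fields:"):
            in_fields = True
        else:
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2).rstrip()
    return header, fields


def dump_object(addr, run_dumpobj, max_depth=2):
    """Dump the object at addr; resolve System.String references into their text.

    This is the by-hand flow from the talk (click a field, !DumpObj it, read the
    String: line). Other references stay as addresses so the output stays bounded.
    """
    header, fields = parse_dumpobj(run_dumpobj(addr))
    result = {"address": f"{addr:016x}", "type": header.get("Name", "?")}
    if "String" in header:            # !DumpObj prints a System.String's text directly
        result["value"] = header["String"]
        return result
    values = {}
    for f in fields:
        if f["vt"]:
            values[f["name"]] = f["value"]          # value type, printed inline by SOS
        elif int(f["value"], 16) == 0:
            values[f["name"]] = None                # null reference
        elif f["type"] == "System.String" and max_depth > 0:
            child = dump_object(int(f["value"], 16), run_dumpobj, max_depth - 1)
            values[f["name"]] = child.get("value")
        else:
            values[f["name"]] = {"ref": f["value"], "type": f["type"]}
    result["fields"] = values
    return result


def fake_run_dumpobj(addr):
    """Stand-in for pykd.dbgCommand('!DumpObj %x' % addr) over the constructed transcripts."""
    if addr not in FAKE_SESSION:
        raise ValueError(f"no !DumpObj transcript for {addr:#x}")
    return FAKE_SESSION[addr]


def process_start_record(addr=0x1d2c0ffee00):
    """One JSON line per Process.Start hit, the shape the talk's script logs."""
    return json.dumps(dump_object(addr, fake_run_dumpobj), sort_keys=True)


if __name__ == "__main__":
    print(process_start_record())
```

The only debugger-specific piece is `run_dumpobj`; swapping the dictionary for a pykd call is the whole port to a live session, and the string-following depth is capped so a cyclic object graph cannot keep the script dumping forever.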
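Added example, not from the talk or the speaker's script: carving the byte[] that Assembly.Load receives out of a memory snapshot, given the array's object address as !CLRStack shows it. It assumes the CLR array layout for a byte[] (method-table pointer, then Int32 length, data starting at twice the pointer size from the object address) and builds a constructed MZ/PE blob and heap region so it runs offline; it also returns the .writemem command that dumps the same bytes in the live session, as the talk does.

```python
"""Carve the byte[] passed to Assembly.Load out of a memory snapshot.

Added example, not from the talk or the speaker's script. Assumption: a CLR
byte[] is laid out as method-table pointer, Int32 length, padding, with data
at 2 * pointer size from the object address (0x10 on x64, 8 on x86). The PE
blob and the heap bytes below are constructed so the example runs offline.
"""
import struct

PTR64, PTR32 = 8, 4


def build_fake_pe(size=0x200):
    """Constructed minimal MZ/PE header: enough for the checks below, not a real binary."""
    blob = bytearray(size)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)       # e_lfanew -> PE signature at 0x80
    blob[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x84, 0x14C)      # Machine field, purely illustrative
    return bytes(blob)


def build_fake_heap(payload, ptr_size=PTR64):
    """Lay out `payload` the way a CLR byte[] looks from its object address (assumed layout)."""
    mt = 0x7FFC1234                                # made-up method table address
    header = mt.to_bytes(ptr_size, "little") + struct.pack("<I", len(payload))
    return header.ljust(2 * ptr_size, b"\0") + payload


def carve_byte_array(mem, base, obj_addr, ptr_size=PTR64):
    """Return (method_table, data) for the byte[] at obj_addr inside snapshot `mem` mapped at `base`."""
    off = obj_addr - base
    if off < 0 or off + 2 * ptr_size > len(mem):
        raise ValueError("object address outside the snapshot")
    mt = int.from_bytes(mem[off:off + ptr_size], "little")
    (length,) = struct.unpack_from("<I", mem, off + ptr_size)
    start = off + 2 * ptr_size
    if start + length > len(mem):                  # a bogus length must not read past the snapshot
        raise ValueError(f"byte[] length {length:#x} runs past the snapshot")
    return mt, bytes(mem[start:start + length])


def looks_like_pe(data):
    """The check the talk does by eye: MZ at offset 0 and the PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def writemem_command(path, obj_addr, length, ptr_size=PTR64):
    """The WinDbg command that dumps the same bytes live: .writemem <file> <start> L?<size>."""
    return f".writemem {path} {obj_addr + 2 * ptr_size:#x} L?{length:#x}"


def unpack_from_snapshot(mem, base, obj_addr, ptr_size=PTR64):
    """Carve, verify it is a PE, and return (data or None, equivalent .writemem command)."""
    _mt, data = carve_byte_array(mem, base, obj_addr, ptr_size)
    cmd = writemem_command("C:\\analysis\\unpacked.bin", obj_addr, len(data), ptr_size)
    return (data if looks_like_pe(data) else None), cmd


if __name__ == "__main__":
    base = 0x1D2C1000000                           # made-up heap address
    heap = build_fake_heap(build_fake_pe())
    data, cmd = unpack_from_snapshot(heap, base, base)
    print(f"{len(data):#x} bytes, PE={looks_like_pe(data)}; live equivalent: {cmd}")
```

The length check matters in practice: the Int32 read from the array header is attacker-controlled data, so a dumper that trusts it blindly will happily read far past the object when a sample corrupts or fakes the header.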