This is Hacking .NET Applications: The Black Arts. I'm going to be attacking .NET applications developed by Microsoft, protected with third-party applications. These are applications that people don't want you to have the source code for. They don't want you to do malicious things. This is why we're all here, to fuck them up, right? Good. Then you're in the right talk, because that's all this is going to be. Unfortunately, I have developed some good things, but that's not what goes into a hacker con. Everything I'm going to show you is specifically malicious. I'm digitalbodyguard.com, and let's fuck some shit up. There you go!

So no matter whether you're just a hacker or you're an attacker, these are some of the nice tools that you're going to want. You don't have to be highly skilled and have all sorts of IDA and machine code. This speech is targeted towards the average developer that wants to mess applications up. They want to look inside of it and do critically bad things to other people's applications. I'm going to talk about how to attack .NET applications: tools and methodologies for attacking, overcoming secure .NET applications, building keys, cracks, malware, and reverse engineering for protection. Whether you're a company or a hacker, this applies to you. And I'm going to fuck some shit up.

Okay. Cracking and attacking. I'm going at it in memory and on disk. Attacking on disk: you gain access, you decompile, you infect the logic, drop some shims in there to get you in, you hook the logic and test. That's your life cycle. Attacking in memory: inject into the target application, navigate the structure, edit and control the structure. Whether you're attacking in memory or on disk, the same conceptual paradigm applies. Do your reconnaissance. Understand what technologies it's using, what you think their mechanisms for hardening the application would be. And do a little bit of reconnaissance into the company.
Find out what other products they use and what other products they sell. Maybe they have a product that they don't particularly harden. Go look at that; they probably use the source code over again. Reconnaissance is nice. Gain access to your target, whether that's getting access to the executables or getting past any of their security methods. You want to gain access. You want to find the weak spots: the spots that let you get in and affect it, where the security is weak or the checking is weak. You want to get in where it's easy. You don't want to blow a bunch of time, right? And you want to control what you need. You don't want to drop a lot of stuff in there that's going to blow it. You're in someone else's application; be clean and efficient.

So, attacking in memory at runtime. This is Gray Dragon, a tool that I'm dropping free, of course, just another injector that gets you in there. It's developed mainly out of .NET, and it's targeted specifically against .NET. This is going to take care of a lot of the threading issues and get you into .NET. A lot of the other injectors aren't targeted at .NET; this specifically is. You inject into a process. It spins up a C++ bootstrap DLL. That spins up a .NET bootstrap DLL. This takes care of the threading and all of the issues that you would find if you injected into someone else's application and started doing shit. This helps it be more stable with less work on your part. And then it puts you in the application. That's where you drop in your payload.

I also developed a few other mechanisms; real quick, I'll cover that. I did a USB keyboard that types in. It goes into PowerShell, does a whole bunch of keystrokes, and then it drops Gray Dragon into your target and into the process, straight from keyboard. So you're not going to have a lot of forensics footprint. It's really nice because you're going into memory straight from keyboard. You're not touching disk, and it's going to be real clean.
Also, I did a Metasploit payload last year. Same exact idea: Metasploit gets you in. I'm a little bit demo heavy, so I hope you enjoy demos. This is Gray Dragon and Gray Wolf. So Gray Wolf is a nice decompiler. You can drag in any executable, and it will get you your basic things, right? This is a program that destroys files on your hard drive. I'm going to cover injection first, but this is something that's going to be very important later on.

Gray Dragon gets you inside of your target. The target's running as admin, so instead of being able to inject from user land, I have to elevate it to admin in order to inject into my target, of course. So I'm not really doing exploitation. I'm more taking advantage of the fact that once you own the box, you can mess up any application however you see fit, then use it on that box or use it on other people's boxes for practical reasons. Okay, so I drop into my target, and here is the .NET payload that I talked about earlier. This takes any .NET executable and just runs void Main on it. So this is an executable that has a void Main. I will select the payload, and we have a payload inside of our target. This is old talks, if you've been to my speeches before.

This is going to be very, very nice later on. I can come down to this unlock button, and I have gone in and edited the events that this button fires. When you right-click on it, it fires something new. It says, what functions do you fire? And here's the functions that that button fires. This is heavily obfuscated, so this would take you hours to dig through to get to this class and this function. This is what that button fires, and that's the unlock button. So you know that unlock button is pretty close to the registration check, right? So when you want to crack the registration check, instead of digging for hours through obfuscation, this gets you straight to it, and it will cut your time way down. So that will be very important much later. And, okay.
So I really like diagrams and pretty things. I think it makes shit easier. When you are on disk and you run an executable, it spins up a bunch of valid DLLs. They all go through the security systems of Microsoft and .NET. This all becomes a process. All the security systems have already completed. You inject in, and it drops in your attack. This is where you get your hacks, cracks, malware and back doors. This is really nice because I'm going to talk about security systems later, and they've all finished. At this point, you're injecting after them. I've seen two security systems used by two companies that can do anything against this. Every security system I'm going to talk about for the rest of this, you can basically add, and injecting in memory gets right past it.

So I kind of went app happy, and I developed a whole bunch of payloads and supporting applications, and just put out a lot of research and a lot of applications to support you in this endeavor and in wanting to see how I did what I did. So attacking applications: you gain full access, you reverse engineer as much as possible, you attack it in memory, take out whatever security might be there, and then you control the program.

Injection. Why should I use it? How does it impact me? Fuck, don't be a prick. Just accept it, and it works. It's going to get you in. It's going to wrap all of your threading, it's going to inject, and it's all free. These are all tools that I'm encouraging you to use. I'm not going to be charging; I'm not going to be selling these applications to a company that can tell you you can't use it. I'm developing this for hackers. So here's two applications. I'm going to show injecting into them, and then I'm going to show injecting the same payload into both applications. And this is interesting because .NET gives you a lot of power for a little bit of code, and I'm going to show you how that power can affect applications in a slightly new way.
Okay, this application is basically a low-end backup piece of software. It takes a password, and if you don't put in the right password, it's not going to give you access. This applies to major backup software, but I thought I would not punch any companies specifically, and I would just go after some small-time companies. I mean, they're good software, but they're not a Norton Ghost. So here's our payload inside of our target. We drop it in, load it, and here it is. This payload iterates through the application, finds the hash code of the password and populates it. And this crack starts brute forcing that password using the logic of our target. I've reached inside of the application, got the hash of the password, and started a brute force.

Here's another piece of software that's similar to the first, slightly different of course. We'll inject into it again. Gray Dragon searches, because I still have a little more work to do, so it brute forces. It finds it. It's 64-bit. It's going to drop in a 64-bit payload. And there we are. We're inside of the next application. Take the same payload, drop it in. So we have essentially the same payload. Of course, it's a different hash. I'll start cracking it. I have the same exact payload cracking both of them. And it's not hard to write it for other applications. You can even write an adaptive one.

So these two applications. This one was processing at 10,000 checks per second. This one is much slower. It finds the password. This is your plain text that it's testing. It then takes this and drops it into your target application, because I thought that would just be pretty. It auto-types it in. There it is. It's cracked. I've gotten the password. I know what it is, and I have access. This one's still crunching away, because this one has a much more processor-intensive check mechanism. And the same thing: it finds the password and types it into our target. And again, it gets us in. I have access to the encrypted material.
A brute force that can be adapted quickly and easily by an average-level programmer. That's the target. And that's the power. A little bit of cleanup from the demo. All right. A lot of this injection I covered last year. Injecting at runtime has a lot more power than attacking on disk, but it's much easier. You don't have to worry about security methods. You can catch my talks, Hacking .NET Applications: A Runtime Attack, from DEF CON. I presented at Arsenal at Black Hat last year, AppSec DC, DojoCon. I have them up on my website, and this will walk you in depth through attacking in memory. Pretty much the same talk now, but an entire length on just attacking in memory.

So attacking in memory and on disk. This is the other distinct half. Attacking on disk doesn't quite have as much power as attacking in memory, but it is much more permanent and effective, but requires a little more skill and finesse. Gray Wolf is a decompiler I wrote specifically for attacking .NET applications. Not a decompiler that gets you access to the source code, but a decompiler for attacking. It includes the mechanisms that I normally use over and over and over again. This is by no means complete. It was an internal tool. The best decompiler that was on the market was free. A company bought it so they would keep it free forever. They then started charging, and it phones home. You need to give them your credit card, and I no longer pimp their products. So I released my internal tool, and it's free. It gets you access into other people's applications and brings along a lot of the things you're going to need to attack on a daily basis. Gray Wolf iterates applications of the .NET ilk specifically. And that's its sole purpose. You drag and drop an executable or a DLL. This is decompiling. .NET gives you source code. It is an intermediate language; as long as it's unprotected, you're perfectly fine.
You're going to see proper classes, namespaces; you're going to click on a function and see source code, pretty much what the original developer wrote. This is very, very effective for making cracks when you're trying to black-box test something and you have the source code as well as the ability to quickly manipulate it. That's what this is specifically for. And we'll do stuff like, if it's an obfuscated or unobfuscated application, you might want to find Main. So I wrote a Find Main button. It simply moves you down, and this is Main. People can change the name of Main, and it can be hard to find. And here's their Main. And then you can start seeing if they put any protection mechanisms or sanity checks at the beginning of their application, all that. And you can do stuff like change whether something's public or private, and all that. I haven't completed everything you need, like changing public and private for the classes, but it's on the functions, because I had a project where I needed to change the public and private on a function. So as I either receive people that want to support it with monetary funds, or I need it, I add features, and then you get free features. That's Gray Wolf.

So attacking on disk. You connect in and you access. You decompile it and get the code and base technology of your target. You infect it and change your target's code to accomplish whatever goal you might want. You exploit whatever logical vulnerabilities or technological vulnerabilities might be there, and then remold your application and deploy. That is pretty much as simple as I stated it. That's about as simple as it's done, as you'll see later on.

The weak spots that you're going to go after in an application: you want to flip a check. You want to set a value to true. You want to cut the logic. You want to return true. You want to access a value. Set a value to true: Registered equals false; Gray Wolf, Registered equals true. A check: A equals B. Password validation.
A equals B becomes A not equals B. Only invalid passwords will succeed. You could see how you might want to do that one, and it's about six clicks. Registered equals true on this function: you simply insert a return true at the top, negating any logic that might be in that function. IsValidKey returns true, regardless of what you pass in. SQL cleaning: cutting the logic. Very scary. Imagine how many applications have only one function, because that's what good developers do, right? And it just returns the original string. It's been "cleaned." It sends it up to the server. Who would not actually take advantage of that? Valid password: accessing a value is much stronger than you might think. When you have access to the internal variables of your target, you can do awful things like show the value you're comparing against. Instead of just subverting that check, you show it. Or put it in the clipboard, save it out to disk, whatever you want. You can just iterate the whole program and show every variable. This is much stronger than I had anticipated.

Registration checks. We want to make keygens, right? That's a question. Clap, clap, clap. There you go. Okay. So keygens and cracks. These are, from my experience, the top mechanisms that they use. They'll make a public and private key. They'll sign an XML and they'll push it down to your machine. Inside the application, it'll decrypt it and execute it. This is averted by changing the key. You simply change the public key, and it's yours. All of these things are from six clicks to five or ten minutes. They're pretty easy on unprotected applications. The next one is a little weird, but I see it so often. You take your name and the registration code, you do a little bit of math, and you compare it to a known value. You ask it what the known value is, and that's your keygen. That's it. Calling the server: you hack the call. You just mess it up.
Whatever they're calling, whether it's a UDP packet or a TCP connection, you just mess it up. Demo equals true. It could be false, and it might. Complex math: this is my favorite, because it's like a Rubik's cube that someone meant you never to solve. You sit there and you chop it up and you break it with complex math. It's always fun. And 1% of the time, they'll actually ship the key generation with the product. I'm sure it made sense to someone to put the key generation inside of the application and ship that to you. You simply go there, you fire it up, you put in what you want, and you get the key generation, and you don't even have to write anything. And it's a little more than... it's 1% of the time, plus or minus.

So, public/private keys. Like I said, if you can beat them, why join them? You have some complex math that you would have to do to break it, or you just set it to an easy key that you have. And then you ship the product, and you can turn out as many keygens as you want, because you own the key. Server call: it points to whatever you want. The system ID: you put in some easy value to manage. You simply give them whatever would solve it, and that's it. Registration code replay attack: this is just fun. You have a name that you pass into a function. It returns whatever that function would do to that name. It then compares this to your registration code. If these two match... if they don't, you're not registered. Like I said, replay attack. You take the value and then you play the game again. Of course, some people add more things, where it seeds with the registration code or some complex math. And it, of course, works. Complex math, my favorite. You chop up the math into its individual sections, and then you attack each one of them individually. I like to start from the weak one and go to the strong. And for dev purposes, I recommend that you put a brute force on each section that you haven't completed.
And so as you beat the weakest one, the rest of them are brute forced, and you can validate as you go through, until you've removed all of the brute forcing and you have a pure keygen. We would like to see that, right? Well, as some company might be mad if I showed how they did their registration check, here is a white-boxed application. Drag and drop it. You get access to the source code, and at home, at your leisure, you can look and see how this is done. So it takes your username and your key, and it doesn't work. Of course, there's a keygen, and it works, all of that. So you pop open the application that you want to keygen, you target into what that button does, which I showed you earlier, which happens to be KeyCheck, because a lot of people use good naming, right? So a lot of them will put something like, this is version 12 of our enterprise application, and they'll tag that at the front of the key. They'll then do a whole bunch of string manipulation. I'm just walking you through, because I would have liked to know what a common key validation sequence looks like, so I figure you would, right? When it gets to the complex math... okay, one half is IL, the other is source code. So it gets to complex math, and it starts doing bizarre stuff like taking powers and then modding it. This is pretty common. This is a lot of the complex math that you're going to see. And oddly enough, a lot of the complex math is kind of similar, in that they will go out and see how someone else did it, or they will look at an old one, and they will reuse that same paradigm. So you could look at how I did the key generator and see how I overcame each type. And there are some types of complex math that are very hard to overcome. And I put in a brute forcer that brute forces just two digits out of the long key. The rest of it I overcame with complex math.
You can see how I did it; play at your leisure. And for dev purposes, it is very nice to see a completed keygen and key: easy to find, not obfuscated, not going to spend a lot of time hacking through bullshit.

So, the best key logger. I decided that I wanted to hurt this application for this speech. This is a bad piece of software that you should never use on something you like. It's pretty much malware pretending to be a valid application. So I'm going to fuck it up. Okay. So this application, it's a key logger. It sits on your system and it says, you pay me $50 and I'll be a key logger for you. It has a password. You type in the wrong password, and it doesn't let you in. When you take this key logger and you drag and drop it into Gray Wolf, we're going to overcome that real quick. So inside of Gray Wolf we'll tunnel down through the... this is the core executable. These are all of the supporting DLLs that you might want to go into, and of course you can pull up all of their source code just as easily. But we're going to target the core executable; tunnel into that. So here's the top namespace. I have a piece of paper, since my computer is being used right now. And there we are. So, classes. Unlock. Here we are. The password validation sequence. We'll open this up. I designed this tool specifically with demos in mind, so I could zoom up the code for you. If you read .NET, it's pretty easy to see how you might get past this, right? It takes the value you enter. It takes the known value, and it directly compares them. This is comparing plain text against what you typed in. This is the worst type of check that you could possibly conceive of, other than return true at the top. We have some Dropbox users, huh? Okay, so like I said, this is attacking. We're going to insert into this application. We'll turn off the C#. Okay, so this is IL. I'm going to pop off getting the value that you enter. This is the value that you type in. I insert some NOPs.
It's pretty easy to know what NOPs do, right? This just opens up some room. So we have our value that we got out of the application on our stack. We'll call a function: System.Windows.Forms.MessageBox.Show. That's going to do it. That's the call sequence. We put call down here. We target what we want to put in there, and now we've done a call to show that password out to the screen. So when I said get a value, that's it. It then returned something onto the stack. We pop that off. We then have a comparison operation that was done before. We'll destroy that, and we're going to push true onto the stack, because it would be nice if that comparison was still there. This is push one onto the stack, an easy-to-read lookup, and that pushes one onto our stack. Here's our C# code. You're going to clap when you read this: MessageBox.Show(password); true. That's it. We then come up here, save it out, an executable with an easy, different tag name. It's saved out. It's on disk. Open it up. Type in gibberish. This is the password. Win.

Like I said, I'm going to fuck this application up. So here's the next demo. We're going to attack the key generation on it. So we open up Gray Wolf again. This edited copy that I don't want to type the password into. We're going to take this. Crack its key. Drag and drop it. And this compiles a good version of it, all that. So that took what probably might take you a minute to do. And now I'm going to crack the key. That is... I'm using paper like a Luddite. Okay. System. Okay. System class is Core. Okay. System Core constructor. Okay. So here is exactly what you're looking for inside of your target. I went and did my reconnaissance. I now know what the key validation sequence is. This is a string that I did before this. I'm going to take this string. Come in here. Here's our target. I'll go through the IL. Here's our target. Replace it. Here's our C# code. So that little change is the re-keying sequence. That's it.
There's no going through and doing something complex, because this is a very weak key validation. It uses a... have you been signed with the public/private key that I talked about earlier? And if so, then I'm going to decode it and implement it. So here's our target opening up. Type in random. It's a little fast, and that's the power of this. This is now keyed to "I'm alive." And it's validated. I mean, that seems a little simple, right? Like, I replaced one string, and that's kind of the power. Like, I can say in six clicks you can re-key an application. You don't have to know how to be hardcore. You have a validated full. It looks legit, like there's something hardcore going on, and it's that one string. This takes a couple of minutes: read through their code, see how their key validation is done. Oh, I have to replace that. I want to use whatever complex algorithm. I'm not going to disclose it, but when you read through their code, it's pretty easy to make that random string that I threw in there.

So they do have something weird going on, where they do crazy obfuscation, where they literally do crazy obfuscation. I'll talk about that. And they have taken bad coding practices and just started shoving code inside and ripping code off of other people. And so they lie to you about what they're doing, this and that, and there's a lot of just bizarre shit going on. Literally crazy. So one of their classes, when you type in keys, it's encrypted. It uses a hard-coded key, combines this with your password. It then does AES. And there's another one where, when it writes out, it uses Triple DES, a bunch of hard crypto. However, in some of it, like the Triple DES, it only uses a hard-coded key. It uses zeroed vectors, and it stores your password in the plain. So it might be easy to decode, right? I was like, oh, I can do that in an hour for the conference. So a couple of days ago, me and some friends started coding it up, and here it is. Here's the decryptor.
And I'm not going to give it to you, because they're literally crazy. Instead of using any of that crypto I talked about, they simply used something obscure like ASCII to encrypt it, and then saved it out to a file. They have all of this hard crypto, and then they don't use it. So I spent a couple of hours for this, to develop that application that I showed you, and then they don't encrypt it. So I mean, good obfuscation like that threw me for a loop; that wasted a lot of my time for no good reason.

So, Gray Wolf. I want to talk about the power of being able to look through an application. So Gray Wolf has a key inside of itself. When you dig into Gray Wolf, you go find Main. A lot of old applications from the C++ days do their key checking call in void Main, and then they put the key checking algorithm right next to void Main. And then there's a key checking. So something that's nice about Gray Wolf is it's free. And it has key validation. I've showed you how to jump straight to that. Inside of Gray Wolf Pro, I've packed all of the source code that you're going to need for Gray Wolf itself. I'm running a little short. We're going to skip that.

Okay. So, IL. It's kind of the code of the Matrix. You're looking at C#. You're looking at VB.NET. It's actually IL. Also, if you're looking at obfuscation, you're looking at IL. It's kind of a new version of assembly code. There's pushes, pops and all of that. It's definitely worth learning if you're serious about attacking applications. If you're not serious, you can just get your Wikipedia page, put it up next to the application, and just do it one line at a time, and it'll take you a few lines. So you don't actually need to know it.

So this is the midpoint Q&A and all of that. So I'm trying to include a little bit more audience participation; if you have a burning question and you think it's highly applicable, you're welcome to raise your hand. No. Okay. So it can't be that easy, right?
We all know that computers are secure and Microsoft has done all of their work to stop us. We use secure dongles. We phone home and do registration checks. We look for updates and do DB calls and Twitter, whatever, and we have crypto objects on our secure application. These are all nice targets, because programmers segregate their code nicely. When you do an upgrade call to the server, just like that keygen server call hack, you simply say, why don't you come to my server and use my key to pull the new payload to update, and then install the new malware that I want to ship to you. You want to leak new data: when your application phones home, you're going to send a little bit of exfiltration data and add your back doors. That secure USB dongle: a lot of them use return true, which is really scary when you're showing the executive, here you go, here's your $30,000 dongle. And crypto: chop it off, replace it with your own, whatever you want.

So, security by obscurity. This is what every single person that has heard "Microsoft, this is how we're going to protect you" will say. There's code obfuscation, there's logic obfuscation or crazy obfuscation, there's unmanaged calls that Microsoft uses a lot of the time, there's shells, packers, all of these things. This all shuts down decompilation, or slows it down to a lesser extent. Obfuscation: this is what it looks like. Instead of using a proper name, they just put something that's hard to read. Instead of returning true or false or checking some variable, they do something a little bizarre. That's obfuscation. And they'll say, well, does obfuscation stop you from getting source code? It's like, yeah, but I mean, that's source code. I mean, that's not harder. I mean, it's going to take me five or ten lines, and it's going to take me an hour instead of five minutes. Sure, it slows me down. This is obfuscation.
You can find your target, but it might take a little bit of time. There might be twelve other ninjas. It's just a little bit harder. You might be a little worried about something that you missed, but that's it.

There's security by security. There's signed crypto code that Microsoft has put on your applications that can verify the creator, strong names, blah blah blah. This shuts down tampering. This is a strong name; this is what it's constructed out of, if you actually don't know this stuff and you want to. Private key signing, 1024-bit crypto. This is impossible to break. It guarantees you that your author is the only person that has made the modifications to the blah blah blah. Protection on disk: shells, packers. Your secure application, you can't get to it because it's secure. It's not going to decompile. There's a C++ that runs crypto that then unpacks it in memory, and they'll tell you how this is impossible to break, it would take the CIA a million years. And here it is. Gray Wolf spins up, and here's that application that I brute forced earlier. We're going to drag it in here, and it works: it shut down Gray Wolf. It did not decompile. It's like, I don't know, it's packed with something, it's encrypted. So, that same thing. Okay.

And so, Gray Dragon. I really like it. I hope you like it; let me know on the internet if you do. It scans through all of the processes, identifies the target, puts it up here, and it says, okay, 64-bit, drops us in. Oh, wrong one. Okay, inject into the target. And as you can see, it found a new process that's .NET; I could inject into that. Okay, so back to injecting our payloads inside of our hard target, right? Like, you're inside of your target, and it's gotten it, but you don't have access to the source code. And we'll spin it up. We have access to our... I did inject into the right application, right? Okay, I'll step back and run that one one more time, just because it's really nice. Okay, so we have our payload. We inject into our target, drop a target, get our shim, drop
our payload. This edits the structure. Inside of every single payload, I put a back door that talks over a named pipe, so that payload that I dropped in now reports into another application that says, why don't you run another payload? Because you can keep injecting multiple things. If you saw my talk, or you look it up, you can shove as many applications together as you want. Just keep shoving applications together, and they'll mix, and they'll be in the same memory space. So here's another payload. We have access to all of the objects in memory, and this iterates all of the source code. Here's the source code. This is all in IL. It's highly obfuscated, but as you saw, it was protected before. That would shut down every single decompiler on the market, but now I'm getting their IL out of memory, because like I said before, all of the protection falls away. This gets you straight into your target, no matter how they... I mean, they can move it down into C++ and they can put it in assembly. If they left it in .NET, you have their source code, period, always. They'll play some games, they'll try and move it, but you can always hunt them down. They can't hide from you: as long as you put it in memory and it's touched by the processor, you can get to it. So that's a hardened application. That's the "this is impossible, you can pay us a million dollars and we'll protect your secure application." And this is the pitch. Like, you can develop your application for a hardened one, you can develop it for a friendly environment, and I've done other speeches where there's trade-offs. Every single time that you add a protection, it adds a vulnerability.

Can't be that easy? Of course it's that easy. I'm a hacker. Your public/private key tokens: you simply steal them. You put them on an erroneously signed application, and at this point it is still signed by the original key. And yeah, it's pretty much that easy. It's like the slide: it just moves it over to the erroneously signed executable, because Microsoft leaves the signed code
checking off so they're 1024 bit crypto that's going to stop you from attacking a core windows DLL that's protected it's off by default so when that genuine Microsoft application runs calls a DLL you're inside of your target this is how you turn it on you can also add something to the manifest to turn it on so it won't load it and it'll error out however you can still do it to the executable and the system will say well it's not signed properly it's probably expired and it runs and so you're in just the same so every single one of their mechanisms is subvertable pretty easy come on Microsoft check it if you ask for a password don't tell people it's going to secure something if you're not going to check it ASM I'm not going to go into detail on this but you can run assembly code inside a dot net applications in safe code and it's really fun all you need is reflection or unmanaged calls you can drop ASM and I put this out there GAC you need to know what the GAC is this is what the GAC looks like on disk you take out desktop I&I it's a regular folder there's a bunch of GAC there's a bunch of native images that you have to destroy the GAC just goes on and this is why you need to know about the GAC when you call an executable it puts its DLLs in the GAC it then turns it into a native image you delete the native image replace it in the GAC and then hack so you destroy the native image you have your application attacking in the GAC not on disk so it is calling into the GAC it's attacking out of the GAC they whitelist they go through all of the program files there's no changes but you're attacking out of the GAC some random ass application is being attacked instead of program files and Windows GAC so it's a great place to hide an attack attacking from the same framework same idea becomes a process you infect the framework every application calls a framework and then you're in the process so you're globally in every single application on the system that runs .NET Visual 
Studios there's a exploit in Visual Studios to run arbitrary code and it brings up oh you downloaded this off the internet you could be in danger Will Robinson so it runs arbitrary code when you open a form that's what it does so here's an application that it ran I talked about this last year but real quick there's code inside of the constructor of a user control it runs a constructor every time you view the form and there's a payload that elevates past the UAC automatically UAC hacks all that it would automatically elevate past the UAC and then shim and attack applications inside of Microsoft those signed things that are hard to attack here's a payload that I developed to show that off something that should be hardened say PowerShell I inject into PowerShell modify PowerShell this would all be completely silent so you can imagine that the user opens the code looks at the form doesn't click run opens PowerShell and then something like this happens and of course this is fun for an office prank if it was a key logger then we would be talking about some real danger right I mean this is a great vector for doing viruses and malware because once you fuck up an application you own it you can do pretty much any viral thing you want so you're not a hacker you can defend your applications with this you can harden them you can verify your tools that you're downloading like you download my tools how do you know that I'm not screwing over your applications in your system you can look at my source code this is very defensible it's something we should do as a small part of our community for the rest of the community when you look inside you're gonna be able to take control don't be helpless all that you're gonna find that all of the keys you're gonna find passwords technology weak spots good code bad code you're gonna find out what kind of security log in you're gonna find out what kind of data leakage is happening you're gonna find out what kind of keys you're gonna find out 
what kind of crypto it just goes on you're gonna understand what that application does and here is air crack just because I thought I would show something positive instead of something negative so here's air crack it's just a little gooey that they threw together and bam it's prettier it's better it's a little more user friendly I can now upgrade air crack and this is something that you can use not just to attack but to make things better so your malware that's there's 1% of us that make malware how do you hide you use the same things use shells, cryptos if they call unmanaged code you break out and attack use obfuscated code signed DLL protection to make your target feel secure you wanna use intelligent names like your target coding style like your target you wanna blend in with your target you wanna do as much as you can to just look and feel as though you're the target because you're writing source code you don't have to do ugly source code make it pretty make it don't use for loops I mean these people that are hunting malware are like well they're gonna use a true so I'm just gonna look for a spinning loop and then I'll find them out or don't do it make it hard form make them work for their millions of dollars at HB Gary sells them so all the tools they're free the source code I'm gonna sell for 80 bucks or you can decompile and spend eight hours you can join and catch my beta for 80 bucks all of my new tools they're coming out constantly and you can see what's in constant development and there's a bunch of tools that I'm holding back if you join and you want specific things I'll be more inclined to make them and support the community because without community support companies come along buy this up and then sell it to you or don't sell it to you and sell it to people that aren't you so a root kit is vicious here's Windows media here's a Windows application that auto elevates when you have a shim inside of this application this is just a little take my word 
for it this is saying this is an administrator so this is administration this is an auto elevated application that you can inject into and do vicious things from so story time I thought that I would give a little bit of fun things from my experiences so HB Gary showed up at Black Hat he didn't come here but when he showed up at Black Hat he was presenting things like his new shirt because we all know that HB Gary pisses on anonymous, right? So he was giving away shirts and getting heckles from other vendors I mean these are corporate vendors that were heckling HB Gary at Black Hat how sweet, right? So if there's any last Q and A and if anyone wants this shirt raise your hand I didn't see any hands oh there's a hand okay, okay so that's the free stuff I hope you enjoyed this shit because I worked hard
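On the talk's point that the runtime leaves signature checking off by default, here is an added defender's audit (my example, not code from the talk or from the speaker's tools) that reports whether strong-name bypass is still enabled on the host and force-verifies the strong-name and Authenticode signatures of a set of assemblies, so a re-signed or tampered file shows up as a failure; the application directory is a placeholder.

```powershell
# Added defender's audit (not part of the talk): is strong-name bypass still on,
# and do these assemblies actually verify when verification is forced?
# Per application, <runtime><bypassTrustedAppStrongNames enabled="false"/></runtime>
# in app.config turns verification back on; AllowStrongNameBypass=0 does it host-wide.

Add-Type -Namespace Audit -Name StrongName -MemberDefinition @'
[DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool StrongNameSignatureVerificationEx(
    string wszFilePath,
    [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
    [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);
'@

function Test-StrongNameBypassEnabled {
    # A missing value means the default: bypass allowed for full-trust assemblies.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AllowStrongNameBypass -ErrorAction SilentlyContinue).AllowStrongNameBypass
        if ($v -eq 0) { return $false }
    }
    return $true
}

function Test-AssemblySignatures {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        $wasVerified = $false
        # fForceVerification = $true: ignore any skip-verification entries and really check.
        $ok = [Audit.StrongName]::StrongNameSignatureVerificationEx($file, $true, [ref]$wasVerified)
        $auth = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File            = $file
            StrongNameValid = ($ok -and $wasVerified)
            Authenticode    = $auth.Status          # Valid, NotSigned, HashMismatch, ...
            Signer          = $auth.SignerCertificate.Subject
        }
    }
}

if (Test-StrongNameBypassEnabled) {
    Write-Warning 'Strong-name bypass is enabled: a tampered full-trust assembly loads without an error.'
}
# Placeholder path: point this at the application directory you want to audit.
Test-AssemblySignatures -Path (Get-ChildItem 'C:\Path\To\App\*.dll' | ForEach-Object FullName) |
    Format-Table -AutoSize
```

A row with StrongNameValid false or Authenticode HashMismatch is an assembly whose bytes no longer match what was signed, which is exactly what the CLR will not tell you on its own while bypass is enabled.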