.NET Reverse Engineering Tool Released

Very few applications are written with self-protection in mind.  It’s just not something that’s thought of because it’s still not a primary concern for most developers.  They tend to focus on application delivery deadlines since that is what keeps money in the bank and food on the table.  Jon McCoy, a .NET software engineer and consultant at DigitalBodyGuard, has released a new tool at Black Hat 2011 that makes it easier for programmers to reverse-engineer applications developed using the Microsoft .NET Framework.

Reverse engineering can be critical to understanding an application’s weaknesses and how to defend it against attacks.  McCoy demonstrated how the tool can be used to attack Microsoft Media Center on disk and provide access to its source code in less than a minute during his presentation, “Hacking .NET Applications: The Black Arts”.  “Unfortunately, 90% of the market is vulnerable to the level of Media Center,” McCoy said.  “Very few applications are ever protecting themselves.  It’s just not something that’s thought of because it’s a slightly new paradigm.”

The new tool is a compiler/decompiler called GrayWolf.  It lowers the bar for entry-level programmers who want to decompile, reverse-engineer and manipulate .NET programs.  It allows the user to gain access to and change things in memory, manipulating and controlling any program. “The tool I’m releasing and the techniques I release on the .NET framework simply make it easier.”

Decompiling aids in revealing and understanding Microsoft .NET application security issues, dependencies, underlying weaknesses and design flaws.  For example, an application that stores passwords can be decompiled to determine if it employs strong encryption and other secure software development best practices.  If it is riddled with vulnerabilities, contains backdoor code, or will likely leak stored passwords, the decompiling process will make these issues apparent.

The tool itself is free, and access to the tool’s source code can be had for $80. The goal with this release is to make it as accessible to programmers as possible.  McCoy has talked with Microsoft engineers about his research and they call his work a clever use of features.  McCoy’s techniques can fundamentally be used on applications written in any coding language.  He plans to showcase the GrayWolf tool again next week at the DEFCON 19 hacker conference.

McCoy, who consults on how to harden .NET apps, hopes developers will take advantage of the tool to harden applications against attack and data theft.  Good on ya, Jon.
