LAS VEGAS – A software engineer with a penchant for cracking .NET applications has released a new tool that makes it easier for inexperienced programmers to decompile programs themselves.
Very few applications are ever protecting themselves. It’s just not something that’s thought of because it’s a slightly new paradigm.
Jon McCoy, a .NET software engineer and consultant, released a new tool at Black Hat 2011 that makes it easier for programmers to reverse-engineer applications developed using the Microsoft .NET Framework, an exercise that can be critical to understanding an application’s weaknesses and how to defend it against attacks. McCoy unveiled the new tool during his presentation, “Hacking .NET Applications: The Black Arts” and demonstrated how it can be used to attack Microsoft Media Center on disk and provide access to its source code in less than a minute.
“Unfortunately, 90% of the market is vulnerable about to the level of Media Center,” McCoy said. “Very few applications are ever protecting themselves. It’s just not something that’s thought of because it’s a slightly new paradigm.”
The new tool, a compiler called GrayWolf, lowers the bar for entry-level programmers who want to decompile, reverse-engineer and manipulate .NET programs.
“If you can gain access to changing something in memory, you can change any program in memory and you can manipulate and control any program,” McCoy said in an interview with SearchSecurity.com. “The tool I’m releasing and the techniques I release on the .NET framework simply make it easier.”
Decompiling helps computer programs vet applications to understand Microsoft .NET application security issues, namely the applications’ underlying weaknesses and design flaws. For example, an application that stores passwords can be decompiled to determine if it employs strong encryption and other secure software development best practices. If it is riddled with potential holes, has backdoors and will likely leak any stored passwords, the decompiling process helps determine whether an application should be sent back to the developer to be improved.
GrayWolf had been in beta. This is the first time the free tool has been publicly released, McCoy said, adding that he charges $80 for access to the tool’s source code. The goal with the release, he said, is to make it as accessible to programmers as possible.
McCoy said he has talked with engineers at Microsoft about his research and they call his work a clever use of features. While the techniques McCoy demonstrated on stage target .NET applications like Microsoft Media Center by attacking them on disk, he said fundamentally they can be used on applications written in any coding language. He plans to showcase the GrayWolf tool again next week at the DEFCON 19 hacker conference.
“It’s like whittling a chair, no one can tell you exactly how to do it,” McCoy said. “It’s certainly within the bounds of laws and ethical standards.”
McCoy, who consults on how to harden .NET apps, said he hopes developers take advantage of the tool as part of the process of hardening applications and making it more difficult for an attacker to penetrate them and steal data.
“It doesn’t really help you write a better app,” McCoy said of GrayWolf. “It helps you understand how to stop other people from decompiling and getting your source code or doing bad things to your application.”