Sunday, July 14, 2024

R2R Stomping – New Method to Run the Hidden Code in Binaries

Your perceived reality can differ from the .NET code you observe in debuggers like dnSpy, raising questions about its behavior beyond debugging.

Enhance .NET app startup and latency by using ReadyToRun (R2R) format for AOT compilation, creating larger binaries with both IL code and native versions for improved performance.

CheckPoint researchers recently unveiled a novel method to execute hidden code in ReadyToRun (R2R) .NET binaries by altering the IL code to diverge from pre-compiled native code, leveraging .NET optimization.

R2R stomping

Originally Microsoft’s, the Dotnet framework is now open-source and cross-platform, supporting languages like C#, F#, VB.NET, and PowerShell. It began with Windows-only closed-source in 2002, but in 2004 the open-source “Mono Project” emerged. 

Microsoft later introduced its own open-source version, .NET Core (2016), evolving into .NET 5 (2020). This research targets .NET Core 3.0+ to .NET 5+ due to the ReadyToRun format.

The traditional .NET assemblies rely on JIT for code execution, causing latency. As dotnet usage grows, solutions focus on reducing JIT reliance and improving startup times through ahead-of-time (AOT) compilation.

Here below, we have mentioned all the primary formats of AOT compilation:-

  • NGEN
  • ReadyToRun
  • Native AOT

ReadyToRun (R2R) compiled assemblies include both IL code and native code, conforming to CLI format enriched with a “ManagedNativeHeader” pointing to a “READYTORUN_HEADER” with the signature “0x00525452,” distinguishing them from other CLI images.

ReadyToRun header structure
ReadyToRun header structure (Source – CheckPoint)

R2R stomping alters R2R binaries to make IL code differ from pre-compiled native code, prioritizing native execution. 

However, managed debuggers like dnSpy/dnSpyEx have different optimization settings, leading to distinct code execution, and this method is similar to VBA stomping in MS Office.

R2R Stomping

R2R stomping modifies assembly code to make method IL behavior differ from pre-compiled native code.

Here below, we have mentioned the modification methods:-

  • Compile real – Replace with decoy
  • Compile decoy – Replace with real

Most researchers analyze dotnet assembly at the IL or decompiled C# code level, often using tools like dnSpy/dnSpyEx. However, R2R stomped assembly analysis requires delving deeper into native code.

The R2R stomped assembly analysis demands a unique approach and toolset compared to standard dotnet assembly analysis, with various tools serving specific tasks.

Here, these specific tasks are divided into:-

  • Parsing the ReadyToRun assembly structure (R2RDump, dotPeek)
  • Showing the IL code and interpreted decompiled C# code (ILSpy, dnSpyEx, dotPeek)
  • Locating and disassembling the pre-compiled native code (R2RDump, ILSpy)

Detecting ReadyToRun compilation is straightforward, whether manually or with tools like dotPeek or ILSpy, which can also handle dotnet bundle file formats.

Detection of R2R assembly
Detection of R2R assembly (Source – CheckPoint)

While static, automated detection for production isn’t available, behavioral-based detection remains unaffected by R2R stomping.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles