Wednesday, 24 June 2015

Some Notes on Identifying VB.Net Compiled Assemblies

I've been looking at .NET based keyloggers/infostealers lately, as I've seen an increase in samples being delivered via phishing emails. One thing I've noticed is that a lot of the samples shared similar functionality, appeared to directly copy core functions, or were simply refactored versions being passed off as 'new' keyloggers.

Some analyses online, though, would describe samples I was tracking as VisualBasic as C#, and vice versa. This was confusing for samples I was tracking as copies of another variant, as I expected them to share the same source language.

I started looking at how VisualBasic and C# are compiled and whether you can determine the source language of a .NET assembly. The following examples are simple 'Hello World' applications written in C# and VisualBasic.



With the exception of the string content we can see that the IL instruction set is identical in both the C# and VisualBasic assemblies.


If we expand this to include all of the sample assemblies' instructions we do see a difference within the exception clause. In the VisualBasic IL there are two additional instructions:

  • dup (duplicate the value on the top of the stack)
  • call SetProjectError



The SetProjectError method is documented as:

This API supports the .NET Framework infrastructure and is not intended to be used directly from your code. The Visual Basic compiler uses this helper method to capture exceptions in the Err object.

Looking for information on the SetProjectError method I came across a post on the microsoft.public.dotnet.languages.vb list where Niklas from the compiler team replied "The extra two calls are there to support the 'On Error' language feature which was retained to make it easier to upgrade from VB6 to VB.NET..."

This gives an indicator, when looking at IL, of whether it was generated using the VisualBasic compiler (vbc.exe). Within the catch clause the compiler will emit a call to SetProjectError and, depending on the logic, ClearProjectError. We don't see the second call in the example as the exception is thrown.

To test this I decompiled the VisualBasic-compiled application and exported the IL as C#. Looking at the generated C# code there is the call to SetProjectError and a reference to Microsoft.VisualBasic.CompilerServices. If the source code had been generated from IL compiled using the C# compiler, we would see 'throw exception;' with no reference to the SetProjectError method.



Another potential indicator that can be used to identify a VisualBasic compiled assembly is the inclusion of the class StandardModuleAttribute which is documented as:

This class provides attributes that are applied to the standard module construct when it is emitted to Intermediate Language (IL). It is not intended to be called directly from your code.

VB.NET modules are identical to a class with only shared members. Looking at the emitted IL, the module is compiled as a sealed class and there is an additional reference to StandardModuleAttribute.



Generally, determining the source language isn't needed when examining .NET malware, as the assembly will have identical functionality regardless. But it can be helpful when tracking the evolution or variants of malware samples. The VisualBasic compiler (vbc.exe) will emit a number of instructions which are specific to VisualBasic-compiled assemblies.

There are a number of other attributes which are generally specific to VisualBasic assemblies that can also be used as indicators, such as the use of the My feature and a number of other classes referenced within the CompilerServices namespace.

Although these are specific to VisualBasic, C# applications could still reference functionality within VisualBasic namespaces. Obfuscation may also obscure the inclusion of these and isn't something I've looked into, but as they are references to the framework they should still be evident in samples.
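As an added example (not code from the post), the following Python script pulls the #Strings heap out of a CLI metadata root and checks it for the names discussed above: the SetProjectError/ClearProjectError helpers, StandardModuleAttribute and the Microsoft.VisualBasic.CompilerServices namespace. It assumes you have already located the metadata root through the CLR header's MetaData directory (dnfile or pefile can do that); the build_metadata_root fixture is a constructed stand-in for real compiler output so the parser can be exercised offline.

```python
import struct

# Names the post identifies as vbc.exe-specific: the catch-clause helper calls,
# the attribute applied to VB Module types, and the namespace they all live in.
VB_INDICATORS = {
    "SetProjectError": "ProjectData.SetProjectError call in a catch clause",
    "ClearProjectError": "ProjectData.ClearProjectError call after the handler",
    "StandardModuleAttribute": "VB Module emitted as a sealed class",
    "Microsoft.VisualBasic.CompilerServices": "TypeRef into the VB helper namespace",
}

def strings_heap(meta: bytes) -> bytes:
    """Return the #Strings heap from a CLI metadata root (ECMA-335 II.24.2)."""
    if meta[:4] != b"BSJB":
        raise ValueError("not a CLI metadata root")
    ver_len = struct.unpack_from("<I", meta, 12)[0]   # already padded to 4 bytes
    pos = 16 + ver_len                                # skip the version string
    n_streams = struct.unpack_from("<H", meta, pos + 2)[0]
    pos += 4                                          # skip Flags and Streams
    for _ in range(n_streams):
        off, size = struct.unpack_from("<II", meta, pos)
        end = meta.index(b"\0", pos + 8)              # null-terminated stream name
        name = meta[pos + 8:end]
        pos = (end + 1 + 3) & ~3                      # name padded to 4-byte boundary
        if name == b"#Strings":
            return meta[off:off + size]
    raise ValueError("#Strings heap not found")

def vb_indicators(meta: bytes) -> dict:
    """Map each indicator found in the assembly's #Strings heap to what it means."""
    names = set(strings_heap(meta).split(b"\0"))
    return {k: v for k, v in VB_INDICATORS.items() if k.encode() in names}

def build_metadata_root(strings: list) -> bytes:
    """Constructed fixture, not real compiler output: a minimal metadata root whose
    only stream is a #Strings heap holding the given names."""
    heap = b"\0" + b"\0".join(strings) + b"\0"
    version = b"v4.0.30319\0".ljust(12, b"\0")        # 11 bytes, padded to 12
    name = b"#Strings\0".ljust(12, b"\0")             # 9 bytes, padded to 12
    header_len = 16 + len(version) + 4 + 8 + len(name)
    return (b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
            + struct.pack("<HH", 0, 1) + struct.pack("<II", header_len, len(heap))
            + name + heap)

if __name__ == "__main__":
    sample = build_metadata_root([b"Main", b"System", b"Object", b"ProjectData",
        b"Microsoft.VisualBasic.CompilerServices", b"SetProjectError", b"StandardModuleAttribute"])
    for name, why in vb_indicators(sample).items():
        print(f"{name}: {why}")
```

A hit on the namespace alone is weaker evidence than the helper calls, since a C# assembly can reference Microsoft.VisualBasic directly, as the post notes.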



References

  • https://en.wikipedia.org/wiki/List_of_CIL_instructions
  • https://msdn.microsoft.com/en-us/library/Microsoft.VisualBasic.CompilerServices(v=vs.110).aspx
  • https://msdn.microsoft.com/en-us/library/s4kbxexc.aspx
  • http://discuss.joelonsoftware.com/default.asp?dotnet.12.353213.14
