[Full-disclosure] [Tool] ReFrameworker 1.1
tbiehn at gmail.com
Tue Apr 20 16:54:05 BST 2010
Awesome. A+ ruin.
2010/4/19 Erez Metula <erezmetula at appsec.co.il>:
> Hi all,
> I'm happy to announce a new version of ReFrameworker, V1.1!
> ReFrameworker is a general purpose Framework modifier, used to reconstruct
> framework Runtimes by creating modified versions from the original
> implementation that was provided by the framework vendor. ReFrameworker
> performs the required steps of runtime manipulation by tampering with the
> binaries containing the framework's classes, in order to produce modified
> binaries that can replace the original ones.
> It was developed to experiment with and demonstrate deployment of MCR
> (Managed Code Rootkits) code into a given framework. MCR is a special type
> of malicious code that is deployed inside an application level virtual
> machine such as those employed in managed code environment frameworks –
> Java, .NET, Dalvik, Python, etc.
> Having the full control of the managed code VM allows the MCR to lie to the
> upper level application running on top of it, and manipulate the application
> behavior to perform tasks not intended originally by the software developer.
> ReFrameworker was demonstrated (in its former incarnation as ".NET-Sploit")
> at BlackHat, Defcon, RSA, OWASP and other places. The new version will be
> demonstrated this week at SOURCE Boston conference, for the first time.
> More information on ReFrameworker and MCR will be available with the soon to
> be published book "Managed Code Rootkits", by Syngress publishing.
> Among its features:
> - Performs all the required steps needed for modifying framework binaries
> (disassemble, code injection, reassemble, precompiled images cleaning, etc.)
> - Fast development and deployment of a modified behavior into a given
> - Auto generated deployers
> - Modules: a separation between general purpose "building blocks" that can
> be injected into any given binary, allowing the users to create small pieces
> of code that can be later combined to form a specific injection task.
> - Can be easily adapted to support multiple frameworks by minimal
> configuration (currently comes preconfigured for the .NET framework)
> - Comes with many "preconfigured" proof-of-concept attacks (implemented as
> modules) that demonstrate its usage that can be easily extended to perform
> many other things.
> ReFrameworker, as a general purpose framework modification tool, can be used
> in other contexts besides security such as customizing frameworks for
> performance tuning, Runtime tweaking, virtual patching, hardening, and
> probably other usages - It all depends on what it is instructed to do.
> It can be downloaded from here:
> Erez Metula
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
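
Added example (not part of the original post and not ReFrameworker code): since the announcement describes modified framework binaries replacing the vendor's originals, a defender can compare the framework directory against a hash baseline taken from a trusted install. The directory layout and file contents in `demo()` are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, suffixes=(".dll", ".exe")):
    """Map relative path -> SHA-256 for every binary under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result

def compare(baseline, current):
    """Return files modified, missing, or added relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed sample: a fake framework directory, then a replaced binary."""
    with tempfile.TemporaryDirectory() as root:
        gac = os.path.join(root, "GAC_MSIL")
        os.makedirs(gac)
        for name, data in (("mscorlib.dll", b"original-il"),
                           ("System.dll", b"original-sys")):
            with open(os.path.join(gac, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)  # assumed to come from a trusted install
        # Simulate a replaced framework binary and an unexpected extra file.
        with open(os.path.join(gac, "mscorlib.dll"), "wb") as f:
            f.write(b"modified-il")
        with open(os.path.join(gac, "extra.dll"), "wb") as f:
            f.write(b"x")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Because the post notes that a modified runtime can lie to applications running on top of it, the baseline should be stored off the host and the comparison run from an environment that does not depend on the framework being checked.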