Friday 3 December 2010

Removal technique using CSharpCodeProvider

Defining a full set of removal rules as plain data (e.g. formatted as XML) is difficult because of the complex nature of a malware removal script. It might involve loops, conditional code and all manner of calls to system APIs to gather information before removal. This makes a rigid data format nearly impossible to create and maintain. Instead, Aether will use removal scripts written in C# to remove detected malware. As it turns out, this is not nearly as difficult as it may at first seem.

All .NET source code (C#, VB.NET, F#, etc.) is translated into Common Intermediate Language (CIL) bytecode at compile time, which is then placed into a .NET assembly[ref]. At runtime, the Common Language Runtime (CLR) just-in-time compiles that bytecode into instructions native to the processor. The framework not only allows some interesting runtime manipulation of this process, but also allows a program to call on the C# compiler itself at runtime (via the CodeDOM classes in System.CodeDom.Compiler) to compile .NET source code into a managed assembly for use in the program. This assembly can be written out to a file, or loaded straight into the current process for use via reflection.

.NET runtime compilation diagram

We can use this technique to write malware removal definitions. The raw source code of the removal process is stored in the definitions file (obviously kept secure using a digital signature) and is then loaded into memory and compiled. The program then uses reflection to discover the assembly's entry point and begin execution. The removal code executes inside the host program's memory space and does not need a separate process. Two practical caveats follow from this. First, the compiled script runs with the full privileges of the host, and an anti-malware scanner typically runs as an administrator or as SYSTEM, so the signature must be verified before the source is ever handed to the compiler, and a definitions file that fails verification must be rejected outright. Second, the CodeDOM provider does its work by invoking the command-line compiler (csc.exe) and passing through temporary files, so while execution is in-process, compilation itself is not entirely free of disk and child-process footprint.

The actual compilation code is not complex or difficult. It can be accomplished in around 20 lines, using the CSharpCodeProvider and CompilerParameters classes, with the compiler's errors collection checked before the result is used. Using reflection on the produced assembly, we can then locate and execute the removal code. It is also trivial to pass parameters to methods in the assembly, for example the location of the infected file.

To save overhead, compiled assemblies will be cached in memory for the duration of the scan, so each distinct script is compiled at most once. Simple removals (kill process, delete files) are covered by a single global script that is compiled automatically when a scan begins.
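The following is an added example of the whole flow described above (compile the script source in memory, cache the result, find the entry point by reflection and call it with the infected file's path). It is illustrative code written for this post, not Aether's own loader; the type and method names ScriptRunner, RemovalScript and Run, and the convention that every script exposes a public static bool Run(string infectedPath), are assumptions made here. The embedded removal script is constructed for the example and simply deletes the file it is given. Signature verification of the definitions file is assumed to have happened before Compile is called.

```csharp
using System;
using System.CodeDom.Compiler;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using Microsoft.CSharp;

// Hypothetical host-side loader for removal scripts (example code, not Aether's API).
public static class ScriptRunner
{
    // Compiled scripts keyed by SHA-256 of their source, kept for the duration of a
    // scan so that each distinct script is compiled at most once.
    private static readonly Dictionary<string, Assembly> Cache = new Dictionary<string, Assembly>();

    // Precondition: the caller has already verified the definitions file's signature.
    // Anything compiled here runs with the host's full privileges.
    public static Assembly Compile(string source)
    {
        string key = Hash(source);
        Assembly asm;
        if (Cache.TryGetValue(key, out asm))
            return asm;

        using (var provider = new CSharpCodeProvider())
        {
            var parameters = new CompilerParameters
            {
                GenerateInMemory = true,      // load the result into this process, no output file to keep
                GenerateExecutable = false,   // produce a class library, not an .exe
                IncludeDebugInformation = false
            };
            parameters.ReferencedAssemblies.Add("System.dll");

            CompilerResults results = provider.CompileAssemblyFromSource(parameters, source);
            if (results.Errors.HasErrors)
            {
                // Never fall back to a partially built assembly; report and abort.
                var sb = new StringBuilder("Removal script failed to compile:");
                foreach (CompilerError e in results.Errors)
                    if (!e.IsWarning)
                        sb.AppendFormat("\n  line {0}: {1} {2}", e.Line, e.ErrorNumber, e.ErrorText);
                throw new InvalidOperationException(sb.ToString());
            }
            asm = results.CompiledAssembly;
        }

        Cache[key] = asm;
        return asm;
    }

    // Convention assumed for this example: each script defines a type RemovalScript
    // with a public static bool Run(string infectedPath).
    public static bool Run(string source, string infectedPath)
    {
        Assembly asm = Compile(source);
        Type type = asm.GetType("RemovalScript");
        if (type == null)
            throw new InvalidOperationException("Script does not define a RemovalScript type");

        MethodInfo entry = type.GetMethod("Run",
            BindingFlags.Public | BindingFlags.Static, null, new[] { typeof(string) }, null);
        if (entry == null || entry.ReturnType != typeof(bool))
            throw new InvalidOperationException("RemovalScript.Run(string) returning bool not found");

        // Pass the infected file's location as the single argument.
        return (bool)entry.Invoke(null, new object[] { infectedPath });
    }

    // Call at the end of a scan so stale scripts do not outlive the definitions they came from.
    public static void ClearCache() { Cache.Clear(); }

    private static string Hash(string s)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }
}

public static class Demo
{
    // Constructed sample of what a removal script in the definitions file might look like.
    public const string Script = @"
using System.IO;
public static class RemovalScript
{
    public static bool Run(string infectedPath)
    {
        if (!File.Exists(infectedPath)) return false;
        File.SetAttributes(infectedPath, FileAttributes.Normal); // clear read-only before deleting
        File.Delete(infectedPath);
        return !File.Exists(infectedPath);
    }
}";

    public static void Main()
    {
        string path = Path.GetTempFileName();   // stand-in for an infected file
        Console.WriteLine("removed: " + ScriptRunner.Run(Demo.Script, path)); // prints "removed: True"
        Console.WriteLine("cached:  " + ScriptRunner.Run(Demo.Script, path)); // same source, no recompile; prints "cached:  False"
        ScriptRunner.ClearCache();
    }
}
```

Two design points worth noting: the cache is keyed by a hash of the source rather than by script name, so an updated definition with the same name cannot be served from a stale compiled copy, and the entry point is resolved with an explicit parameter list and return type check, so a malformed script fails loudly at load time rather than at the moment of removal.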
