Udooz!

Erik Meijer, the man behind LINQ is now come up with a framework called “Rx Framework” which contains API those decorates LINQ2Objects as mathematics dual.  Let us see in details.

LINQ2O and Mathematics Dual

Wikipedia says “A moprhism f:A->B is a monomorphism if  f.g=g.h implies g = h. Performing the dual operation, we get the statement that g.f = h.f  implies g = h. for a morphism f: B->A. This is precisely what is means for f to be an epimorphism. In short, the property of being a monomorphism is dual to the property of being an epimorphism.”

 LINQ to Objects is set of extension methods which enables to manipulate on a IEnumerable<T>.  From a layman point of view, a collection is nothing but a data source from where we are pulling data using LINQ to Objects and/or ofcourse for…each.  From duality, this is f:A->B.

It is very common that we need to notify a data source when new items need to be added or existing item to be updated either.  The interaction is happened either sychronously, but in general asychronously.  Since, we are living in non-deterministic, disconnected programming world.

Updating a data source would be based on some user-interaction in an application through event.  Event is programming world idiom for asynchronous invocation, or if you take any non-user interaction application which is again based on “event” driven architecture.  This model is based on GoF’s observer pattern.

Observer Pattern

GoF says “Define a one-to-many dependency between objects so that when one object changes state, all its dependents are notified and updated automatically”.

The observer those want to be notified whenever the subject undergoes a change in state should attach themselves with subject.  If you take button click event, we can write one or more event handlers.  Whenever a button clicked, it sends EventArgs to its subscribed observers (event handlers).

Introducing IObservable and IObserver

Let us  come back to the actual problem.  Since, IEnumerable<T> can only be used to pull data from a data source as read-only i.e f:A->B, here A is data source and B is my IEnumerable<T>.  However If I want  f: B->A which means that I would like to send/push data from “B” to “A”.  Here, I treat the callback or event handlers as “A” and the events as “B”.  It means that I need to push data to a data source as like as IEnumerable which is for pull.

As part of Reactive Framework, Meijar introduced two interfaces IObservable<T> and IObserver<T>.  Based on observer pattern, IObservable<T> is source.  See the following figure.

The  Subscribe() method is used to register one or more IObservers for notification which is similar to Subject.Attach() in the observer pattern.  The IDisposable is .NET idiom which mimics Source.Detach().  To understand the fundamental objective of these objects think in reverse in place with IEnumerable.  To traverse through the IObservable, create an IObserver, give it to an IObservable, and the IObservable “pushes” data into the IObserver by invoking its methods.

OnNext() is used to iterate over data sources and push the argument “value”.  OnCompleted() is post-iteration handler.

An Example

Theory is enough.  Let us see an example in Silverlight 3.0.  I create a button with mouse move event which acts as IObservable and create a TextBox which acts as IObserver.  Whenver a mouse moved on the button, the textbox observer appends coordinates into TextBox.Text property.

To create a mouse move observable, I used System.Linq.Observable which is used to create IObservables.  I extend the System.Windows.Controls.Button with GetMouseMoves() which returns IObservable<Event>MouseEventArgs>> like the following:

public static class ButtonExtension
{
    public static IObservable>
      GetMouseMoves(this Button button)
    {
        return Observable.FromEvent((EventHandler genericHandler)
          => new MouseEventHandler(genericHandler),
            mouseHandler => button.MouseMove += mouseHandler,
            mouseHandler => button.MouseMove -= mouseHandler);
    }
}

 The FromEvent() overload takes three Action(s) as arguments. One to convert from a generic event handler (EventHandler) to MouseEventHandler.  Remaining two register/unregister.  For observers, I create a custom observer for handling mouse coordinates like

public class CoordinateObserver : IObserver<Event<MouseEventArgs>>
{
    public TextBox CoordinateTextBox { get; set; }
 

    #region IObserver<Event<MouseEventArgs>> Members

    public void OnCompleted()
    {

    }

    public void OnError(Exception exception)
    {

    }

    public void OnNext(Event<MouseEventArgs> value)
    {
        CoordinateTextBox.Text += (string.Format(&quot;Clicked at ({0},{1})\n&quot;,
          value.EventArgs.GetPosition(CoordinateTextBox).X,
          value.EventArgs.GetPosition(CoordinateTextBox).Y));
    }

    #endregion
}

I create an instance of CoordinateObserver and subscribes it to button’s GetMouseMoves()

rxButton.GetMouseMoves().Subscribe
  (new CoordinateObserver { CoordinateTextBox = this.rxResult });

The results would be

Download and Resources

Till now, there is no official release of Reactive Framework.  However, The Silverlight 3.0 Unit Test Framework uses this which comes as part of Silverlight 3.0 Toolkit.  Assembly Name: System.Reactive.dll, which unfortunately builds with Silverlight’s System.Core, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e.  See the following image:

1. First download Silverlight 3.0 Toolkit and install it.
2. Extract source code from $Program Files$\Microsoft SDKs\Silverlight\v3.0\Toolkit\Jul09\Source\Source Code.zip.
3. Get the System.Reactive.dll from $Source Code Folder$\Binaries.

The full source code of the example is available at http://www.udooz.net/index.php?option=com_docman&task=doc_download&gid=5&Itemid=5.

Though it is an uncommon attack, but it highlights the backdoor of Virtual Machine such as .NET, JVM.

Rootkit is a system which consists of programs designed to hide or obscure the fact that a system has been compromised.  – Wikipedia

 .NET-Sploit is a tool which is used to build MSIL rootkit that enables the user to inject malicious behavior to the framework DLLs (See the following picture).  The only challenge for the hacker is to compromise the particular system with administrator rights.

What does it actually mean?

After the compromising a target system, a hacker can modify .NET framework DLL those are normally located in GAC by assembling and dessembling with regular .NET tools.  This approach does not need to touch .NET applications.  All the application invoke required tampered framework DLLs which will behave strangely.  For example, using the rootkit, you can always print “Hacked” message in

System.Console.WriteLine(string v)

irrespective of any string value.  Worst part is, if a hacker is tampered  “Authenticate()” in System.Web.dll and he can capture the username and password.  Ofcourse, he can send the details to someone else using SendToUrl().

What can you do with framework rootkit?

• API hooking
• Method code modification
• Method parameter manipulation
• Object member manipulation
• Exe dynamic forking
• Metada tampering
• Return value modification

How is it possible?

Manually you can attack the framework by the following steps:

1. Locate DLL in the GAC
2. Decompile the DLL (using ILDASM)
3. Modify the IL code
4. Recompile to a new DLL (new version!)
5. Bypass the GAC strong name protection (very simple than expected)
6. Override the existing DLL with new one.

 A surprising fact is GAC does not perform any additional check for verifying strong name of a DLL when coping the modified framework DLL into the actual folder path.  For example, you can modify mscorlib.dll version 2.0 and place it  into c:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089.

What is .NET-Sploit?

A generic framework modification tool to inject code.  You can download at http://www.applicationsecurity.co.il/english/NETFrameworkRootkits/tabid/161/Default.aspx.