Summary:
Checkpoint has released details on a malware analysis technique using .NET managed hooking via the Harmony library.

For malware researchers, analysts, or reverse engineers, Checkpoint says the ability to alter the functionality of certain parts of code is a crucial step. Manipulating processes for code execution works well for non-managed native code, but becomes more challenging when dealing with managed code. By altering the functionality of managed code, specifically for applications that run on top of .NET, Checkpoint says the open-source library Harmony is the best option.

Harmony is an open source library for patching, replacing, and decorating .NET methods during runtime. “In some cases, it is possible to use other specific libraries and frameworks to modify the code of .NET Assemblies with direct patching or a complete rebuild of those files on disk, but such a solution is not always feasible. It becomes even less so as the logic of the original code becomes more fragile and sophisticated” (Checkpoint, 2024). Modifying code logic in memory during runtime, can help researchers dealing with protected and obfuscated malware samples, in which touching the disk could destroy the original structure, cause undesirable behavior, or change or create a loss of functionality.

Specifically, the researchers are using a technique to combine debugging and hooking using the Harmony library, which helps them bypass some obfuscated protections put in place by malware developers, including the common ConfuserEX2 obfuscator.

Security Officer Comments:
In their article, Checkpoint shows examples of using .NET hooking using the Harmony library and it’s internals to bypass malware obfuscation techniques. Checkpoints says their examples demonstrate how powerful .NET hooking can be and more importantly, how easy and straightforward it is to implement .NET instrumentation with the Harmony library.

“One of the main advantages of the .NET hooking is that it operates only on in-memory code, so it does not touch the files on disk in any way. This comes in very handy, especially in cases where we are dealing with dotnet malware protected by an obfuscator in a way that the deobfuscation via .NET Assembly rebuilding is time-consuming and needs to be done very carefully so as not to destroy the original structure, which can later lead to a complete loss of functionality” (Checkpoint, 2024). Checkpoint says an additional advantage to this technique is that it is not limited to the scope of one specific .NET Assembly, and can be used to alter all reference assemblies, even those that come with and build the .NET Runtime.

Checkpoints says their article which focuses on the basics of .NET hooking can help readers learn more about how to construct a shortcut for malware analysis in .NET Instrumentation, Tracing, and Deobfuscation.

Link(s):
https://research.checkpoint.com/2024/net-hooking-harmonizing-managed-territory/