Monday, September 28, 2009

frameSafe

A cute byproduct of the .Net framework rootkit development that has been going on is a new little child called 'frameSafe', the first (to my knowledge) framework rootkit detection kit. Currently no research into identification is being done, but the .Net sploit packages will be detected. The base idea is to secure the set of libraries the tool itself needs to run by re-signing them and including them in the release; this prevents the framework-based tool from being injected in the same way. Next, the tool hashes a known-good set of framework DLLs. This hashing is the in-house step, done prior to distribution to the world.

Once those .Net Framework DLLs are hashed and signed, the hashes are placed in a descriptive manifest along with each DLL's version number and whether or not a native image should exist in the native images (non-JIT) location. The ILASM output of each DLL is also hashed and signed into this manifest. Now we have a hashed/signed snapshot of the framework assemblies and their layout. The tool can then scan for changes in the framework and, if any are detected, compare the current IL with the stored (known-good) IL. This gives us a snippet of ASM that can help in determining the version of a specific infection (within reason).
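The baseline-and-scan workflow above, as an added example that is not frameSafe's own code: a small Python script that hashes a known-good set of assemblies together with their IL disassembly, records version and native-image expectations in a manifest, authenticates the manifest, and then scans a current snapshot for deviations. The "assemblies" are constructed in-memory byte strings, the IL is constructed text, and an HMAC key (`KEY`) stands in for the real signing step; all names, versions and contents are assumptions made for the example.

```python
"""Integrity baseline for a set of assemblies, in the spirit of frameSafe.

Example code, not frameSafe's own. The assemblies, IL text, versions and the
HMAC key below are constructed for the demo; a real deployment would hash the
files on disk and use a proper signature over the manifest.
"""
import hashlib
import hmac
import json

KEY = b"demo-manifest-key"  # constructed stand-in for the signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(assemblies: dict, key: bytes) -> dict:
    """assemblies: name -> {"bytes", "il", "version", "native_image"}.
    Records file hash, IL hash, version and whether a native image is expected,
    then authenticates the entries with an HMAC (the 'signing' step)."""
    entries = {}
    for name, info in sorted(assemblies.items()):
        entries[name] = {
            "sha256": sha256_hex(info["bytes"]),
            "il_sha256": sha256_hex(info["il"].encode("utf-8")),
            "version": info["version"],
            "native_image_expected": info["native_image"],
        }
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"entries": entries, "signature": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose entries were altered after signing."""
    body = json.dumps(manifest["entries"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def scan(manifest: dict, current: dict, native_images_present: set) -> list:
    """Compare a current snapshot against the baseline.
    Returns sorted (assembly, finding) tuples; an empty list means no change."""
    findings = []
    entries = manifest["entries"]
    for name, base in entries.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        info = current[name]
        if sha256_hex(info["bytes"]) != base["sha256"]:
            findings.append((name, "file_modified"))
        if sha256_hex(info["il"].encode("utf-8")) != base["il_sha256"]:
            findings.append((name, "il_modified"))
        if info["version"] != base["version"]:
            findings.append((name, "version_changed"))
        has_native = name in native_images_present
        if base["native_image_expected"] and not has_native:
            findings.append((name, "native_image_missing"))
        if not base["native_image_expected"] and has_native:
            findings.append((name, "unexpected_native_image"))
    for name in current:
        if name not in entries:
            findings.append((name, "unknown_assembly"))
    return sorted(findings)


def il_diff(baseline_il: str, current_il: str) -> list:
    """IL lines present now but absent from the stored known-good IL: the
    snippet an analyst would look at to characterise the change."""
    base_lines = set(baseline_il.splitlines())
    return [ln for ln in current_il.splitlines() if ln not in base_lines]


# Constructed known-good snapshot (contents and versions are made up).
GOOD = {
    "mscorlib.dll": {"bytes": b"MZ\x90\x00 good mscorlib image",
                     "il": ".method public static void A() {\n  ret\n}",
                     "version": "2.0.0.0", "native_image": True},
    "System.dll": {"bytes": b"MZ\x90\x00 good System image",
                   "il": ".method public static void B() {\n  ret\n}",
                   "version": "2.0.0.0", "native_image": False},
}

# Constructed current snapshot: System.dll changed, an extra assembly appeared.
CURRENT = dict(GOOD)
CURRENT["System.dll"] = {"bytes": b"MZ\x90\x00 altered System image",
                         "il": ".method public static void B() {\n"
                               "  call void Extra::Init()\n  ret\n}",
                         "version": "2.0.0.0", "native_image": False}
CURRENT["Extra.dll"] = {"bytes": b"MZ extra", "il": "", "version": "1.0.0.0",
                        "native_image": False}


def run_demo() -> dict:
    """Build the baseline from GOOD, then scan CURRENT against it."""
    manifest = build_manifest(GOOD, KEY)
    if not verify_manifest(manifest, KEY):
        raise RuntimeError("manifest signature check failed")
    findings = scan(manifest, CURRENT, {"mscorlib.dll", "System.dll"})
    diff = il_diff(GOOD["System.dll"]["il"], CURRENT["System.dll"]["il"])
    return {"findings": findings, "il_diff": diff}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The scan deliberately reports file-hash and IL-hash changes separately: a rebuilt but semantically identical assembly shows as `file_modified` only, whereas injected code also trips `il_modified`, and `il_diff` then isolates the new lines for inspection.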

So that's it, expect a release of the first version to sourceforge in a week or so.
