.NET
Matthew Conover
May 2002
What is .NET?
• .NET = dumb name
• .NET is a framework
• .NET is OS- and platform-independent by specification
• .NET is language-neutral: any compiler that emits CIL and metadata can target it
• .NET specs are publicly available
Topics of Discussion
• Introduction to .NET
• Assemblies and Metadata
• Microsoft’s implementation of .NET
• .NET Hook Library (dotNetHookLibrary)
Introduction to .NET
• .NET Specifications
– Partition I – Architecture
– Partition II – Metadata
– Partition III – Common Intermediate Language
– Partition IV – Library
– Partition V – Annexes
– Class Library (XML specification)
Introduction to .NET
• Base Class Library (BCL)
– Shared among all languages
• Common Language Runtime (CLR)
– Hosts managed code
Introduction to .NET
Base Class Library
• Similar in role to Java’s core class libraries (java.lang, java.io, …)
• Used by all .NET applications
• Has classes for IO, threading, database, text, graphics,
console, sockets/web/mail, security, cryptography,
COM, run-time type discovery/invocation, assembly
generation
Introduction to .NET
• Common Language Runtime (CLR)
– Common Type System (CTS)
– Execution Engine (EE)
Introduction to .NET
Common Language Runtime
• Common Type System
– Specifies certain types required to be hosted by CLR
– Specifies rules for class, struct, enums, interface, delegate,
etc.
– Every type ultimately derives from System.Object; value types are boxed when treated as objects
Introduction to .NET
Common Language Runtime
• Execution Engine
– JIT-compiles Microsoft Intermediate Language (MSIL) into native code, one method at a time on first call
– Handles garbage collection
– Handles exceptions
– Enforces code access security (sandbox)
– Verifies that MSIL is type-safe before compiling it (verification can be skipped for fully trusted code)
• Managed vs. unmanaged code (unmanaged = native code the CLR does not control)
Introduction to .NET
Figure: loading flow. An Assembly (together with the BCL and any External Assembly it references) goes through the Class Loader, the JIT compiles its MSIL to Machine Code, and all of this happens inside the CLR.
Assemblies
• .NET Library/Executable (PE file format)
• Single-file or multi-file assemblies
• Modular design
– Addresses “DLL hell”: assemblies carry version information and are bound by name/version at runtime
– Locations resolved at runtime
• Components:
– Metadata
– MSIL (or native) code
Assemblies
Physical Layout of a Single-file Assembly (PE file)
MS-DOS header
PE header (data directory entry 14 gives the RVA and size of the CLI/.NET header)
PE section headers
.text section: code (CLI header, Metadata, MSIL method bodies, import table)
.rsrc or .data section: data
.reloc or .rdata section: relocations
Assemblies
• .NET Executable (PE file format)
• Single-file or multi-file assemblies
• Modular design
• Components:
– Metadata
– MSIL (or native) code
Assemblies
Metadata
• Contains all .NET application data (types, methods, signatures, names)
• Very revealing!
– Needed by the JIT to compile MSIL, so it must stay in the file
– Assembly can be precompiled into a native image
• Organized as streams (a.k.a. heaps): sections of related data
Assemblies
Metadata
Metadata Root Layout
Metadata header: Signature (0x424A5342, “BSJB”), major/minor version, version string, Flags
Stream count (n)
Stream header 1..n: data offset, stream size, name (variable length, NUL-terminated, padded to a 4-byte boundary)
Stream bodies 1..n
Assemblies
Streams
• #Strings (a.k.a. strings heap)
– NUL-terminated UTF-8 identifiers (type, method, field names) referenced by the tables
• #US (a.k.a. user strings heap)
– String literals used by the application at runtime (ldstr)
• #GUID
– Array of GUIDs (16 bytes each)
• #Blob
– Length-prefixed binary blobs: method signatures, custom attribute values, constants
• #~ or #-
– Contains the metadata tables (methods, fields, types, …); #~ is the compressed form compilers normally emit, #- the uncompressed form
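As an added example (not part of the original talk or the dotNetHook project), the following Python parses the metadata root and stream headers laid out above. It builds a constructed sample root to run against; the version string and the stream bodies in that sample are made up. In a real file the root is found through the CLI header’s MetaData directory, which is reached from PE data directory entry 14.

```python
import struct

CLI_METADATA_SIGNATURE = 0x424A5342   # "BSJB" read little-endian


def parse_metadata_root(md: bytes) -> dict:
    """Parse the CLI metadata root (ECMA-335 II.24.2.1): signature, version
    string, flags and the stream headers. Offsets are relative to the root."""
    signature, major, minor, _reserved, ver_len = struct.unpack_from("<IHHII", md, 0)
    if signature != CLI_METADATA_SIGNATURE:
        raise ValueError("not a CLI metadata root (bad signature)")
    # The version string field is ver_len bytes, NUL-padded to a 4-byte boundary.
    version = md[16:16 + ver_len].split(b"\0", 1)[0].decode("utf-8")
    pos = 16 + ((ver_len + 3) & ~3)
    flags, stream_count = struct.unpack_from("<HH", md, pos)
    pos += 4
    streams = {}
    for _ in range(stream_count):
        offset, size = struct.unpack_from("<II", md, pos)
        pos += 8
        end = md.index(b"\0", pos)             # name is NUL-terminated ...
        name = md[pos:end].decode("ascii")
        pos = (end + 1 + 3) & ~3               # ... and padded to a 4-byte boundary
        if offset + size > len(md):            # a hostile file can point outside the blob
            raise ValueError(f"stream {name} extends past the end of metadata")
        streams[name] = (offset, size)
    return {"version": f"{major}.{minor}", "version_string": version,
            "flags": flags, "streams": streams}


def stream_bytes(md: bytes, root: dict, name: str) -> bytes:
    """Return the body of one stream using the offsets parsed from the root."""
    offset, size = root["streams"][name]
    return md[offset:offset + size]


def build_sample_root() -> bytes:
    """Constructed sample, not taken from a real assembly: a root with the five
    standard streams and placeholder bodies (the #~ body here is just zero bytes)."""
    version = b"v1.0.3705\0"
    version += b"\0" * (-len(version) % 4)
    names = [b"#~", b"#Strings", b"#US", b"#GUID", b"#Blob"]
    bodies = [b"\0" * 24, b"\0Main\0\0\0", b"\0\0\0\0", b"\x11" * 16, b"\0\0\0\0"]
    header_len = 16 + len(version) + 4 + sum(8 + ((len(n) + 1 + 3) & ~3) for n in names)
    root = struct.pack("<IHHII", CLI_METADATA_SIGNATURE, 1, 1, 0, len(version)) + version
    root += struct.pack("<HH", 0, len(names))
    offset = header_len
    for name, body in zip(names, bodies):
        # Each header: offset, size, then the name NUL-terminated and padded to 4 bytes.
        root += struct.pack("<II", offset, len(body)) + name + b"\0" * (4 - len(name) % 4)
        offset += len(body)
    return root + b"".join(bodies)


if __name__ == "__main__":
    sample = build_sample_root()
    for name, (off, size) in parse_metadata_root(sample)["streams"].items():
        print(f"{name:<9} offset={off:<4} size={size}")
```

The bounds check on each stream header is the part a practitioner should keep: the offsets are attacker-controlled file data, and a reader that trusts them will read past the metadata blob.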
Assemblies
#~ and #- Stream
Tables header: reserved, major/minor version, HeapSizes (which heap indexes are 4 bytes instead of 2), reserved
Valid: 64-bit mask with one bit per table present (n tables)
Sorted: 64-bit mask of the tables that are sorted
Row count for each valid table 1..n (4 bytes each)
Tables 1..n, in table-number order
Assemblies
Tables in #~/#- Stream
• In a predefined order (by table number)
– MethodDef = table 6
– Param = table 8
• Each table contains rows of one specific kind
– MethodDef = method definitions
– TypeDef = type definitions
– AssemblyRef = assembly references
• Tables reference each other by row index
• Tables reference the heaps (#Strings, #Blob, #GUID) by offset
Assemblies
Sample - MethodDef Table (one row per method)
RVA: relative virtual address of the method body (0 when the method has no IL body)
ImplFlags: implementation flags (IL or native, managed or unmanaged, …)
Flags: method attributes (public, static, virtual, …)
Name: offset into #Strings
Signature: offset into #Blob
ParamList: index of the method’s first row in the Param table
Assemblies
Sample - Param Table and Method Signature
Param table row: Flags, Sequence number, Name (offset into #Strings)
Method signature blob (in #Blob): calling-convention flags, Parameter count, Return type, Parameter types
Assemblies
Sample - func(int arg)
MethodDef row “func”: Name → “func” in #Strings; Signature → the method signature in #Blob (return type, one int32 parameter); ParamList → the Param row “arg”
Param row “arg”: Name → “arg” in #Strings
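The #~ header, the MethodDef and Param tables and the func(int arg) walk-through above, as one added Python example (written for this page; not from the talk or from dotNetHook). It assumes a stream in which MethodDef (6) and Param (8) are the only tables numbered below 9, because locating a table requires the row sizes of every earlier table; the sample #~ stream and #Strings heap are constructed, and the blob indexes and RVAs in them are placeholders.

```python
import struct


def parse_tables_header(stream: bytes):
    """#~ stream header (ECMA-335 II.24.2.6): returns (heap_sizes, {table: rows},
    offset of the first table)."""
    _reserved, _major, _minor, heap_sizes, _reserved2 = struct.unpack_from("<IBBBB", stream, 0)
    valid, _sorted = struct.unpack_from("<QQ", stream, 8)
    rows, pos = {}, 24
    for table in range(64):                 # one row count per bit set in Valid, in table order
        if valid >> table & 1:
            rows[table] = struct.unpack_from("<I", stream, pos)[0]
            pos += 4
    return heap_sizes, rows, pos


def read_index(buf: bytes, pos: int, wide) -> tuple:
    """Heap and table indexes are 2 bytes unless HeapSizes or a large row count makes them 4."""
    if wide:
        return struct.unpack_from("<I", buf, pos)[0], pos + 4
    return struct.unpack_from("<H", buf, pos)[0], pos + 2


def read_string(strings: bytes, index: int) -> str:
    """#Strings entries are NUL-terminated UTF-8 at the given offset."""
    return strings[index:strings.index(b"\0", index)].decode("utf-8")


def parse_methoddef(tables: bytes, strings: bytes) -> list:
    """Walk MethodDef (table 6) and Param (table 8), resolving names via #Strings."""
    heap_sizes, rows, pos = parse_tables_header(tables)
    # Skipping a table needs its row size, so this example only handles streams
    # where MethodDef and Param are the first two tables present.
    if any(t < 8 and t != 6 for t in rows):
        raise NotImplementedError("tables before MethodDef/Param need their row schemas")
    wide_str, wide_blob = heap_sizes & 0x01, heap_sizes & 0x04
    wide_param = rows.get(8, 0) >= 0x10000
    methods = []
    for _ in range(rows.get(6, 0)):          # RVA, ImplFlags, Flags, Name, Signature, ParamList
        rva, impl_flags, flags = struct.unpack_from("<IHH", tables, pos)
        pos += 8
        name, pos = read_index(tables, pos, wide_str)
        sig, pos = read_index(tables, pos, wide_blob)
        param_list, pos = read_index(tables, pos, wide_param)
        methods.append({"rva": rva, "impl_flags": impl_flags, "flags": flags,
                        "name": read_string(strings, name), "sig_blob": sig,
                        "param_list": param_list})
    params = []
    for _ in range(rows.get(8, 0)):          # Flags, Sequence, Name
        _flags, _seq = struct.unpack_from("<HH", tables, pos)
        pos += 4
        name, pos = read_index(tables, pos, wide_str)
        params.append(read_string(strings, name))
    # ParamList is a 1-based index; a method's parameters run up to the next method's ParamList.
    for i, m in enumerate(methods):
        end = methods[i + 1]["param_list"] - 1 if i + 1 < len(methods) else len(params)
        m["params"] = params[m["param_list"] - 1:end]
    return methods


# Constructed sample heap: offsets func=1, arg=6, Main=10, args=15.
SAMPLE_STRINGS = b"\0func\0arg\0Main\0args\0"


def build_sample_tables() -> bytes:
    """Constructed #~ stream with two MethodDef rows and two Param rows (not real data)."""
    valid = (1 << 6) | (1 << 8)
    hdr = struct.pack("<IBBBBQQ", 0, 1, 0, 0, 1, valid, 0) + struct.pack("<II", 2, 2)
    methods = struct.pack("<IHHHHH", 0x2050, 0, 0x0086, 1, 10, 1)    # func(int32 arg)
    methods += struct.pack("<IHHHHH", 0x2070, 0, 0x0096, 10, 14, 2)  # static Main(string[] args)
    params = struct.pack("<HHH", 0, 1, 6) + struct.pack("<HHH", 0, 1, 15)
    return hdr + methods + params


if __name__ == "__main__":
    for m in parse_methoddef(build_sample_tables(), SAMPLE_STRINGS):
        print(f"RVA 0x{m['rva']:04X} {m['name']}({', '.join(m['params'])})")
```

The RVA column is what a hooking tool rewrites; the other columns are what a defender compares against a known-good copy to spot that rewrite.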
Assemblies
• .NET Executable (PE file format)
• Single-file or multi-file assemblies
• Components:
– Metadata
– MSIL (or native) code
Assemblies
MSIL
• Pseudo-assembly for a stack machine
– Compiled into native code by the JIT
– Object-“aware” intermediate language
– Examples: nop, break, ret, call, callvirt, newobj, newarr, add, mul, xor, arglist, sizeof, throw, dup (catch is an exception-clause keyword, not an opcode)
• Supports up to 512 opcodes
– One-byte opcodes, plus two-byte opcodes whose first byte is 0xFE
• All operations are stack-based: operands are pushed, instructions pop them
Assemblies
Call Stack
C#: ClassType a; a.func(1, 2)
MSIL: load a (the this pointer); ldc.i4.1; ldc.i4.2; call instance void ClassType::func(int32, int32)
Stack before the call, bottom to top: this pointer, 1, 2 (2 is the stack top)
Arguments are pushed left-to-right, after the this pointer.
Assemblies
MSIL encoding
ldc.i4.s 9 → bytes 1F 09 (opcode, then an 8-bit immediate)
call Print(Int32) → bytes 28 06 00 00 06 (opcode, then the 4-byte method token 0x06000006, little-endian)
• Uses “tokens” instead of pointers
Assemblies
Tokens
• A replacement for pointers
• References a row in a metadata table
• Layout: upper 8 bits = table number, lower 24 bits = row index (1-based)
– 0x06000006 = MethodDef table (0x06), row 6
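Added example (not from the original talk): a small Python decoder for the byte encoding and the token format shown on the two slides above, plus the call sequence from the Call Stack slide. The opcode table covers only a subset of CIL and rejects anything outside it; the sample byte strings are constructed, with the Print method token 0x06000006 taken from the slide.

```python
# One-byte opcodes: mnemonic and operand kind (subset of ECMA-335 Partition III).
OPCODES = {
    0x00: ("nop", None), 0x01: ("break", None),
    0x02: ("ldarg.0", None), 0x03: ("ldarg.1", None), 0x04: ("ldarg.2", None), 0x05: ("ldarg.3", None),
    0x06: ("ldloc.0", None), 0x07: ("ldloc.1", None), 0x0A: ("stloc.0", None), 0x0B: ("stloc.1", None),
    0x0E: ("ldarg.s", "u8"), 0x11: ("ldloc.s", "u8"), 0x13: ("stloc.s", "u8"),
    0x16: ("ldc.i4.0", None), 0x17: ("ldc.i4.1", None), 0x18: ("ldc.i4.2", None),
    0x1F: ("ldc.i4.s", "i8"), 0x20: ("ldc.i4", "i32"),
    0x25: ("dup", None), 0x26: ("pop", None), 0x28: ("call", "tok"), 0x2A: ("ret", None),
    0x2B: ("br.s", "br8"), 0x2C: ("brfalse.s", "br8"), 0x2D: ("brtrue.s", "br8"), 0x38: ("br", "br32"),
    0x58: ("add", None), 0x59: ("sub", None), 0x5A: ("mul", None), 0x61: ("xor", None),
    0x6F: ("callvirt", "tok"), 0x72: ("ldstr", "tok"), 0x73: ("newobj", "tok"),
    0x7A: ("throw", None), 0x8D: ("newarr", "tok"), 0xDE: ("leave.s", "br8"),
}
# Two-byte opcodes: first byte 0xFE, second byte indexes this table.
OPCODES_FE = {
    0x00: ("arglist", None), 0x01: ("ceq", None), 0x06: ("ldftn", "tok"),
    0x09: ("ldarg", "u16"), 0x0C: ("ldloc", "u16"), 0x0E: ("stloc", "u16"),
    0x15: ("initobj", "tok"), 0x1A: ("rethrow", None), 0x1C: ("sizeof", "tok"),
}
OPERAND_SIZE = {"i8": 1, "u8": 1, "br8": 1, "u16": 2, "i32": 4, "br32": 4, "tok": 4}

# Token table numbers: metadata tables, plus 0x70 for user-string tokens (ldstr).
TOKEN_TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef",
                0x0A: "MemberRef", 0x1B: "TypeSpec", 0x2B: "MethodSpec", 0x70: "#US string"}


def decode_token(token: int) -> tuple:
    """Split a 32-bit token into (table name, 1-based row index)."""
    table, rid = token >> 24, token & 0x00FFFFFF
    return TOKEN_TABLES.get(table, f"table 0x{table:02X}"), rid


def format_token(token: int) -> str:
    name, rid = decode_token(token)
    return f"0x{token:08X} ({name} row {rid})"


def disassemble(code: bytes) -> list:
    """Return [(offset, mnemonic, operand_text)] for a flat IL byte string."""
    out, pos = [], 0
    while pos < len(code):
        start, b = pos, code[pos]
        pos += 1
        if b == 0xFE:                       # two-byte opcode
            entry = OPCODES_FE.get(code[pos])
            pos += 1
        else:
            entry = OPCODES.get(b)
        if entry is None:
            raise ValueError(f"opcode at IL_{start:04X} is not in this example's table")
        mnemonic, kind = entry
        if kind is None:
            out.append((start, mnemonic, ""))
            continue
        raw = code[pos:pos + OPERAND_SIZE[kind]]
        pos += OPERAND_SIZE[kind]
        if kind == "tok":
            text = format_token(int.from_bytes(raw, "little"))
        elif kind in ("br8", "br32"):       # branch targets are relative to the next instruction
            text = f"IL_{pos + int.from_bytes(raw, 'little', signed=True):04X}"
        else:
            text = str(int.from_bytes(raw, "little", signed=kind in ("i8", "i32")))
        out.append((start, mnemonic, text))
    return out


# Constructed samples: the slide's "ldc.i4.s 9; call Print(Int32)" plus a ret, and the
# Call Stack slide's a.func(1, 2) with a made-up token 0x06000003 for func.
SAMPLE_PRINT = bytes.fromhex("1F 09 28 06 00 00 06 2A")
SAMPLE_CALL = bytes.fromhex("06 17 18 28 03 00 00 06")

if __name__ == "__main__":
    for off, mn, operand in disassemble(SAMPLE_PRINT) + disassemble(SAMPLE_CALL):
        print(f"IL_{off:04X}: {mn} {operand}")
```

Because tokens are table/row pairs rather than addresses, a decoder needs the metadata tables to say what `call 0x06000006` actually calls; the bytes alone only tell you it is MethodDef row 6.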
Assemblies
MSIL Samples
• ld = load on stack, st = store from stack
• stloc
– Stores a value from the stack into local variable
• ldarg
– Puts an argument on the stack
• ldelem
– Puts the value of an array element on the stack
Microsoft’s .NET Implementation
• File locations
• System libraries
• .NET application flow
Microsoft’s .NET Implementation
File Locations
• Framework: %SystemRoot%\Microsoft.NET
• Global Assembly Cache (GAC):
%SystemRoot%\Assembly +
– \GAC
– \NativeImages*
Microsoft’s .NET Implementation
• File locations
• System libraries
• .NET application flow
Microsoft’s .NET Implementation
System Libraries
• mscoree.dll (shim: exports _CorExeMain, selects and loads the runtime)
• mscorwks.dll (the execution engine proper; does most initialization)
• mscorjit.dll (contains the JIT compiler)
• mscorlib.dll (core of the BCL)
• fusion.dll (assembly binding and GAC lookup)
Microsoft’s .NET Implementation
System Libraries
Figure: mscoree.dll loads mscorwks.dll, which in turn loads fusion.dll, mscorlib.dll and mscorjit.dll.
Microsoft’s .NET Implementation
• File locations
• System libraries
• .NET application flow
3
Microsoft’s .NET Implementation
.NET Application Flow
Figure: the application’s PE entry point → mscoree.dll!_CorExeMain → mscorwks.dll!_CorExeMain → CoInitializeEE → … → Main
Microsoft’s .NET Implementation
.NET Application Flow
• The PE entry point jumps to _CorExeMain (mscoree.dll)
• That shim calls _CorExeMain in mscorwks.dll
• _CorExeMain calls CoInitializeEE
• CoInitializeEE calls:
– EEStartup (runtime initialization)
– ExecuteEXE (load and run the assembly)
EEStartup
• GCHeap.Initialize
• ECall.Init
– SetupGenericPInvokeCalliStub
– PInvokeCalliWorker
• NDirect.Init
• UMThunkInit.UMThunkInit
• COMDelegate.Init
• ExecutionManager.Init
• COMNlsInfo.InitializeNLS
EEStartup (cont.)
• Security::Start
• SystemDomain.Init
• SystemDomain.NotifyProfilerStartup (ICorProfiler)
• SystemDomain.NotifyNewDomainLoads
• SystemDomain.PublishAppDomainAndInformDebugger (ICorPublish/ICorDebug)
SystemDomain.Init
• LoadBaseSystemClasses
• SystemDomain.CreatePreallocatedExceptions
LoadBaseSystemClasses
• SystemDomain.LoadSystemAssembly
– Loads mscorlib.dll
• Binder::StartupMscorlib
• Binder::FetchClass(OBJECT)
• MethodTable::InitForFinalization
• InitJITHelpers2
• Binder::FetchClass(VALUE)
• Binder::FetchClass(ARRAY)
LoadBaseSystemClasses
• Binder.FetchType(OBJECT_ARRAY)
• Binder.FetchClass(STRING)
• Binder.FetchClass(ENUM)
• Binder.FetchClass(ExceptionClass)
• Binder.FetchClass(OutOfMemoryExceptionClass)
• Binder.FetchClass(StackOverflowExceptionClass)
LoadBaseSystemClasses
• Binder.FetchClass(ExecutionEngineExceptionClass)
• Binder.FetchClass(DelegateClass)
• Binder.FetchClass(MultiDelegateClass)
.NET Application Flow
• Jumps to _CorExeMain (mscoree)
• Calls _CorExeMain in mscorwks.dll
• _CorExeMain calls CoInitializeEE
• CoInitializeEE calls:
– EEStartup
– ExecuteEXE
ExecuteEXE
• StrongNameSignatureVerification
– In mscorsn.dll
• PEFile::Create
– Loads executable
• ExecuteMainMethod
• FusionBind.CreateFusionName
• Assembly.ExecuteMainMethod
ExecuteMainMethod
• Thread.EnterRestrictedContext
• PEFile::GetMDImport
• SystemDomain.SetDefaultDomainAttributes
– Sets entry point
• SystemDomain.InitializeDefaultDomain
• BaseDomain.LoadAssembly
ExecuteEXE
• StrongNameSignatureVerification
– In mscorsn.dll
• PEFile::Create
– Loads executable
• ExecuteMainMethod
• FusionBind.CreateFusionName
• Assembly.ExecuteMainMethod
Assembly.ExecuteMainMethod
• Assembly::GetEntryPoint
• ClassLoader::ExecuteMainMethod
– EEClass::FindMethod(entry point token)
EEClass.FindMethod
• ValidateMainMethod
• CorCommandLine.GetArgvW
• MethodDesc.Call
– MethodDesc.IsRemotingIntercepted
– MethodDesc.CallDescr calls MethodDesc.CallDescrWorker
– CallDescrWorker calls Main()
.NET Application
• Main() still has to be compiled when it is first called
• Its entry point initially points at a prestub, so the first call lands in PreStubWorker (mscorwks)
• PreStubWorker
– JIT-compiles the method being called (one method at a time, on first call, not all at once)
– Calls MethodDesc.DoPrestub
MethodDesc.DoPrestub
• MethodDesc.GetSecurityFlags
• MethodDesc.GetUnsafeAddrofCode
• MethodDesc.GetILHeader
• MethodDesc.GetRVA
• COR_DECODE_METHOD
– Decode tiny/fat format
• Security._CanSkipVerification
MethodDesc.DoPrestub (cont.)
• EEConfig.ShouldJitMethod
• MakeJitWorker
– JITFunction
JITFunction
• ExecutionManager::GetJitForType
– EEJitManager::LoadJIT
– Loads mscorjit.dll (in LoadJIT)
– Calls getJit in mscorjit (in LoadJIT)
• CallCompileMethodWithSEHWrapper
– Debugger.JitBeginning
– CILJit.compileMethod
– Debugger.JitComplete
CILJit.compileMethod
• Calls jitNativeCode
• jitNativeCode
– Compiler.compInit
– Compiler.compCompile
Compiler.compCompile
• Compiler.eeGetMethodClass
• Compiler.eeGetClassAttribs
• emitter.emitBegCG
• Compiler.eeGetMethodAttribs
• Compiler.compInitDebuggingInfo
• Compiler.genGenerateCode
• emitter.emitEndCG
Compiler.genGenerateCode
• emitter.emitBegFN
• Compiler.genCodeForBBlist
• Compiler.genFnProlog
• Compiler.genFnEpilog
• emitter.emitEndCodeGen
• Compiler.gcInfoBlockHdrSave
• emitter.emitEndFN
.NET Hook – What It Is
• An API for hooking .NET assemblies
• Includes a sample application that will insert a NOP into
all “interesting” methods
.NET Hook – What It Does
• Reads through method table
• Reads method
– Parses header, code, EH data
• Hooks interesting functions
– Inserts hooking code at the front of a copy of the method
– Appends the patched copy to the end of the .text section
• Updates the PE and section headers for the larger .text section
• Repoints the method’s RVA in the MethodDef table to the copy
.NET Hook - API
• Load(string AssemblyName)
• Hook(HookedFunction Function)
• Save()
.NET Hook - Hook
• Specifies a callback function
• Callback function receives a HookedFunction
.NET Hook - HookedFunction
• Name (e.g., “Main”)
• FullName (e.g., “void Class1::Main(string[] args)”)
• DeclaringTypeName (e.g., “Class1”)
• ReturnType (e.g., “void”)
• Parameters[] (includes name and type)
• Header[] and HeaderSize
• Code[] and CodeSize
• EHData[] and EHSize
.NET Hook
Hooked Assembly layout of the .text section
Original functions
Metadata (references both the original and the hooked functions)
Import Address Table (end of the old .text section)
Hooked functions (end of the new .text section)
Assemblies
Hooked Method
In the MethodDef table entry only the RVA changes, from the original method to the hooked method; the implementation flags, method flags, method name offset, signature offset and parameters index are left untouched.
.NET Hook
Tiny Method Body
• Header size = 1 byte (low 2 bits = 0x2 for tiny format, upper 6 bits = code size)
• Used when:
– Code size < 64 bytes
– Maximum stack depth is at most 8
– The method has no local variables
– No exception handling clauses
Layout: Header (flags and code size), then Method body (MSIL)
.NET Hook
Hooked Tiny Method
Header (flags and code size): updated
Hooking code (MSIL): inserted
Method body (MSIL): unchanged
.NET Hook
Fat Method
Header size = 12 bytes (the size field counts 4-byte words, so it holds 3)
Flags (low 12 bits of the first 2 bytes: 0x3 = fat format, 0x8 = more sections follow, 0x10 = init locals)
Header size (upper 4 bits of the first 2 bytes)
Max. stack size (2 bytes)
Code size (4 bytes)
Local var. signature token (4 bytes): describes the local variables
Method body (MSIL)
Extra data sections (4-byte aligned after the code): currently only used for exception handling clauses
.NET Hook
Hooked Fat Method
Flags: unchanged (more-sections bit kept)
Header size: unchanged
Max. stack size: raised if the hooking code needs more
Code size: updated
Local var. signature: unchanged
Hooking code (MSIL): inserted
Method body (MSIL): unchanged (branches inside it are relative)
Extra data sections: updated (try and handler offsets are absolute and shift by the size of the inserted code)
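Added example covering the tiny and fat method-body headers and the hooked layouts above (Python written for this page; not dotNetHook’s own code). Given a method body, it inserts hooking IL at the front, rewrites the header, promotes a tiny body to the fat format when the result no longer fits, and shifts the absolute try/handler offsets in the exception-handling section, which is the “don’t break exception handling” item from the next-steps slide. The sample body, its TypeRef token 0x01000001 and the hook call token 0x0600000A are constructed; placing the new body at the end of .text and repointing the MethodDef RVA is left to the caller.

```python
import struct

# CorILMethod header flags (ECMA-335 II.25.4) and extra-section kinds.
TINY, FAT, MORE_SECTS = 0x2, 0x3, 0x8
SECT_EHTABLE, SECT_FATFORMAT, SECT_MORESECTS = 0x01, 0x40, 0x80
CLAUSE_FILTER = 0x0001            # last clause field is a filter IL offset, not a class token


def eh_clauses(sections: bytes) -> list:
    """Decode EH clauses as (flags, try_off, try_len, handler_off, handler_len, token_or_filter)."""
    clauses, pos = [], 0
    while pos < len(sections):
        kind = sections[pos]
        if not kind & SECT_EHTABLE:
            raise ValueError("only EH table sections are defined")
        if kind & SECT_FATFORMAT:                     # 3-byte size, 24-byte clauses
            size = int.from_bytes(sections[pos + 1:pos + 4], "little")
            for c in range(pos + 4, pos + size, 24):
                clauses.append(struct.unpack_from("<IIIIII", sections, c))
        else:                                         # 1-byte size, 12-byte clauses
            size = sections[pos + 1]
            for c in range(pos + 4, pos + size, 12):
                clauses.append(struct.unpack_from("<HHBHBI", sections, c))
        if not kind & SECT_MORESECTS:
            break
        pos += size
    return clauses


def encode_eh(clauses: list) -> bytes:
    """Re-encode clauses as one EH section, small if every field fits, else fat."""
    if not clauses:
        return b""
    small = len(clauses) <= 20 and all(to < 0x10000 and ho < 0x10000 and tl < 0x100 and hl < 0x100
                                       for _, to, tl, ho, hl, _ in clauses)
    if small:
        out = bytes([SECT_EHTABLE, len(clauses) * 12 + 4, 0, 0])
        return out + b"".join(struct.pack("<HHBHBI", *c) for c in clauses)
    out = bytes([SECT_EHTABLE | SECT_FATFORMAT]) + (len(clauses) * 24 + 4).to_bytes(3, "little")
    return out + b"".join(struct.pack("<IIIIII", *c) for c in clauses)


def parse_method_body(body: bytes) -> dict:
    """Decode a tiny or fat method body into header fields, IL code and EH clauses."""
    if body[0] & 0x3 == TINY:
        size = body[0] >> 2                           # upper 6 bits: code size (< 64)
        return {"flags": 0, "max_stack": 8, "local_sig_tok": 0,
                "code": body[1:1 + size], "clauses": []}
    flags_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", body, 0)
    flags, hdr = flags_size & 0x0FFF, (flags_size >> 12) * 4   # header size is in dwords
    if flags & 0x3 != FAT:
        raise ValueError("unknown method header format")
    clauses = []
    if flags & MORE_SECTS:                            # sections start at the next 4-byte boundary
        clauses = eh_clauses(body[(hdr + code_size + 3) & ~3:])
    return {"flags": flags, "max_stack": max_stack, "local_sig_tok": local_sig,
            "code": body[hdr:hdr + code_size], "clauses": clauses}


def hook_method_body(body: bytes, prefix: bytes, prefix_max_stack: int = 0) -> bytes:
    """Prepend `prefix` to the method's IL and rewrite the header so CodeSize and every
    absolute EH offset stay correct. Branches in the original code are relative and need
    no fixing; the prefix itself must leave the evaluation stack balanced."""
    m = parse_method_body(body)
    code, d = prefix + m["code"], len(prefix)
    clauses = [(f, to + d, tl, ho + d, hl, tok + d if f == CLAUSE_FILTER else tok)
               for f, to, tl, ho, hl, tok in m["clauses"]]
    max_stack = max(m["max_stack"], prefix_max_stack)
    if len(code) < 64 and not clauses and max_stack <= 8 and m["local_sig_tok"] == 0:
        return bytes([(len(code) << 2) | TINY]) + code          # still fits the tiny format
    flags = (m["flags"] & ~0xB) | FAT | (MORE_SECTS if clauses else 0)
    out = struct.pack("<HHII", flags | (3 << 12), max_stack, len(code), m["local_sig_tok"]) + code
    if clauses:
        out += b"\0" * (-len(out) % 4) + encode_eh(clauses)
    return out


# Constructed sample (not from a real assembly): a fat method with one try/catch.
#   IL: 0: nop  1: nop  2: leave.s 7 | catch: 4: pop  5: leave.s 7 | 7: ret
SAMPLE_CODE = bytes.fromhex("00 00 DE 03 26 DE 00 2A")
SAMPLE_EH = encode_eh([(0, 0, 4, 4, 3, 0x01000001)])   # try [0,4), handler [4,7), catch TypeRef 1
SAMPLE_BODY = struct.pack("<HHII", FAT | MORE_SECTS | (3 << 12), 1, len(SAMPLE_CODE), 0) + SAMPLE_CODE + SAMPLE_EH
HOOK_PREFIX = bytes.fromhex("28 0A 00 00 06")          # call MethodDef row 10: assumed static void, no args

if __name__ == "__main__":
    hooked = parse_method_body(hook_method_body(SAMPLE_BODY, HOOK_PREFIX))
    print("code:", hooked["code"].hex(" "), "clauses:", hooked["clauses"])
```

The small EH format only has 16-bit offsets and 8-bit lengths, so a hook that grows a large method can push a clause past those limits; re-encoding through `encode_eh` promotes the section to the fat format instead of silently truncating.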
.NET Hook Demo
.NET Hook - Next Steps
• Better type handling
• Don’t break exception handling
• More developers needed
Summary
• .NET Framework is made up of BCL & CLR
• .NET applications stored in assemblies
• .NET Hook manipulates assemblies
• Assemblies contain Metadata & MSIL code
• Metadata contains streams
• The #~/#- stream contains tables
• Tables contain the important stuff
More Information
• .NET Specifications:
– http://msdn.microsoft.com/net/ecma
• SSCLI and .NET Framework SDK
– http://msdn.microsoft.com/netframework/
• .NET Hook
– http://dotnethook.sourceforge.net
Acknowledgements
• Entercept’s Ricochet Team
– http://www.entercept.com/ricochet
• w00w00
– http://www.w00w00.org