Post on 02-Jun-2018
transcript
8/10/2019 Synapseindia Dot Net Development-Implementation

Slide 1: Dot NET Implementation

Slide 4: Introduction to .NET
  .NET CLI specifications (ECMA)
    Partition I: Architecture
    Partition II: Metadata
    Partition III: CIL
    Partition IV: Library
    Partition V: Annexes
  Class Library (XML specification)

Slide 5: Introduction to .NET
  Base Class Library (BCL), shared among all languages
  Common Language Runtime (CLR)
    Common Type System (CTS)
    Common Language Specification (CLS)
    Execution Engine

Slide 7: Common Language Runtime
  Common Type Specification
    Specifies certain types required to be hosted by the CLR
    Specifies rules for classes, structures, enumerations, interfaces, delegates, etc.
    Everything is actually an object

Slide 8: Common Language Runtime
  Execution Engine
    Handles object layout/references
    Handles garbage collection (managed heap)
    Enforces code access security
    Handles verification: safe methods can only do safe things
    Compiles MSIL (bytecode) into native code

Slide 9: Common Language Runtime
  [Diagram of the CLR with the labels: BCL; Assembly; External Assembly; Class Loader; JIT; Machine Code; Execution Engine]

Slide 10: Assemblies
  Single-file or multi-file assemblies
  Components:
    Manifest
    Metadata
    MSIL (or native) code
    Resources

Slide 11: Manifest
  Defines the assembly:
    Strong name
    Files in the assembly
    Type references
    Referenced assemblies

Slide 12: Metadata
  Contains all .NET data
  Streams: #Strings, #Blob, #GUID, #US, #- or #~
  Tables (stored in #- or #~), in a predefined order, e.g. MethodDef, AssemblyRef, Constant
Slide 13: Metadata
  [Layout diagram]
  Metadata header: signature, version, flags, stream count
  Stream header 1, stream header 2, ...: data offset, stream size, name
  Stream bodies

Slide 14: #~ and #- Stream
  [Layout diagram]
  Tables header: version, heap sizes, valid tables, sorted tables, one table row count per valid table
  Table bodies: valid table 1, valid table 2, ...
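The layout of the two slides above in code, as an added example that is not from the slides or from Synapseindia: a Python reader for the metadata root header, its stream headers and the #~ tables header, following ECMA-335 Partition II (sections 24.2.1, 24.2.2 and 24.2.6). The blob it parses is constructed inside the script (the version string, the five streams and the five valid tables with their row counts are all made up), so it runs offline; the table-name map covers only a handful of table numbers.

```python
"""Minimal reader for the CLI metadata root, stream headers and the #~ tables header.

Added example (not from the original slides). Layout follows ECMA-335
Partition II, sections 24.2.1 (metadata root), 24.2.2 (stream headers) and
24.2.6 (#~ stream). The blob parsed here is constructed in build_sample_metadata().
"""
import struct

METADATA_SIGNATURE = 0x424A5342  # "BSJB" when read as little-endian bytes

# Table number -> name for the tables this example uses (ECMA-335 II.22).
TABLE_NAMES = {0x00: "Module", 0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field",
               0x06: "MethodDef", 0x08: "Param", 0x0B: "Constant", 0x23: "AssemblyRef"}


def _read_padded_name(data, pos):
    """Read a NUL-terminated ASCII stream name; names are padded to a 4-byte boundary."""
    end = data.index(b"\x00", pos)
    name = data[pos:end].decode("ascii")
    return name, (end + 1 + 3) & ~3


def parse_metadata_root(data):
    """Return version, flags and {stream name: (offset, size)} from the metadata root."""
    sig, major, minor, _reserved, version_len = struct.unpack_from("<IHHII", data, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("bad metadata signature 0x%08X" % sig)
    pos = 16
    # version_len is already rounded up to a multiple of 4 and includes the NUL
    version = data[pos:pos + version_len].split(b"\x00", 1)[0].decode("utf-8")
    pos += version_len
    flags, stream_count = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = {}
    for _ in range(stream_count):
        offset, size = struct.unpack_from("<II", data, pos)
        name, pos = _read_padded_name(data, pos + 8)
        streams[name] = (offset, size)  # offsets are relative to the metadata root
    return {"version": version, "major": major, "minor": minor,
            "flags": flags, "streams": streams}


def parse_tables_header(data, offset):
    """Decode the #~/#- header: heap index sizes, Valid/Sorted masks and row counts."""
    _res, major, minor, heap_sizes, _res2, valid, sorted_mask = \
        struct.unpack_from("<IBBBBQQ", data, offset)
    pos = offset + 24
    rows = {}
    for table in range(64):  # one 4-byte row count per set bit in Valid, in table order
        if valid & (1 << table):
            (count,) = struct.unpack_from("<I", data, pos)
            pos += 4
            rows[TABLE_NAMES.get(table, "Table0x%02X" % table)] = count
    return {"major": major, "minor": minor,
            "string_index_size": 4 if heap_sizes & 0x01 else 2,
            "guid_index_size": 4 if heap_sizes & 0x02 else 2,
            "blob_index_size": 4 if heap_sizes & 0x04 else 2,
            "sorted": sorted_mask, "rows": rows,
            "tables_offset": pos}  # where the table bodies start


def build_sample_metadata():
    """Construct a small metadata blob (root, five stream headers, #~ header, dummy bodies)."""
    version = b"v4.0.30319\x00"
    version += b"\x00" * (-len(version) % 4)  # 11 bytes -> 12
    root = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(version)) + version
    valid = (1 << 0x00) | (1 << 0x01) | (1 << 0x02) | (1 << 0x06) | (1 << 0x08)
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0)
    tables += struct.pack("<5I", 1, 3, 2, 5, 4)  # Module, TypeRef, TypeDef, MethodDef, Param
    headers = [(b"#~", len(tables)), (b"#Strings", 64), (b"#US", 16),
               (b"#GUID", 16), (b"#Blob", 32)]
    body_offset = len(root) + 4 + sum(8 + ((len(n) + 1 + 3) & ~3) for n, _ in headers)
    blob = root + struct.pack("<HH", 0, len(headers))
    bodies = b""
    for name, size in headers:
        blob += struct.pack("<II", body_offset, size) + name + b"\x00"
        blob += b"\x00" * (-(len(name) + 1) % 4)
        bodies += tables if name == b"#~" else b"\x00" * size
        body_offset += size
    return blob + bodies


if __name__ == "__main__":
    blob = build_sample_metadata()
    root = parse_metadata_root(blob)
    print(root["version"], root["streams"])
    print(parse_tables_header(blob, root["streams"]["#~"][0])["rows"])
```

The HeapSizes bits matter for everything that follows: they decide whether offsets into #Strings, #GUID and #Blob in the table rows (such as the MethodDef name and signature columns on the next slides) are 2 or 4 bytes wide, so a row parser must read this header before it can size a single row.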
Slide 15: MethodDef Table (0x06)
  RVA: offset to the method body
  Implementation flags
  Method flags
  Method name: offset into #Strings
  Signature: offset into #Blob
  Parameters: index into the Param table (0x08)

Slide 16: MethodDef Table (0x06) (cont.)
  Param Table (0x08)
    Flags
    Sequence number
    Parameter name: offset into #Strings
  Signature Blob
    Flags
    Parameter count
    Return type
    Parameter types

Slide 17: MSIL
  Pseudo-assembly: nop, break, ret, call, callvirt, newobj, newarr, add, mul, xor, arglist, sizeof, throw, catch, dup
  0xFE = first byte of two-byte opcodes
  Uses tokens instead of offsets/pointers
  All calls are stack based
    this pointer passed as first argument
    Arguments passed left-to-right by default
    varargs passes an extra signature

Slide 20: MSIL Samples
  Ldloc: puts the value of a local variable on the stack
  Ldarg: puts an argument on the stack
  Ldlen: puts the length of an array on the stack
  Ldelem: puts the value of an array element on the stack
  Ld*a: puts the address of something on the stack

Slide 21: MSIL Samples (cont.)
  Brtrue: branch to target if the value on the stack is true
  Dup: duplicate the value on top of the stack
  Ldnull: puts a null value on the stack
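The opcode encoding described on the MSIL slides, as an added example that is not from the slides: a small table-driven MSIL decoder in Python covering a subset of the listed instructions, the 0xFE two-byte prefix, 4-byte metadata tokens (table number in the top byte, row id below) and relative branch targets. The opcode numbers are the ECMA-335 Partition III encodings; the IL byte string and the token values in it are constructed for the example.

```python
"""Table-driven MSIL decoder for a subset of opcodes.

Added example (not from the original slides). Opcode values are the ECMA-335
Partition III encodings; 0xFE introduces a two-byte opcode, call-style operands
are 4-byte metadata tokens (table number in the top byte), and branch operands
are signed offsets relative to the next instruction. SAMPLE_IL is constructed.
"""

# opcode -> (mnemonic, operand kind). Operand kinds: None, "u1", "i1", "u2",
# "i4", "token", "b1" (1-byte branch), "b4" (4-byte branch).
ONE_BYTE = {
    0x00: ("nop", None), 0x01: ("break", None),
    0x02: ("ldarg.0", None), 0x03: ("ldarg.1", None),
    0x06: ("ldloc.0", None), 0x07: ("ldloc.1", None),
    0x0A: ("stloc.0", None), 0x0B: ("stloc.1", None),
    0x0E: ("ldarg.s", "u1"), 0x11: ("ldloc.s", "u1"), 0x12: ("ldloca.s", "u1"),
    0x14: ("ldnull", None), 0x16: ("ldc.i4.0", None), 0x17: ("ldc.i4.1", None),
    0x1F: ("ldc.i4.s", "i1"), 0x20: ("ldc.i4", "i4"),
    0x25: ("dup", None), 0x26: ("pop", None),
    0x28: ("call", "token"), 0x2A: ("ret", None),
    0x2B: ("br.s", "b1"), 0x2C: ("brfalse.s", "b1"), 0x2D: ("brtrue.s", "b1"),
    0x38: ("br", "b4"), 0x39: ("brfalse", "b4"), 0x3A: ("brtrue", "b4"),
    0x58: ("add", None), 0x5A: ("mul", None), 0x61: ("xor", None),
    0x6F: ("callvirt", "token"), 0x73: ("newobj", "token"), 0x7A: ("throw", None),
    0x8D: ("newarr", "token"), 0x8E: ("ldlen", None), 0x8F: ("ldelema", "token"),
    0x94: ("ldelem.i4", None), 0xA3: ("ldelem", "token"),
}
TWO_BYTE = {  # second byte after the 0xFE prefix
    0x00: ("arglist", None), 0x09: ("ldarg", "u2"), 0x0A: ("ldarga", "u2"),
    0x0C: ("ldloc", "u2"), 0x0D: ("ldloca", "u2"), 0x1C: ("sizeof", "token"),
}
OPERAND_SIZE = {None: 0, "u1": 1, "i1": 1, "b1": 1, "u2": 2, "i4": 4, "b4": 4, "token": 4}
TOKEN_TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x06: "MethodDef", 0x0A: "MemberRef",
                0x1B: "TypeSpec", 0x2B: "MethodSpec", 0x70: "UserString"}

# Constructed IL: null-check arg 0, throw via a MemberRef constructor, else
# return arg0.Length + arg1 (ldarg 1 deliberately uses the long 0xFE form).
SAMPLE_IL = bytes([0x02, 0x2D, 0x06, 0x73, 0x01, 0x00, 0x00, 0x0A, 0x7A,
                   0x02, 0x8E, 0xFE, 0x09, 0x01, 0x00, 0x58, 0x2A])


def disassemble(code):
    """Return [(offset, mnemonic, kind, operand)]; branch operands become absolute IL offsets."""
    out, pos = [], 0
    while pos < len(code):
        start, op = pos, code[pos]
        pos += 1
        if op == 0xFE:
            if pos >= len(code) or code[pos] not in TWO_BYTE:
                raise ValueError("unknown two-byte opcode at IL_%04X" % start)
            mnem, kind = TWO_BYTE[code[pos]]
            pos += 1
        elif op in ONE_BYTE:
            mnem, kind = ONE_BYTE[op]
        else:
            raise ValueError("unsupported opcode 0x%02X at IL_%04X" % (op, start))
        size = OPERAND_SIZE[kind]
        raw = code[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated operand for %s at IL_%04X" % (mnem, start))
        pos += size
        if kind is None:
            operand = None
        elif kind in ("b1", "b4"):
            operand = pos + int.from_bytes(raw, "little", signed=True)  # next insn + rel
        else:
            operand = int.from_bytes(raw, "little", signed=(kind in ("i1", "i4")))
        out.append((start, mnem, kind, operand))
    return out


def format_listing(code):
    """Render the decoded instructions as ilasm-style text, naming token tables."""
    lines = []
    for off, mnem, kind, operand in disassemble(code):
        if kind is None:
            lines.append("IL_%04X: %s" % (off, mnem))
        elif kind in ("b1", "b4"):
            lines.append("IL_%04X: %s IL_%04X" % (off, mnem, operand))
        elif kind == "token":
            table = TOKEN_TABLES.get(operand >> 24, "Table0x%02X" % (operand >> 24))
            lines.append("IL_%04X: %s 0x%08X (%s rid %d)"
                         % (off, mnem, operand, table, operand & 0xFFFFFF))
        else:
            lines.append("IL_%04X: %s %d" % (off, mnem, operand))
    return lines


if __name__ == "__main__":
    print("\n".join(format_listing(SAMPLE_IL)))
```

Because branch operands are relative to the start of the next instruction, any tool that inserts bytes at the front of a method (as the hooking slides later describe) only keeps the original body valid if no branch crosses the insertion point; a decoder like this one is how you check that, and how a reviewer notices a body whose branch targets no longer land on instruction boundaries.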
Slide 22: Microsoft's .NET Implementation
  %SystemRoot%\Microsoft.NET
  %SystemRoot%\Assembly
    \GAC
    \NativeImages*

Slide 23: System Libraries
  mscoree.dll (execution engine)
  mscorjit.dll (contains JIT)
  mscorsn.dll (strong name)
  mscorlib.dll (BCL)
  fusion.dll (assembly binding)

Slide 24: .NET Application
  Jumps to _CorExeMain (mscoree)
  Calls _CorExeMain in mscorwks.dll
  _CorExeMain calls CoInitializeEE
  CoInitializeEE calls:
    EEStartup
    ExecuteEXE

Slide 25: EEStartup
  GCHeap.Initialize (managed heap = Doug Lea's malloc?)
  ECall.Init
  SetupGenericPInvokeCalliStub
  PInvokeCalliWorker
  NDirect.Init
  UMThunkInit.UMThunkInit
  COMDelegate.Init
  ExecutionManager.Init
  COMNlsInfo.InitializeNLS

Slide 26: EEStartup (cont.)
  Security::Start
  SystemDomain.Init (loads the BCL)
  SystemDomain.NotifyProfilerStartup
  SystemDomain.NotifyNewDomainLoads
  SystemDomain.PublishAppDomainAndInformDebugger (ICorPublish/ICorDebug)

Slide 27: SystemDomain.Init
  LoadBaseSystemClasses
  SystemDomain.CreatePreallocatedExceptions

Slide 28: LoadBaseSystemClasses
  SystemDomain.LoadSystemAssembly (loads mscorlib.dll)
  Binder::StartupMscorlib
  Binder::FetchClass(OBJECT)
  MethodTable::InitForFinalization
  InitJITHelpers2
  Binder::FetchClass(VALUE)
  Binder::FetchClass(ARRAY)

Slide 29: LoadBaseSystemClasses (cont.)
  Binder.FetchType(OBJECT_ARRAY)
  Binder.FetchClass(STRING)
  Binder.FetchClass(ENUM)
  Binder.FetchClass(ExceptionClass)
  Binder.FetchClass(OutOfMemoryExceptionClass)
  Binder.FetchClass(StackOverflowExceptionClass)

Slide 30: LoadBaseSystemClasses (cont.)
  Binder.FetchClass(ExecutionEngineExceptionClass)
  Binder.FetchClass(DelegateClass)
  Binder.FetchClass(MultiDelegateClass)

Slide 31: .NET Application (review)
  Jumps to _CorExeMain (mscoree)
  Calls _CorExeMain in mscorwks.dll
  _CorExeMain calls CoInitializeEE
  CoInitializeEE calls:
    EEStartup
    ExecuteEXE
Slide 34: BaseDomain.LoadAssembly
  BaseDomain.ApplySharePolicy
  AssemblySecurityDescriptor.Init
  Module.Create
  BaseDomain.SetAssemblyManifestModule
  AssemblySecurityDescriptor.AddDescriptorToDomainList

Slide 37: EEClass.FindMethod
  ValidateMainMethod
  CorCommandLine.GetArgvW
  MethodDesc.Call
  MethodDesc.IsRemotingIntercepted
  MethodDesc.CallDescr calls MethodDesc.CallDescrWorker
  CallDescrWorker calls Main()

Slide 38: .NET Application
  Main() needs to be compiled
  Main() calls PreStubWorker (mscorwks)
  PreStubWorker compiles all IL methods
    Calls MethodDesc.DoPrestub

Slide 39: MethodDesc.DoPrestub
  MethodDesc.GetSecurityFlags
  MethodDesc.GetUnsafeAddrofCode
  MethodDesc.GetILHeader
  MethodDesc.GetRVA
  COR_DECODE_METHOD (decodes the tiny/fat format)
  Security._CanSkipVerification

Slide 40: MethodDesc.DoPrestub (cont.)
  EEConfig.ShouldJitMethod
  MakeJitWorker
  JITFunction
  GetPrejittedCode

Slide 41: JITFunction
  ExecutionManager::GetJitForType
  EEJitManager::LoadJIT
  Loads mscorjit.dll (in LoadJIT)
  Calls getJit in mscorjit (in LoadJIT)
  CallCompileMethodWithSEHWrapper
  Debugger.JitBeginning
  CILJit.compileMethod
  Debugger.JitComplete

Slide 43: Compiler.compCompile
  Compiler.eeGetMethodClass
  Compiler.eeGetClassAttribs
  emitter.emitBegCG
  Compiler.eeGetMethodAttribs
  Compiler.comptInitDebuggingInfo
  Compiler.genGenerateCode
  emitter.emitEndCG

Slide 45: .NET Application
  Show flowchart

Slide 46: .NET Hook
  Reads through the method table
  Reads each method
  Parses header, code, EH data
  Hooks functions of interest
  Inserts hooked code at the front of the method
  Stored at the end of the .text section
  Updates PE and section headers
  Changes function RVAs in the metadata

Slide 47: Method Definition (review)
  RVA: offset to the method body
  Implementation flags
  Method flags
  Method name: offset into #Strings
  Signature: offset into #Blob
  Parameters: index into the Param table (0x08)

Slide 48: Tiny Method Body
  Header size = 1 byte
  Used when:
    Maximum stack size is less than 8
    The method has no local variables
    No extra data section
    No exceptions

Slide 49: Tiny Method
  Header (flags and code size)
  Method body (IL)

Slide 50: Fat Method
  Header size = 12 bytes
    Flags
    Header size
    Max. stack size
    Code size
    Local var. signature (describes local variables)
  Method body (IL)
  Extra data sections (currently only used for exceptions)
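As an added example that is not the slides' own code: a Python decoder for the tiny and fat method body headers summarised on the "Tiny Method Body" and "Fat Method" slides, including the exception-handling data sections that slide 46 says a hook must parse (ECMA-335 Partition II, section 25.4; the tiny format's stack limit there is 8 and its code is limited to 63 bytes). It also implements the tiny-eligibility rules from slide 48 as a check. Both sample bodies, their IL and the tokens in them (0x11000001, 0x06000001, 0x01000001) are constructed for the example. A tool that audits an assembly for rewritten method bodies starts exactly here: decode each body from its RVA, then compare the header fields, code size and section boundaries with the PE section that the RVA points into.

```python
"""Decode a CLI method body header (tiny or fat) and its extra data sections.

Added example (not from the original slides). Format per ECMA-335 Partition II,
section 25.4: a tiny header is one byte (flags in the low 2 bits, code size in
the upper 6), a fat header is 12 bytes and may be followed by 4-byte-aligned
exception-handling sections. The two bodies in build_samples() are constructed.
"""
import struct

CORILMETHOD_TINYFORMAT = 0x2
CORILMETHOD_FATFORMAT = 0x3
CORILMETHOD_MORESECTS = 0x8
CORILMETHOD_INITLOCALS = 0x10
SECT_EHTABLE = 0x01
SECT_FATFORMAT = 0x40
SECT_MORESECTS = 0x80
CLAUSE_FIELDS = ("flags", "try_offset", "try_length",
                 "handler_offset", "handler_length", "class_token_or_filter")


def _parse_sections(data, pos):
    """Parse the chain of extra data sections starting at pos (already 4-byte aligned)."""
    sections = []
    while True:
        kind = data[pos]
        if kind & SECT_FATFORMAT:
            size = int.from_bytes(data[pos + 1:pos + 4], "little")  # 3-byte DataSize
            clause_size, fmt = 24, "<IIIIII"
        else:
            size = data[pos + 1]  # 1-byte DataSize, then 2 reserved bytes
            clause_size, fmt = 12, "<HHBHBI"
        if size < 4 or pos + size > len(data):
            raise ValueError("bad section size %d at 0x%X" % (size, pos))
        if kind & SECT_EHTABLE:  # DataSize counts the 4-byte section header too
            clauses = [dict(zip(CLAUSE_FIELDS,
                                struct.unpack_from(fmt, data, pos + 4 + i * clause_size)))
                       for i in range((size - 4) // clause_size)]
            sections.append({"kind": "exception_table",
                             "fat": bool(kind & SECT_FATFORMAT), "clauses": clauses})
        else:
            sections.append({"kind": "unknown", "raw": data[pos:pos + size]})
        pos += size
        if not kind & SECT_MORESECTS:
            return sections, pos


def decode_method_body(data, offset=0):
    """Return header fields, IL bytes, parsed sections and the total body size."""
    first = data[offset]
    if first & 0x3 == CORILMETHOD_TINYFORMAT:
        code_size = first >> 2
        code = data[offset + 1:offset + 1 + code_size]
        if len(code) != code_size:
            raise ValueError("tiny body truncated")
        return {"format": "tiny", "flags": CORILMETHOD_TINYFORMAT, "max_stack": 8,
                "code_size": code_size, "local_sig_token": 0, "init_locals": False,
                "code": code, "sections": [], "body_size": 1 + code_size}
    if first & 0x3 != CORILMETHOD_FATFORMAT:
        raise ValueError("unknown method header format 0x%02X" % first)
    flags_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", data, offset)
    flags, header_dwords = flags_size & 0x0FFF, flags_size >> 12
    if header_dwords != 3:  # the fat header is always 3 dwords (12 bytes)
        raise ValueError("fat header size must be 3 dwords, got %d" % header_dwords)
    code_start = offset + 12
    code = data[code_start:code_start + code_size]
    if len(code) != code_size:
        raise ValueError("fat body truncated")
    end = code_start + code_size
    sections = []
    if flags & CORILMETHOD_MORESECTS:
        sections, end = _parse_sections(data, (end + 3) & ~3)
    return {"format": "fat", "flags": flags, "max_stack": max_stack, "code_size": code_size,
            "local_sig_token": local_sig, "init_locals": bool(flags & CORILMETHOD_INITLOCALS),
            "code": code, "sections": sections, "body_size": end - offset}


def fits_tiny_format(body):
    """Tiny-header conditions from the slides (small stack, no locals, no extra sections,
    hence no exception clauses) plus the format's own 63-byte code limit."""
    return (body["max_stack"] <= 8 and body["local_sig_token"] == 0
            and not body["sections"] and body["code_size"] < 64)


def build_samples():
    """Constructed bodies: tiny 'ldarg.0; ldarg.1; add; ret' and a fat body with one catch clause."""
    tiny = bytes([(4 << 2) | CORILMETHOD_TINYFORMAT, 0x02, 0x03, 0x58, 0x2A])
    # nop; ldarg.0; call 06000001; leave.s IL_000C; pop; leave.s IL_000C; ret
    code = bytes([0x00, 0x02, 0x28, 0x01, 0x00, 0x00, 0x06, 0xDE, 0x03, 0x26, 0xDE, 0x00, 0x2A])
    flags = CORILMETHOD_FATFORMAT | CORILMETHOD_MORESECTS | CORILMETHOD_INITLOCALS
    fat = struct.pack("<HHII", (3 << 12) | flags, 2, len(code), 0x11000001) + code
    fat += b"\x00" * (-len(fat) % 4)  # sections start on a 4-byte boundary
    fat += bytes([SECT_EHTABLE, 16, 0, 0])  # small EH section: 4-byte header + one 12-byte clause
    fat += struct.pack("<HHBHBI", 0, 0, 9, 9, 3, 0x01000001)  # catch TypeRef 1: try [0,9) handler [9,12)
    return tiny, fat


if __name__ == "__main__":
    for body in build_samples():
        decoded = decode_method_body(body)
        print(decoded["format"], decoded["code_size"], decoded["body_size"], decoded["sections"])
```

The try/handler offsets in an exception clause are IL offsets from the start of the code, the same base the branch targets use. That is why inserting bytes at the front of a method with a fat header means rewriting every clause as well as the code-size field, whereas a tiny body only carries the code size in its single header byte.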
Slide 51: Hooked Tiny Method
  Header (flags and code size) [updated]
  Hooking code (IL) [inserted]
  Method body (IL)

Slide 53: Hooked Assembly
  [Layout diagram: Metadata; Functions (IL); Import Address Table (end of the old .text section); Hooked Functions (IL) (end of the new .text section); labelled "References both"]