Shen Shuographic: Short Stone

Shen Shuographic: Short Stone

Glory 2003

New technologies often use old technologies to "foot stone". This is true for .NET in COM.

If you have installed .NET Framework, there will be a mscoree.dll in the system directory (probably C: / Winnt / System32), which is Microsoft .NET runtime execution engine (.NET Runtime Execution Engine), its importance is not - "Sharpei" virus is to determine if the computer is installed .NET by looking for it .NET.

Let us observe that this DLL is exported to:

C: / Winnt / System32>

Dumpbin / exports mscoree.dll Dump of file mscoree.dll file type: dll section contacts the following exports for mscoree.dll 000000000 Characteristics 3c368fbe Time Date Stamp Sat Jan 05 13:31:

42 2002 0.00 version 17 ordinal base 100 number of functions 94 number of names ordinal hint RVA name 36 0 0001161E CallFunctionShim 21 1 000108E2 CloseCtrs 37 2 0000B998 ClrCreateManagedInstance 38 3 00011163 CoEEShutDownCOM 39 4 0000B7C7 CoInitializeCor 40 5 00010CA1 CoInitializeEE 24 6 00011372 CoLogCurrentStack 41 7 00010D41 CoUninitializeCor 42 8 00010CF3 CoUninitializeEE 25 9 000108D8 CollectCtrs 43 A 0000A8B0 CorBindToCurrentRuntime 44 B 000118A9 CorBindToRuntime 45 C 000108FF CorBindToRuntimeByCfg 46 D 0000FA0E CorBindToRuntimeByPath 47 E 00011826 CorBindToRuntimeEx 48 F 0000B9F9 CorBindToRuntimeHost 49 10 0000B25B CorExitProcess 50 11 00011320 CorMarkThreadInThreadPool 51 12 00008C2E CreateConfigStream 52 13 0000B2AB DllCanUnloadNow 53 14 00007F2A DLLGETCLASSOBJECT 54 15 00011678 DllregisterServer 55 16 00010Be9 DllunregisterServer 26 17 0000fa42 EEDLLGET ClassObjectFromClass 56 18 0001156A EEDllRegisterServer 57 19 000115C0 EEDllUnregisterServer 58 1A 000023AC GetAssemblyMDImport 59 1B 0000B2F4 GetCORRequiredVersion 60 1C 00002290 GetCORSystemDirectory 61 1D 000092A1 GetCORVersion 62 1E 0001111A GetCompileInfo 27 1F 00011513 GetGlobalContextsPerfCounters 63 20 00010054 GetHashFromAssemblyFile 64 21 000100BC GetHashFromAssemblyFileW 65 22 00010246 GetHashFromBlob 66 ​​23 00010125 GetHashFromFile 67 24 00010184 GetHashFromFileW 68 25 000101E5 GetHashFromHandle 69 26 0000B818 GetHostConfigurationFile 70 27 00010E6B GetMetaDataInternalInterface 71 28 00010DFB GetMetaDataInternalInterfaceFromPublic 72 29 00010D8A GetMetaDataPublicInterfaceFromI

nternal 73 2A 000110B0 GetPermissionRequests 28 2B 000114BA GetPrivateContextsPerfCounters 74 2C 0001099D GetRealProcAddress 29 2D 0000B7C1 GetStartupFlags 75 2E 000122CE GetXMLElement 76 2F 000122D6 GetXMLElementAttribute 77 30 00005BE8 GetXMLObject 78 31 0000B8CC LoadLibraryShim 79 32 00011848 LoadLibraryWithPolicyShim 30 33 000113C6 LogHelp_LogAssert 31 34 0001141A LogHelp_NoGuiOnAssert 32 35 0001146A LogHelp_TerminateOnAssert 80 36 00010C44 MetaDataGetDispenser 81 37 0000FB96 ND_CopyObjDst 82 38 0000FB6E ND_CopyObjSrc 83 39 0000B977 ND_RI2 84 3A 0000B988 ND_RI4 85 3B 0000FB18 ND_RI8 86 3C 0000B8A8 ND_RU1 87 3D 0000FB2C ND_WI2 88 3E 0000FB41 ND_WI4 89 3F 0000FB54 ND_WI8 90 40 0000B8B9 ND_WU1 33 41 0001077E OpenCtrs 34 42 0000FA4A ReleaseFusionInterfaces 91 43 000109de Rundll32Shimw 35 44 00011269 RuntimeimageType 92 45 000112C1 Runtimeoshandle 93 46 000111A8 RuntimeOpenImage 94 47 00011209 Runt imeReleaseHandle 95 48 0000FF3D StrongNameCompareAssemblies 96 49 0000B3C0 StrongNameErrorInfo 97 4A 0000220F StrongNameFreeBuffer 98 4B 0000FCC8 StrongNameGetPublicKey 99 4C 0000FFA0 StrongNameHashSize 100 4D 0000FC75 StrongNameKeyDelete 101 4E 0000FBBE StrongNameKeyGen 102 4F 0000FC19 StrongNameKeyInstall 103 50 0000FD2B StrongNameSignatureGeneration 104 51 0000FFF7 StrongNameSignatureSize 105 52 0000B35B StrongNameSignatureVerification 106 53 0000FE62 StrongNameSignatureVerificationEx 107 54 0000FECA StrongNameSignatureVerificationFromImage 108 55 0000FD96 StrongNameTokenFromAssembly 109 56 0000FDF8 StrongNameTokenFromAssemblyEx 110 57 00002175 StrongNameTokenFromPublicKey 111 58 0001104

1 TranslateSecurityAttributes 112 59 00002064 _CorDllMain 114 5A 0000B865 _CorExeMain 113 5B 000116EE _CorExeMain2 115 5C 0001077B _CorImageUnloading 116 5D 00011739 _CorValidateImage 17 00010ED5 [NONAME] 18 00010F0C [NONAME] 19 00010F4E [NONAME] 20 00010F84 [NONAME] 22 00010FB6 [NONAME] 23 00010FFD [ Noname] Summary 3000 .Data 2000 .reloc 1000 .RSRC 1A000 .Text

Do you notice those blue color words? The .NET runtime execution engine is a COM component.

Execute the following command to try, you can further confirm this fact:

Regsvr32 c: /winnt/system32/mscoree.dll

If you have been interested, explore some of the true .NET DLL's true face (I didn't suggest that they are all COM components).

Only in order to illustrate a simple truth, it is unlikely to list a big beach DUMP information. I also want to take an example of an example: learning from serious care.

"Be Careful".

-Finish-