.NET Framework Rootkits

Posted: November 14, 2008 in Other Tutorials

This page covers a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core.


This paper introduces a new method that enables an attacker to change the .NET

The paper covers various ways to develop rootkits for the .NET framework, so that
every EXE/DLL that runs on a modified Framework will behave differently from how
it is supposed to. Code reviews will not detect backdoors installed inside the
Framework, since the payload is not in the application code itself but inside the
Framework implementation. Writing Framework rootkits enables the attacker to
install a reverse shell inside the framework, steal valuable information, fixate
encryption keys, disable security checks, and perform the other malicious actions
described in this paper.

This paper also introduces “.Net-Sploit”, a new tool for building MSIL rootkits that
enables the user to inject a preloaded or custom payload into the Framework core DLL.


Download full paper here:


