Nuclear Posted January 18, 2008
Hi all,
I'm looking to write a .NET protection mechanism that will decrypt/decode each function at runtime. This topic interests me and I need a new side project.
I recently found this article (hence the hooking JIT title), but being a bit new at this, I'm still not sure how to go about it.
http://www.codebreakers-journal.com/content/view/123/97/
Can anyone provide links, tutorials, tips, etc. to help me along my way?
Thanks in advance.
Nuclear
rendari Posted January 18, 2008
I'm coding the same thing as you. Where are you stuck?
Nuclear (Author) Posted January 19, 2008
Hey rendari,
Thanks for replying. I'm kinda stuck at the beginning. I have a pretty good idea how I can encrypt the MSIL, save it back to the assembly and update the assembly to call into my unmanaged code. However, I am unsure how I can hook the JIT. From what I can gather from the link, I can:
1) Call getJit() and hook the class or compileMethod
2) Hook the MethodDesc::GetILHeader() method
I would say 1 is probably easier, so better for me. However, how do you go about hooking: is it the entire Jit class or just the compile method? Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?
rendari Posted January 19, 2008
Well, I use method 1; with method 2 you will probably have compatibility problems in future versions of .NET. I also just hook the compileMethod() class, as it is the only one that accesses the jit. However, you might also want to be aware that just encrypting the entire IL and then decrypting it at compileMethod() won't work, because I believe that the IL headers are accessed from mscorwks.dll in a class called DecoderInit() (a part of the PreStubWorker). So far I have not found a way to hook DecoderInit(), so you should remember to leave the IL headers intact and unencrypted if you don't want any problems regarding that. Also remember that the jit compiler verifies whether the IL is in the address space of the exe module it is called from. If it is outside of the exe module's address space in memory, then a function called (I forget what it's called, it was something like ILCheckRVA) will fail, and so the jit will fail to compile. So, wherever you decrypt the IL code must be in the address space of the exe's module.
> Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?
There.... I have no idea
Nuclear (Author) Posted January 20, 2008
Rendari,
Thanks for your comments, I can see this getting very tricky. I think I'll just crack on and see what happens. Thanks again.
Ufo-Pu55y Posted January 20, 2008
> I think I'll just crack on and see what happens.
Haha, I like the conclusion! :laugh: I'm still after running native code without any guarding DLLs... :/
rendari Posted January 20, 2008
> I think I'll just crack on and see what happens.
> Haha, I like the conclusion! :laugh: I'm still after running native code without any guarding DLLs... :/
Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer
Ufo-Pu55y Posted January 20, 2008 Posted January 20, 2008 (edited) Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer Huh ?? Damn, that's exactly what I was looking for since 2 days ! Thx a LOT (again) !!!!! Now this will be fun... Marshal owns. Edited January 20, 2008 by Ufo-Pu55y
Nuclear (Author) Posted January 21, 2008
Back again :-),
Couple of points. In the link I specified above, how has the writer derived the class signature, i.e. class name, method names and function arguments? Is there a tool for this or have they just analysed the disassembly? Also, I found this Win32 API hook library, looks pretty neat, thought this may help someone.
http://research.microsoft.com/sn/detours/
Thanks
-Nuclear
rendari Posted January 21, 2008
> Couple of points. In the link I specified above, how has the writer derived the class signature, i.e. class name, method names and function arguments? Is there a tool for this or have they just analysed the disassembly?
Errr.... come again?
Nuclear (Author) Posted January 21, 2008
Rendari,
In the Code Breakers Journal article I linked to in my original post, the author specifies:

.text:7906E7F4 private: virtual enum CorJitResult __stdcall CILJit::compileMethod(class ICorJitInfo *, struct CORINFO_METHOD_INFO *, unsigned int, unsigned char * *, unsigned long *) proc near

The second parameter, a pointer to CORINFO_METHOD_INFO, is a structure as follows.

struct CORINFO_METHOD_INFO
{
    CORINFO_METHOD_HANDLE ftn;
    CORINFO_MODULE_HANDLE scope;
    BYTE * ILCode;
    unsigned ILCodeSize;
    unsigned short maxStack;
    unsigned short EHcount;
    CorInfoOptions options;
    CORINFO_SIG_INFO args;
    CORINFO_SIG_INFO locals;
};

I am just wondering how he derived the class name, method and CORINFO_METHOD_INFO structure. Is there an application that will show this, or has he analyzed the disassembly by hand/eye?
-Nuclear
rendari Posted January 21, 2008 Posted January 21, 2008 (edited) ... well why not just google it? http://www.koders.com/cpp/fid6CEF5C98A9D76...4CE2A33CBD.aspxhttp://www.koders.com/cpp/fid57F02E2F83B76...px?s=cdef%3Amd5http://www.koders.com/cpp/fid38A23CF83A33B...THOD_INFO#L1038 Edited January 21, 2008 by rendari
Nuclear (Author) Posted January 22, 2008
Rendari,
Thanks, I had seen that, but misread it and thought it wasn't the same.
How are you replacing/redirecting the compileMethod? I can't seem to figure it out, not sure how to get the right address dword for the method.
rendari Posted January 22, 2008 Posted January 22, 2008 (edited) ;assuming that EDI = pointer to new compileMethod function7C90EB94 > E8 E1FE76FC CALL mscorjit.getJit7C90EB99 8B00 MOV EAX,DWORD PTR DS:[EAX]7C90EB9B 8938 MOV DWORD PTR DS:[EAX],EDI Remember to VirtualProtect it to RWE before trying to write new address... Edited January 22, 2008 by rendari
rendari Posted January 23, 2008
No problem. Any ideas on how to hook functions such as PreStubWorker in mscorwks.dll?
Nuclear (Author) Posted January 24, 2008
Rendari,
No ideas on hooking the PreStubWorker, you're far further ahead on hooking than I am. However, would it be possible to mislead it somehow by adding some valid IL beforehand, then using the valid code size to offset to your encrypted code? This is what I was thinking of.
rendari Posted January 24, 2008
Hmm, no, I'm trying to hook PreStubWorker so that I can dynamically decrypt metadata tables as per access. Not possible to do with IL code, I'm afraid =/
bigmouse Posted January 25, 2008
It's hard to dynamically decrypt metadata tables as per access without breaking reflection features. Hooking PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .NET, as someone may still be using an old version.
rendari Posted January 25, 2008
> It's hard to dynamically decrypt metadata tables as per access without breaking reflection features. Hooking PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .NET, as someone may still be using an old version.
Too true, I gave up on it yesterday... well, do you have any ideas bigmouse? You seem to know your way around .NET the most.
bigmouse Posted January 26, 2008
Look into Cli_Secure; this would be a good start. For more secure protection, research DNGuard; it seems to do it the best way. I'm looking for samples of HVM; it's more interesting.
rendari Posted January 26, 2008
Already unpacked Cli_Secure, am looking at DNGuard atm while improving my own protection. I just posted an unpackme of an early version. Check it out.
bigmouse Posted January 27, 2008
That's simple. Here is the unpacked file.
Download Link: http://www.filesend.net/download.php?f=cc3...a5647195d47473e