Tuts 4 You

Hooking .net Jit Compiler


Nuclear

Posted

Hi all,

I'm looking to write a .NET protection mechanism that will decrypt/decode each function at runtime. This topic interests me and I need a new side project.

I recently found this article (hence the hooking JIT title), but being a bit new at this, I'm still not sure how to go about it.

http://www.codebreakers-journal.com/content/view/123/97/

Can anyone provide links, tutorials, tips, etc to help me along my way?

Thanks in advance.

Nuclear

Posted

I'm coding the same thing as you. Where are you stuck? :)

Posted

Hey rendari,

Thanks for replying. I'm kinda stuck at the beginning. I have a pretty good idea how I can encrypt the MSIL, save it back to the assembly and update the assembly to call into my unmanaged code. However, I am unsure how I can hook the JIT. From what I can gather from the link, I can

1) Call getJit() and hook the class or compileMethod

2) Hook the MethodDesc::GetILHeader() method

I would say 1 is probably easier, so better for me. However, how do you go about hooking: is it the entire JIT class or just the compile method? Can you create a JIT class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?

Posted

Well I use method 1, with method 2 you will probably have compatibility problems in future versions of .NET. I also just hook the compileMethod() class, as it is the only one that accesses the jit. However, you might also want to be aware that just encrypting the entire IL and then decrypting it at compileMethod() won't work, because I believe that the IL headers are accessed from mscorwks.dll in a class called DecoderInit() (a part of the PreStubWorker). So far I have not found a way to hook DecoderInit(), so you should remember to leave the IL headers intact and unencrypted if you don't want any problems regarding that. Also remember that the jit compiler verifies whether the IL is in the address space of the exe module it is called from. If it is outside of the exe module's address space in memory, then a function called (I forget what it's called, it was something like ILCheckRVA) will fail, and so the jit will fail to compile. So, wherever you decrypt the IL code must be in the address space of the exe's module.

Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?

There.... I have no idea :(

Posted

Rendari,

Thanks for your comments, I can see this getting very tricky. I think I'll just crack on and see what happens. Thanks again.

Posted
I think I'll just crack on and see what happens.
Haha, I like the conclusion! :laugh:

I'm still after running native code without any guarding DLLs... :/

Posted
I think I'll just crack on and see what happens.
Haha, I like the conclusion! :laugh:

I'm still after running native code without any guarding DLLs... :/

Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer :)

Posted (edited)
Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer :)
Huh?? Damn, that's exactly what I was looking for for 2 days! :ninja:

Thx a LOT (again) !!!!!

Now this will be fun... Marshal owns.

Edited by Ufo-Pu55y
Posted

Back again :-),

Couple of points. In the link I specified above, how has the writer derived the class signature, i.e. class name, method names and function arguments? Is there a tool for this or have they just analysed the disassembly? Also, I found this Win32 API hook library, looks pretty neat, thought this may help someone. http://research.microsoft.com/sn/detours/

Thanks

-Nuclear

Posted
Couple of points. In the link I specified above, how has the writer derived the class signature, i.e. class name, method names and function arguments? Is there a tool for this or have they just analysed the disassembly?

Errr.... come again?

Posted

Rendari,

In the Code Breakers Journal article I linked to in my original post, the author specifies:

.text:7906E7F4 private: virtual enum CorJitResult __stdcall
CILJit::compileMethod(class ICorJitInfo *,
                      struct CORINFO_METHOD_INFO *,
                      unsigned int,
                      unsigned char * *,
                      unsigned long *) proc near

The second parameter, a pointer to CORINFO_METHOD_INFO, is a structure as follows.

struct CORINFO_METHOD_INFO
{
    CORINFO_METHOD_HANDLE ftn;
    CORINFO_MODULE_HANDLE scope;
    BYTE *                ILCode;
    unsigned              ILCodeSize;
    unsigned short        maxStack;
    unsigned short        EHcount;
    CorInfoOptions        options;
    CORINFO_SIG_INFO      args;
    CORINFO_SIG_INFO      locals;
};

I am just wondering how he derived the class name, method and CORINFO_METHOD_INFO structure. Is there an application that will show this, or has he analyzed the disassembly by hand/eye?

-Nuclear

Posted

Rendari,

Thanks, I had seen that, but misread it and thought it wasn't the same.

How are you replacing/redirecting the compileMethod? I can't seem to figure it out, not sure how to get the right address dword for the method.

Posted (edited)
;assuming that EDI = pointer to new compileMethod function
7C90EB94 >  E8 E1FE76FC    CALL mscorjit.getJit
7C90EB99    8B00           MOV EAX,DWORD PTR DS:[EAX]
7C90EB9B    8938           MOV DWORD PTR DS:[EAX],EDI

:)

Remember to VirtualProtect it to RWE before trying to write new address...

Edited by rendari
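rendari's three-instruction slot swap, together with the two caveats from the earlier reply (make the slot writable first; decrypted IL must sit inside the module), as an added example that is not code from this thread. The JIT is a stand-in so the model runs anywhere, and the CORINFO_METHOD_INFO and ICorJitCompiler layouts are trimmed assumptions rather than the real corjit.h.

```c
/* Added example, not code from the thread: CORINFO_METHOD_INFO and ICorJitCompiler here
 * are trimmed assumptions standing in for corjit.h, and the JIT is a fake so it runs anywhere. */
#include <stddef.h>

typedef enum { CORJIT_OK = 0, CORJIT_BADCODE = 1 } CorJitResult;
typedef struct { unsigned char *ILCode; unsigned ILCodeSize; } CORINFO_METHOD_INFO;
struct ICorJitCompiler;
typedef CorJitResult (*compileMethod_t)(struct ICorJitCompiler *self, void *comp,
    CORINFO_METHOD_INFO *info, unsigned flags, unsigned char **entry, unsigned long *size);
typedef struct { compileMethod_t compileMethod; } ICorJitCompilerVtbl;   /* slot 0 */
struct ICorJitCompiler { ICorJitCompilerVtbl *vtbl; };
/* Stand-in JIT: accepts a body only if its first opcode is a plaintext 'ret' (0x2A). */
static CorJitResult fake_compileMethod(struct ICorJitCompiler *self, void *comp,
    CORINFO_METHOD_INFO *info, unsigned flags, unsigned char **entry, unsigned long *size) {
    (void)self; (void)comp; (void)flags; (void)entry; (void)size;
    return (info->ILCodeSize > 0 && info->ILCode[0] == 0x2A) ? CORJIT_OK : CORJIT_BADCODE;
}
static ICorJitCompilerVtbl fake_vtbl = { fake_compileMethod };
static struct ICorJitCompiler fake_jit = { &fake_vtbl };
static struct ICorJitCompiler *getJit(void) { return &fake_jit; }  /* mscorjit!getJit stand-in */

static compileMethod_t original_compileMethod;  /* what slot 0 held before the hook */
static unsigned char decrypted_il[256];         /* static data lives inside this module's image */
unsigned hooked_calls;
/* Hook: decrypt the body (constructed XOR key 0x5A) into the in-module buffer, repoint ILCode,
 * then call the real JIT. The IL header is untouched: the runtime parsed it before this point. */
static CorJitResult hooked_compileMethod(struct ICorJitCompiler *self, void *comp,
    CORINFO_METHOD_INFO *info, unsigned flags, unsigned char **entry, unsigned long *size) {
    hooked_calls++;
    if (info->ILCodeSize > sizeof decrypted_il) return CORJIT_BADCODE;
    for (unsigned i = 0; i < info->ILCodeSize; i++) decrypted_il[i] = info->ILCode[i] ^ 0x5A;
    info->ILCode = decrypted_il;
    return original_compileMethod(self, comp, info, flags, entry, size);
}
/* rendari's three steps: call getJit, load the vtable pointer, overwrite slot 0. In a real
 * process the slot is read-only, so VirtualProtect it to PAGE_EXECUTE_READWRITE first. */
int install_hook(void) {
    struct ICorJitCompiler *jit = getJit();
    if (jit == NULL || jit->vtbl == NULL) return 0;
    original_compileMethod = jit->vtbl->compileMethod;
    jit->vtbl->compileMethod = hooked_compileMethod;
    return 1;
}
/* Drive one compile through the vtable, as the runtime does. Constructed sample body. */
unsigned char sample_encrypted_il[2] = { 0x2A ^ 0x5A, 0x00 ^ 0x5A };
CorJitResult jit_compile(unsigned char *il, unsigned len) {
    CORINFO_METHOD_INFO info = { il, len };
    unsigned char *entry = NULL; unsigned long sz = 0;
    return getJit()->vtbl->compileMethod(getJit(), NULL, &info, 0, &entry, &sz);
}
```

Before the hook the stand-in JIT rejects the encrypted body; after install_hook() the same call is routed through the hook and succeeds.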
Posted

Thank you for your help Rendari

Posted

No problem. Any ideas on how to hook functions such as PreStubWorker in mscorwks.dll?

Posted

Rendari,

No ideas on hooking the PreStubWorker, you're far ahead on hooking than I am. However, would it be possible to mislead it somehow by adding some valid IL beforehand, then using the valid code size to offset to your encrypted code? This is what I was thinking of.

Posted

Hmm, no, I'm trying to hook PreStubWorker so that I can dynamically decrypt metadata tables as per access. Not possible to do with IL code I'm afraid =/

Posted

It's hard to dynamically decrypt metadata tables as per access without breaking reflection features.

Hooking PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .NET,

as someone may still be using an old version.

Posted
It's hard to dynamically decrypt metadata tables as per access without breaking reflection features.

Hooking PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .NET,

as someone may still be using an old version.

Too true, I gave up on it yesterday... well, do you have any ideas bigmouse? You seem to know your way around .NET the most :)

Posted

Look into Cli_Secure, this would be a good start.

For more secure protection, research DNGuard; it seems to do it the best way.

I'm looking for samples of hvm, it's more interesting.

Posted

Already unpacked Cli_Secure, am looking at DNGuard atm while improving my own protection. I just posted an unpackme of an early version. Check it out :)
