Hooking .net Jit Compiler

[Nuclear]

Hi all,

I'm looking to write a .NET protection mechanism that will decrypt/decode each function at runtime. This topic interests me and i need a new side project.

I recently found this article (hence the hooking JIT title), but being a bit new at this, I'm still not sure how to go about it.

http://www.codebreakers-journal.com/content/view/123/97/

Can anyone provide links, tutorials, tips, etc to help me along my way?

Thanks in advance.

Nuclear

[rendari]

I'm coding the same thing as you. Where are you stuck?

[Nuclear]

Hey rendari,

Thanks for replying. I'm kinda stuck at the beginning, I have a pretty good idea how i can encyrpt the MSIL and save it back to the assembly and update the assembly to call into my unmanaged code. However, I am unsure how i can hook JIT. From what i can gather from the link, I can

1) Call getJit() and hook the class or compileMethod

2) Hook the MethodDesc::GetILHeader() method

I would say 1 is probably easier so better for me, however, how do you go about hooking, is it the entire Jit class or just the compile method. Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?

[rendari]

Well I use method 1, with method 2 you will probably have compatibility problems in future versions of .NET. I also just hook the compileMethod() class, as it is the only one that accesses the jit. However, you might also want to be aware that just encrypting the entire IL and then decrypting it at compileMethod() won't work, because I believe that the IL headers are accessed from mscorwks.dll in a class called DecoderInit() (a part of the PreStubWorker) so far I have not found a way to hook DecoderInit(), so you should remember to leave the IL headers intact and unencrypted if you don't want any problems regarding that. Also remember that the jit compiler verifies whether the IL is in the address space of the exe module it is called from. If it is outside of the exe module's address space in memory, then a function called (I forget what its called, it was something like ILCheckRVA) will fail, and so the jit will fail to compile. So, whereever you decrypt the IL code must be in the address space of the exe's module.

Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?

There.... I have no idea

[Nuclear]

Rendari,

Thanks for your comments, I can see this getting very tricky. I think i'll just crack on and see what happens. Thanks again.

[Ufo-Pu55y]

I think i'll just crack on and see what happens.

Haha, I like the conclusion ! :laugh:

I'm still after running native code without any guarding DLLs... :/

[rendari]

I think i'll just crack on and see what happens.

Haha, I like the conclusion ! :laugh:

I'm still after running native code without any guarding DLLs... :/

Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer

[Ufo-Pu55y]

Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer

Huh ?? Damn, that's exactly what I was looking for since 2 days !

Thx a LOT (again) !!!!!

Now this will be fun... Marshal owns.

Edited January 20, 2008 by Ufo-Pu55y

[rendari]

Glad I could help

[Nuclear]

Back again :-),

Couple of points, in the link i specified above, how has the writer derived the class signature, ie class name, method names and function arguments, is there a tool for this or have they just analysed the dissassembly. Also, I found this Win32 API hook library, looks pretty neat, thought this may help someone. http://research.microsoft.com/sn/detours/

Thanks

-Nuclear

[rendari]

Couple of points, in the link i specified above, how has the writer derived the class signature, ie class name, method names and function arguments, is there a tool for this or have they just analysed the dissassembly.

Errr.... come again?

[Nuclear]

Rendari,

In the code breakers journal article i linked to in my original post, the author specifies:

.text:7906E7F4 private: virtual enum CorJitResult __stdcall

CILJit::compileMethod(class ICorJitInfo *,

struct CORINFO_METHOD_INFO *,

unsigned int,

unsigned char * *,

unsigned long *) proc near

The second parameter, a pointer to CORINFO_METHOD_INFO, is a structure as follows.

struct CORINFO_METHOD_INFO

{

CORINFO_METHOD_HANDLE ftn;

CORINFO_MODULE_HANDLE scope;

BYTE * ILCode;

unsigned ILCodeSize;

unsigned short maxStack;

unsigned short EHcount;

CorInfoOptions options;

CORINFO_SIG_INFO args;

CORINFO_SIG_INFO locals;

};

I am just wondering how he derived the class name, method and CORINFO_METHOD_INFO structure. Is there an application that will show this, or has he anylized the disassembly by hand/eye?

-Nuclear

[rendari]

... well why not just google it?

http://www.koders.com/cpp/fid6CEF5C98A9D76...4CE2A33CBD.aspx

http://www.koders.com/cpp/fid57F02E2F83B76...px?s=cdef%3Amd5

http://www.koders.com/cpp/fid38A23CF83A33B...THOD_INFO#L1038

Edited January 21, 2008 by rendari

[Nuclear]

Rendari,

Thanks, I had seen that, but misread it and thought it wasn't the same.

How are you replacing/redirecting the compileMethod, I can't seem to figure it out, not sure how to get the right address dword for the method.

[rendari]

;assuming that EDI = pointer to new compileMethod function7C90EB94 >  E8 E1FE76FC		  CALL mscorjit.getJit
7C90EB99	8B00				 MOV EAX,DWORD PTR DS:[EAX]
7C90EB9B	8938				 MOV DWORD PTR DS:[EAX],EDI

Remember to VirtualProtect it to RWE before trying to write new address...

Edited January 22, 2008 by rendari

[Nuclear]

Thank-you for your help Renadari

[rendari]

No problem. Any ideas on how to hook functions such as PreStubWorker in mscorwks.dll?

[Nuclear]

Rendari,

No ideas on hooking the PreStubWorker, your far ahead on hooking than i am. However, would it be possible to mislead it somehow by adding some valid IL before hand, then using the valid code size to offset to your encrypted code. This is what i was thinking of.

[rendari]

Hmm, no, I'm trying to hook PreStubWorker so that I can dynamically decrypt metadata tables as per access. Not possible to do with IL code I'm afraid =/

[bigmouse]

it's hard to dynamically decrypt metadata tables as per access whithout broken reflection features.

hook PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .Net.

as someone maybe still using a old version.

[rendari]

it's hard to dynamically decrypt metadata tables as per access whithout broken reflection features.

hook PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .Net.

as someone maybe still using a old version.

Too true, I gave up on it yesterday... well, do you have any ideas bigmouse? You seem to know your way around .NET the most

[bigmouse]

look into Cli_Secure , this would be a good start.

for more secure protection ,research into dnguard, seems to it does the best way.

i'm looking for samples of hvm, it's more interesting

[rendari]

Already unpacked Cli_Secure, am looking at DNGuard atm while improving my own protection. I just posted an unpackme of an early version. Check it out

[bigmouse]

that's simple.

here is the unpacked file

Download Link: http://www.filesend.net/download.php?f=cc3...a5647195d47473e