Jump to content
Tuts 4 You

Hooking .net Jit Compiler

Nuclear

By Nuclear
in Programming and Coding

Recommended Posts

Nuclear

Nuclear

Posted
Posted

Hi all,

I'm looking to write a .NET protection mechanism that will decrypt/decode each function at runtime. This topic interests me and i need a new side project.

I recently found this article (hence the hooking JIT title), but being a bit new at this, I'm still not sure how to go about it.

http://www.codebreakers-journal.com/content/view/123/97/

Can anyone provide links, tutorials, tips, etc to help me along my way?

Thanks in advance.

Nuclear

Link to comment
Nuclear

Nuclear

Posted
  • Author
Posted

Hey rendari,

Thanks for replying. I'm kinda stuck at the beginning, I have a pretty good idea how i can encyrpt the MSIL and save it back to the assembly and update the assembly to call into my unmanaged code. However, I am unsure how i can hook JIT. From what i can gather from the link, I can

1) Call getJit() and hook the class or compileMethod

2) Hook the MethodDesc::GetILHeader() method

I would say 1 is probably easier so better for me, however, how do you go about hooking, is it the entire Jit class or just the compile method. Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?

Link to comment
rendari

rendari

Posted
Posted

Well I use method 1, with method 2 you will probably have compatibility problems in future versions of .NET. I also just hook the compileMethod() class, as it is the only one that accesses the jit. However, you might also want to be aware that just encrypting the entire IL and then decrypting it at compileMethod() won't work, because I believe that the IL headers are accessed from mscorwks.dll in a class called DecoderInit() (a part of the PreStubWorker) so far I have not found a way to hook DecoderInit(), so you should remember to leave the IL headers intact and unencrypted if you don't want any problems regarding that. Also remember that the jit compiler verifies whether the IL is in the address space of the exe module it is called from. If it is outside of the exe module's address space in memory, then a function called (I forget what its called, it was something like ILCheckRVA) will fail, and so the jit will fail to compile. So, whereever you decrypt the IL code must be in the address space of the exe's module.

Can you create a Jit class without the interface specification, will the vtable signatures match? Can you update a vtable to alter a single method?

There.... I have no idea :(

Link to comment
Nuclear

Nuclear

Posted
  • Author
Posted

Rendari,

Thanks for your comments, I can see this getting very tricky. I think i'll just crack on and see what happens. Thanks again.

Link to comment
Ufo-Pu55y

Ufo-Pu55y

Posted
Posted
I think i'll just crack on and see what happens.
Haha, I like the conclusion ! :laugh:

I'm still after running native code without any guarding DLLs... :/

Link to comment
rendari

rendari

Posted
Posted
I think i'll just crack on and see what happens.
Haha, I like the conclusion ! :laugh:

I'm still after running native code without any guarding DLLs... :/

Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer :)

Link to comment
Ufo-Pu55y

Ufo-Pu55y

Posted
Posted (edited)
Oh, that's easy. I use inline ASM and Marshal.GetDelegateForFunctionPointer :)
Huh ?? Damn, that's exactly what I was looking for since 2 days ! :ninja:

Thx a LOT (again) !!!!!

Now this will be fun... Marshal owns.

Edited by Ufo-Pu55y
Link to comment
Nuclear

Nuclear

Posted
  • Author
Posted

Back again :-),

Couple of points, in the link i specified above, how has the writer derived the class signature, ie class name, method names and function arguments, is there a tool for this or have they just analysed the dissassembly. Also, I found this Win32 API hook library, looks pretty neat, thought this may help someone. http://research.microsoft.com/sn/detours/

Thanks

-Nuclear

Link to comment
rendari

rendari

Posted
Posted
Couple of points, in the link i specified above, how has the writer derived the class signature, ie class name, method names and function arguments, is there a tool for this or have they just analysed the dissassembly.

Errr.... come again?

Link to comment
Nuclear

Nuclear

Posted
  • Author
Posted

Rendari,

In the code breakers journal article i linked to in my original post, the author specifies:

.text:7906E7F4 private: virtual enum CorJitResult __stdcall

CILJit::compileMethod(class ICorJitInfo *,

struct CORINFO_METHOD_INFO *,

unsigned int,

unsigned char * *,

unsigned long *) proc near

The second parameter, a pointer to CORINFO_METHOD_INFO, is a structure as follows.

struct CORINFO_METHOD_INFO

{

CORINFO_METHOD_HANDLE ftn;

CORINFO_MODULE_HANDLE scope;

BYTE * ILCode;

unsigned ILCodeSize;

unsigned short maxStack;

unsigned short EHcount;

CorInfoOptions options;

CORINFO_SIG_INFO args;

CORINFO_SIG_INFO locals;

};

I am just wondering how he derived the class name, method and CORINFO_METHOD_INFO structure. Is there an application that will show this, or has he anylized the disassembly by hand/eye?

-Nuclear

Link to comment
Nuclear

Nuclear

Posted
  • Author
Posted

Rendari,

Thanks, I had seen that, but misread it and thought it wasn't the same.

How are you replacing/redirecting the compileMethod, I can't seem to figure it out, not sure how to get the right address dword for the method.

Link to comment
rendari

rendari

Posted
Posted (edited) 
;assuming that EDI = pointer to new compileMethod function7C90EB94 >  E8 E1FE76FC		  CALL mscorjit.getJit
7C90EB99	8B00				 MOV EAX,DWORD PTR DS:[EAX]
7C90EB9B	8938				 MOV DWORD PTR DS:[EAX],EDI

:)

Remember to VirtualProtect it to RWE before trying to write new address...

Edited by rendari
Link to comment
Nuclear

Nuclear

Posted
  • Author
Posted

Rendari,

No ideas on hooking the PreStubWorker, your far ahead on hooking than i am. However, would it be possible to mislead it somehow by adding some valid IL before hand, then using the valid code size to offset to your encrypted code. This is what i was thinking of.

Link to comment
rendari

rendari

Posted
Posted

Hmm, no, I'm trying to hook PreStubWorker so that I can dynamically decrypt metadata tables as per access. Not possible to do with IL code I'm afraid =/

Link to comment
bigmouse

bigmouse

Posted
Posted

it's hard to dynamically decrypt metadata tables as per access whithout broken reflection features.

hook PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .Net.

as someone maybe still using a old version.

Link to comment
rendari

rendari

Posted
Posted
it's hard to dynamically decrypt metadata tables as per access whithout broken reflection features.

hook PreStubWorker will probably have compatibility problems in future versions of .NET or old versions of .Net.

as someone maybe still using a old version.

Too true, I gave up on it yesterday... well, do you have any ideas bigmouse? You seem to know your way around .NET the most :)

Link to comment
bigmouse

bigmouse

Posted
Posted

look into Cli_Secure , this would be a good start.

for more secure protection ,research into dnguard, seems to it does the best way.

i'm looking for samples of hvm, it's more interesting

Link to comment
rendari

rendari

Posted
Posted

Already unpacked Cli_Secure, am looking at DNGuard atm while improving my own protection. I just posted an unpackme of an early version. Check it out :)

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...