.NET support to a packer

[Lostin]

Hi

 

I am wondering how to add .NET support to a native packer? because i tried using RLPack but the packed file failed to run with an error

 

Unable to find a version of the runtime to run this application

 

Is there something missed to be fixed before running the file like the Metadata or something.

[StoneHeart]

I would like to know this too.

Ive been searching the net for quite a long time now but no avail.

Currenlty i made a pe loader to load exe in memory.

Do the pe stuff like load import, fix relocation, patch peb etc.

It work on unmanage exe but manage exe like .NET exe produce runtime initalization error like mention above.

If pro's out there knows how to handle this problem, please enlighten us.

 

Thanks

[julio]

It's quite easy actually, this post from 2008 will get you started

 

http://www.codeproject.com/Articles/21888/A-Simple-Way-to-Pack-your-NET-Code-into-a-Single-E

[LordCoder]

@StoneHeart I'm making a .NET packer so that's why it does.

First: make the single executable grab it converted to Base64 (or any other encryption) to insert to the executable. (The executable is another project)

Second: run it the single exe convert it again to Byte() and open it as Assembly (for .NET only).

Third: invoke the main method of the application.

 

For all executables which aren't .NET you can do the 1º and 2º option but the 3º you replace it to extract the file to any folder and run it but this will show on the Task manager and can be detected easily. But for the .NET apps are on the same executable as the first project we made so all codes are the same.

 

An example of a packer is ExePack.NET.

 

I hope I can help you.

Edited July 3, 2013 by LordCoder

[StoneHeart]

@julio

 

Thanks for the link. Ive learn something which widen my knowladge.

 

@LordCoder

 

Thanks for  the info but nevermind, thanks to julio, my .Net loader works now.

[Lostin]

Hi again

 

Sorry for the bump didn't want to start a new thread again

 

I have read some article it says that i need to hook the Api's CreateFile/CreateFileMapping/MapViewOfFile

 

This is due to .NET being read file to access the meta data and such.

 

I tried it manually with ollydbg and redirected the mem allocated by MapViewOfFile to the original .NET exe and it worked on Framework 4 and some exes compiled with 2.0 framework i found on net.

 

however some exe's like i compiled with C# for Framework 2.0/3.0/3.5 they don't work instead they show an error (Send/don't send)

 

error comes from KERNELBASE.dll

 

is there any documentation how to safely pack .NET with a stable way?

Edited June 5, 2014 by Lostin

[kao]

Google for CorBindToRuntimeEx - that's a good place to start.

[Lostin]

Google for CorBindToRuntimeEx - that's a good place to start.

 

There is no need for this function while .NET is looking for the Framework version from itself.

Every native packer i have used doesn't use this function. Themida/Enigma/Safengine all use hooks to the 3 api's i mentioned earlier.

[Lostin]

After i debugged some themida packed apps i found out it redirect the calls to the CreateFile which it prevent it from reading itself and calls CreateFile with "NUL" as File name parameter instead. Is there any reason for that? i don't understand what is "NUL" and why it's needed.

0012F55C   004907C4  /CALL to CreateFileA from WindowsF.004907BE

0012F560   0048E10C  |FileName = "NUL"

0012F564   80000000  |Access = GENERIC_READ

0012F568   00000001  |ShareMode = FILE_SHARE_READ

0012F56C   00000000  |pSecurity = NULL

0012F570   00000003  |Mode = OPEN_EXISTING

0012F574   00000000  |Attributes = 0

0012F578   00000000  \hTemplateFile = NULL

Edited June 6, 2014 by Lostin