skylark Posted May 14, 2017

Hello, how do you make a .NET-coded program modify itself at run-time? I am not talking about making a loader program or something like that. Like, in native, you can make the program xor itself from and up to certain addresses at runtime; is it possible to do the same in .NET? Then how?

Now, about modifying IL code. So far, I know about basic code injection in a method using the Mono.Cecil library, but I can do it only in a non-running app. I intend to add some code in sub_new () or the entry point method to make the program add/remove/modify a few IL code lines in a specific method. Like this,

    sub new()
        // get the certain method
        // add/remove IL code from line 6
    end sub

If anyone shows me a way to do this, I would be grateful.

CodeExplorer Posted May 14, 2017

AssemblyLoadHoocker: http://www110.zippyshare.com/v/zLkfyCaL/file.html

It will change entry point and inject MessageBox.Show, it will work only for Assembly.Load(byte[] bytearray).

skylark (Author) Posted May 14, 2017 (edited)

@CodeCracker Hello sir, thanks for replying. I haven't tried it yet, but does the messagebox stay there permanently? I mean, suppose my method was like this,

    Sub Where_the_hooker_inject's_the_messagebox()
        //do this
        //do that etc..
    End Sub

And after I make the injection, if I open my program in a decompiler, will I see code like this?

    Sub Where_the_hooker_inject's_the_messagebox()
        MessageBox.Show("some line")
        //do this
        //do that etc..
    End Sub

If I see code like this, then it's not what I am looking for. Like in native self-modifying apps, when I load a program in olly, it would show only junk code, but maybe the junk code would turn into good code once a line "mov byte ptr [04015647], 90" gets executed? Like this, when I normally open the program in Reflector, I would like it to show just normal or deceiving code in a method, but maybe when a certain method gets executed in that program, it would rewrite IL lines in that method.

nb: sorry for replying without even trying that hooker program you gave, I just have some issues right now.

Edited May 14, 2017 by skylark

CodeExplorer Posted May 14, 2017

Oh! I thought that you wanted some non-permanent patches (my example was that - sort of a loader). For permanent patches try DnlibEditor: https://forum.tuts4you.com/topic/36215-dnlibeditor/?do=findComment&comment=182358 a plugin for Reflector! Similar functionality to Reflexil!

skylark (Author) Posted May 14, 2017

Plugin for Reflector? How is that supposed to help me "code" the program? Or do I just have to decompile the plugin and learn its mechanism? I can do that, I guess.

And one thing about the "permanent changes": I am not sure what you understood. I can already make permanent changes in IL code through programming using Cecil, I stated that earlier. To do that, I have to load the program in my permanent hooker, inject code, save it, then run the saved program. But I want to make my program inject that code into "itself" while I run it, and since it doesn't get saved to the hard disk, the changes could be found only at runtime, not at scantime, so that if I open it in Reflector, I would never find the changes it had in itself at runtime.

I am pretty screwed up right now to describe what I want, I am not sure if I could describe my problem properly. For now I will try to study the plugin. Later, I will try to attach a program and try describing my intention more clearly.

Hayokuma Posted May 14, 2017 (edited)

https://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time
http://ntcore.com/files/netint_injection.htm

Edited May 14, 2017 by Hayokuma

ITzNojd4r Posted May 14, 2017

bro, if you can make it tell me on skype : nojdar.zawity

skylark (Author) Posted May 15, 2017

22 hours ago, Hayokuma said:

    https://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time
    http://ntcore.com/files/netint_injection.htm

Thanks for the links though, but I already checked the first one. There are a few things about it which I don't like actually. It needs to download a pdb symbol file from Microsoft to get the method's virtual address, so you need an active internet connection to make it work. Also, the use of the functions is a bit complicated.

Hayokuma Posted May 15, 2017 (edited)

This project should help you to understand how it could be done: https://github.com/ubbelol/SJITHook

Examples: https://github.com/ubbelol/SJITHook/blob/master/SJITHook.Test/Program.cs

Edited May 15, 2017 by Hayokuma

CodeExplorer Posted November 2, 2017

Link of AssemblyLoadHoocker is dead. You can get source code of AssemblyLoadHoocker from:

https://gitlab.com/CodeCracker/AssemblyLoadHoocker
https://github.com/CodeCrackerSND/AssemblyLoadHoocker
https://bitbucket.org/CodeCrackerSND/assemblyloadhoocker