.NET tools: an introduction to common .NET encryption and protection tools

This article introduces the principles of some .NET encryption and protection tools and briefly discusses how they are unpacked: Remotesoft Protector, MaxtoCode, .NET Reactor, CliProtector, Themida .NET, Xenocode Native Compiler and DNGuard. Throughout, "shell" means the packer/protector layer and "unpacking" means removing it.

Remotesoft Protector

It should be an old .NET encryption and protection tool. Its official website does not seem to have been updated for a long time. The software does not offer a trial download, and there is little information about it. Last year I came across a .NET program protected by it. A protected program must ship with a native DLL.

This shell can be regarded as a JIT-layer shell. It works in JIT-wrap mode, intercepting JIT requests by hooking the getJit function. When a JIT request arrives, the runtime decrypts and restores the whole assembly in place.

Features: whole-assembly decryption
Unpacking: intercept the program's JIT request and break there. At that point the assembly has been completely decrypted and can be PE-dumped directly.

MaxtoCode

You should be familiar with this one. It is from roughly the same era as Remotesoft Protector. Its 1.x, 2.x, 3.1x and 3.2 kernels differ considerably from one another.
Features: single-method-body decryption

I have never used MaxtoCode 1.x, but Bodhi of the DST group once wrote an unpacker for MaxtoCode 1.x.

MaxtoCode 2.x has an EE-layer kernel: each method body is decrypted in place, and the decrypted code is erased after compilation.

Unpacking: because decryption is in place, the method code cannot escape the profiler; each method body can be recorded through the profiler and written back into the file.
Method 2: NOP out the call to the kernel's code-erasing routine. The kernel file does not need to be modified; only the second hook in mscorwks.dll has to be restored. Once the methods have been decrypted in memory, invoke every method and then PE dump directly.

I have had the most contact with MaxtoCode 3.1x; the first MaxtoCode version I encountered was 3.10. Its kernel changed considerably compared with 2.x: the method body is no longer decrypted in place, so the profiler can no longer see its IL code. This is a big improvement. The 3.1x kernels are basically the same, though later versions add some minor tricks against reflection.

Unpacking: reflect directly, then repair after reflection.
Method 2: call the kernel's decryption function directly, which is simple and fast.

MaxtoCode 2007 Enterprise Edition has a JIT-layer kernel with multiple hooks installed at the EE and JIT layers. Its kernel was described in detail in an earlier article.

Unpacking: because of a vulnerability in its JIT-layer kernel, the method bodies can be restored in a simple way. After hooking the JIT, each method body can be restored with a simple procedure, completing the unpacking one method at a time; each restored method is then written back into the file.

.NET Reactor

A rather special .NET encryption shell. It has two modes: application and library.
The first mode encrypts the .NET program as a whole and then creates a native loader. Whole-program encryption is easy to unpack: just dump memory.

In the second mode, the encrypted assembly must also contain a native DLL. Like MaxtoCode, many static constructors are added, plus a startup function.
However, once the startup function has been called, the in-place decryption of the whole assembly is complete, so you can dump memory directly after it runs.

Unpacking: direct PE dump.

CliProtector

A JIT-layer encryption shell, which I probably came across at the end of last year. At that time I was developing DNGuard 2.0. After analyzing it, I found that its kernel mode was very similar to the JIT-layer kernel of DNGuard 2.0 at the time. Shortly after the analysis I found a vulnerability in its JIT-layer kernel handling that allows the method bodies to be restored in a simple way; it is the same one recently found in MaxtoCode 2007 Enterprise Edition. I had already guarded against this vulnerability in my DNGuard 2.0.

I personally feel its compatibility is better than that of MaxtoCode 2007 Enterprise Edition. It is a pity that, besides the JIT-layer vulnerability, its IL code is not encrypted, just as in my DNGuard 1.0 demo, except that there I moved the IL to another location without encrypting it. For JIT-layer unpacking it does not matter whether encryption is enabled, but it may allow an attacker to unpack from another angle.

Features: single-method-body decryption
Unpacking: JIT hook and simple restore, the same unpacking method as for MaxtoCode 2007 Enterprise Edition.
Method 2: analyze the structure of the encrypted file and restore it directly (because its IL code is not encrypted, no decryption algorithm needs to be considered).

Themida .NET

Themida is a strong Win32 shell that also supports .NET encryption. Its method is whole-assembly encryption, but thanks to its Win32 anti-analysis protection it is somewhat stronger than the other whole-encryption tools, though only a little.

Unpacking: defeat the anti-analysis protection, then PE dump.

Xenocode Native Compiler

Xenocode specializes in obfuscation, but it also offers a so-called native-code generation feature. The "native code" actually just packages the assembly and creates a native loader; the framework itself is bundled into the package as well. That is, the packaged program can run directly on a machine without the framework installed. The cost is a very large output file, because it includes dozens of MB of framework.

Unpacking: direct PE dump.
Method 2: analyze the format of the packaged file and unpack it directly (tools for this already exist).

DNGuard

DNGuard 1.0 uses the same kernel mode as MaxtoCode 3.1x, and the unpacking method is the same.

DNGuard 2.0 has a JIT-layer kernel of the same kind as MaxtoCode 2007 Enterprise Edition and CliProtector, but without their vulnerability, so the method bodies cannot be restored in a simple way.

If an attacker is very familiar with how the JIT kernel works, he can still reconstruct the method bodies from the JIT-layer structures.

Unpacking: JIT hook with structure reconstruction.

Summary:
Apart from MaxtoCode 3.x, DNGuard and CliProtector, programs encrypted by all the other tools have the profiler vulnerability: the code can be obtained through the profiler API.

CliProtector and MaxtoCode 2007 Enterprise Edition have the best overall compatibility and strength.
DNGuard 2.0 is stronger but has poor compatibility: it only supports framework v2.0.50727.42.

The new version of DNGuard is now compatible with all framework versions.

For assemblies encrypted by all of the tools above, the IL bytecode can be intercepted directly at the JIT layer. The IL bytecode is not the whole method body, only part of it. Obtaining the IL bytecode alone is not enough to finish unpacking, but it can be disassembled to MSIL for algorithm analysis.
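To make concrete why the IL bytes alone are "only part of the method body", here is an added example (not code from the article or from any of the protectors it discusses) that parses a method body in the layout defined by ECMA-335 II.25.4: the tiny or fat header, the IL, and the exception-handling sections that follow it. The two sample bodies are constructed by hand for this example, and the metadata tokens in them (0x11000001, 0x01000001) are placeholder values, not tokens from any real assembly. A defender auditing a protected assembly, or a protector author deciding what must stay encrypted, needs every field this parser returns, not just the IL.

```python
"""Parse an ECMA-335 method body: tiny/fat header, IL, exception-handling clauses.

Added example; not code from the article or from any protector it discusses.
Sample bodies are constructed; metadata tokens are placeholders.
"""
import struct
from dataclasses import dataclass, field
from typing import List

# Method header flags (ECMA-335 II.25.4.1 / II.25.4.3)
COR_ILMETHOD_TINY = 0x2
COR_ILMETHOD_FAT = 0x3
COR_ILMETHOD_MORE_SECTS = 0x8
COR_ILMETHOD_INIT_LOCALS = 0x10

# Extra-section kind bits (ECMA-335 II.25.4.5)
SECT_EHTABLE = 0x01
SECT_FAT_FORMAT = 0x40
SECT_MORE_SECTS = 0x80


@dataclass
class EHClause:
    flags: int            # 0 = catch, 1 = filter, 2 = finally, 4 = fault
    try_offset: int
    try_length: int
    handler_offset: int
    handler_length: int
    class_token_or_filter: int


@dataclass
class MethodBody:
    fat: bool
    flags: int
    max_stack: int
    local_var_sig_tok: int   # 0 when the method has no locals
    il: bytes
    eh_clauses: List[EHClause] = field(default_factory=list)

    def has_locals(self) -> bool:
        return self.local_var_sig_tok != 0


def parse_method_body(data: bytes) -> MethodBody:
    """Parse a method body whose header starts at data[0]."""
    kind = data[0] & 0x3
    if kind == COR_ILMETHOD_TINY:
        # Tiny header: one byte, code size in the upper 6 bits,
        # max stack fixed at 8, no locals, no exception handlers.
        code_size = data[0] >> 2
        return MethodBody(False, kind, 8, 0, bytes(data[1:1 + code_size]))
    if kind != COR_ILMETHOD_FAT:
        raise ValueError("unknown method header kind 0x%x" % kind)

    # Fat header: 12-bit flags + 4-bit size (in dwords), MaxStack, CodeSize, LocalVarSigTok
    flags_and_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", data, 0)
    flags = flags_and_size & 0x0FFF
    header_size = (flags_and_size >> 12) * 4
    if header_size != 12:
        raise ValueError("fat header must be 12 bytes, got %d" % header_size)
    il = bytes(data[header_size:header_size + code_size])
    body = MethodBody(True, flags, max_stack, local_sig, il)

    if flags & COR_ILMETHOD_MORE_SECTS:
        pos = (header_size + code_size + 3) & ~3   # sections are 4-byte aligned
        while True:
            sect_kind = data[pos]
            if sect_kind & SECT_FAT_FORMAT:
                data_size = int.from_bytes(data[pos + 1:pos + 4], "little")
                clause_fmt, clause_size = "<IIIIII", 24
            else:
                data_size = data[pos + 1]
                clause_fmt, clause_size = "<HHBHBI", 12
            if sect_kind & SECT_EHTABLE:
                n_clauses = (data_size - 4) // clause_size   # 4 = section header
                for i in range(n_clauses):
                    off = pos + 4 + i * clause_size
                    body.eh_clauses.append(EHClause(*struct.unpack_from(clause_fmt, data, off)))
            if not sect_kind & SECT_MORE_SECTS:
                break
            pos = (pos + data_size + 3) & ~3
    return body


# Constructed sample 1: tiny body for `static int Add(int a, int b) => a + b`
#   IL: ldarg.0 (02) ldarg.1 (03) add (58) ret (2A); header byte = (4 << 2) | 0x2
TINY_BODY = bytes([0x12, 0x02, 0x03, 0x58, 0x2A])

# Constructed sample 2: fat body with locals and one catch clause
FAT_BODY = bytes([
    0x1B, 0x30,              # flags 0x01B (fat|moresects|initlocals), header size 3 dwords
    0x01, 0x00,              # max stack 1
    0x07, 0x00, 0x00, 0x00,  # code size 7
    0x01, 0x00, 0x00, 0x11,  # local var sig token 0x11000001 (placeholder)
    0x00,                    # IL_0000 nop            (try start)
    0xDE, 0x03,              # IL_0001 leave.s IL_0006
    0x26,                    # IL_0003 pop            (handler start)
    0xDE, 0x00,              # IL_0004 leave.s IL_0006
    0x2A,                    # IL_0006 ret
    0x00,                    # padding to the next 4-byte boundary
    0x01, 0x10, 0x00, 0x00,  # section: kind EHTable (small format), data size 16
    0x00, 0x00,              # clause flags: catch
    0x00, 0x00, 0x03,        # try offset 0, try length 3
    0x03, 0x00, 0x03,        # handler offset 3, handler length 3
    0x01, 0x00, 0x00, 0x01,  # class token 0x01000001 (placeholder TypeRef)
])


def summarize(body: MethodBody) -> dict:
    """Everything besides the IL that is needed to rebuild a method entry."""
    return {
        "fat": body.fat,
        "max_stack": body.max_stack,
        "init_locals": bool(body.flags & COR_ILMETHOD_INIT_LOCALS),
        "local_var_sig_tok": body.local_var_sig_tok,
        "il_size": len(body.il),
        "eh_clauses": len(body.eh_clauses),
    }


if __name__ == "__main__":
    for name, raw in (("tiny", TINY_BODY), ("fat", FAT_BODY)):
        print(name, summarize(parse_method_body(raw)))
```

Running it shows that the fat body carries a max-stack value, an InitLocals flag, a locals signature token and a catch clause alongside its seven IL bytes; a JIT-layer hook that only captures the IL stream loses all of those, which is exactly why IL alone does not complete an unpack but is still enough to read the algorithm.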

The goal of DNGuard HVM is to prevent the JIT layer from intercepting analyzable IL bytecode.
