Implementing automatic unpacking of encrypted .NET assemblies

Source: Internet
Author: User
The test target for unpacking is codelib 2 v14.9.2468.42911, the latest version as of 10-5.

Run the program offline; it opens the following interface:

Select the second item under "Examples", "codelib.exe", choose a save path, and click "dump" to complete the unpacking.
The unpacked program is saved as codedump.exe.

Note that this file is a raw memory dump and cannot be run directly.
Disassemble it with ildasm and open the resulting IL file.
Find the line `IL_0000: call void infacemaxtocode::startup()`
and comment it out: `// IL_0000: call void infacemaxtocode::startup()`
This removes the call into the MaxtoCode runtime library.
Then run ilasm to reassemble it into an EXE file.
Placed in the codelib installation directory, it runs normally.

Download: http://www.bbsftp.com/temp/codelib_dumped.rar
If you are interested in codelib's registration algorithm, you can download it for research.
Note: first rename the codelib.exe in the installation directory, then extract the archive there and run it.
There is still a lot of anti-reversing code in this program, but it is not important; you can edit the IL directly to remove it.

The unpacker is not yet available for public use; it is shared within the DRT team.
This time I will only briefly introduce the principle; next time, if the opportunity arises, I will describe in detail how to implement a general in-memory assembly dumper.
The dumper first dumps the PE file from memory, following the same principle as an ordinary PE dumper.
It then adds a new read-only section to the PE file, which is used to hold the IL code recovered by the dump.
Using the method described in the previous posts, it reads each method through the MethodBody feature introduced in .NET 2.0,
re-creates the method header and its data, saves the result into the new section, and then modifies the RVA of the corresponding method so that it points to the new header.

All methods are processed in this way to complete the dump.

This approach works for both compressing and encrypting packers.
