.NET Encryption Principles: Implementing a Pure EE-Layer Encryption Shell Kernel (2)

Source: Internet
Author: User

The previous article in this series, ".NET encryption principles: implementing the method body encryption mapping", described the basic problems an encryption shell has to solve.
This article introduces how to implement an encryption shell kernel at the pure EE layer (mscorwks.dll), following the first implementation mode.

First, make sure the "method body encryption information" is stored directly in the metadata.
Here we use the simplest record format: a four-byte pointer value.
In addition, we add an identifier, represented by a magic DWORD.
The record is therefore 8 bytes in total, which means method bodies smaller than 8 bytes cannot be encrypted.

The next step is the core of the encryption shell runtime library. The following uses the early runtime library implementation of DNGuard V1.0 as an example.

In mscorwks.dll there is a function getILHeader. Every place in the framework that needs to retrieve a method body does so by calling this function.
Its prototype is COR_ILMETHOD * __fastcall getILHeader(DWORD_PTR runtimeMethodHandle);
you can think of it as DWORD * __fastcall getILHeader(DWORD_PTR methodPtr);

Implement this function in our encryption shell runtime library, then replace the function in mscorwks.dll with the one implemented by the runtime library.
This is a standard API hooking process and is not detailed here.

In this way, whenever the .NET Framework needs to retrieve a method body, it enters our runtime library's function.

In the runtime library function, for example DWORD * __fastcall dnguard_getILHeader(DWORD_PTR methodPtr), proceed as follows.
First, call the original getILHeader to obtain its return value.
Then check whether the first four bytes of the returned data equal the magic DWORD.
(Because we record the mapping in the metadata, we can skip looking up the table ourselves: the framework has already done that for us.)
If they do not match, return the pointer directly.
If they match, decrypt the method body based on the data in the following four bytes, and return the decrypted result.

DWORD * __fastcall dnguard_getILHeader(DWORD_PTR methodPtr)
{
    DWORD *pIL = orgGetILHeader(methodPtr);   // call the original getILHeader
    if (*pIL == g_dwMagic)                    // first 4 bytes are the magic DWORD?
    {
        pIL = decryptMethod(pIL[1]);          // next 4 bytes locate the encrypted body
    }
    return pIL;
}
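As an added, self-contained illustration (not DNGuard's code and not part of the original article), the following simulates the 8-byte record, the size rule from above and the magic-check dispatch in-process, without any hooking. The original getILHeader, the hidden-body store, the magic value and the XOR "cipher" are all constructed stand-ins; only tiny-format IL headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t DWORD;

/* Record layout from the article: magic DWORD + 4-byte locator, 8 bytes in all (magic is constructed). */
#define MAGIC_DWORD 0x4E474E44u
#define RECORD_SIZE 8

/* Packer-side rule: the record overwrites the body in place, so shorter bodies cannot be encrypted. */
int can_encrypt(size_t il_body_size) { return il_body_size >= RECORD_SIZE; }

typedef union { DWORD w[2]; uint8_t b[8]; } Body8;

/* Constructed stand-in cipher: XOR with one byte. The hidden store holds the
   tiny-format body of "ldc.i4.4; ldc.i4.3; add; ret" (12 1A 19 58 2A), masked. */
static const uint8_t XOR_KEY = 0x5A;
static const uint8_t g_hidden[5] = { 0x48, 0x40, 0x43, 0x02, 0x70 };
static Body8 g_decrypted;                  /* a real runtime would cache per method */

/* What metadata now holds: the record for method 1 (second DWORD = offset into the
   hidden store) and an untouched "ldc.i4.1; ret" body for method 2. */
static Body8 g_record = { .w = { MAGIC_DWORD, 0 } };
static Body8 g_plain  = { .b = { (2 << 2) | 2, 0x17, 0x2A } };

/* Stand-in for the original mscorwks getILHeader: method handle -> body pointer. */
static DWORD *orig_getilheader(uintptr_t methodptr) {
    return methodptr == 1 ? g_record.w : g_plain.w;
}

/* Decrypt a tiny-format body (header byte = size << 2 | 2) out of the store; fat headers not handled. */
static DWORD *decryptmethod(DWORD offset) {
    if (offset >= sizeof g_hidden) return NULL;
    const uint8_t *src = g_hidden + offset;
    uint8_t hdr = src[0] ^ XOR_KEY;
    size_t n = (size_t)(hdr >> 2) + 1;         /* header byte plus IL bytes */
    if ((hdr & 3) != 2 || n > sizeof g_decrypted.b || offset + n > sizeof g_hidden) return NULL;
    for (size_t i = 0; i < n; i++) g_decrypted.b[i] = src[i] ^ XOR_KEY;
    return g_decrypted.w;
}

/* The hook itself: the same dispatch as the article's dnguard_getILHeader. */
DWORD *dnguard_getilheader(uintptr_t methodptr) {
    DWORD *pil = orig_getilheader(methodptr);
    DWORD head;
    memcpy(&head, pil, sizeof head);           /* first 4 bytes: magic or IL header */
    if (head == MAGIC_DWORD)
        pil = decryptmethod(pil[1]);           /* next 4 bytes locate the real body */
    return pil;
}
```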

With this, the core runtime of an EE-layer encryption shell is complete.

This method has good compatibility and does not break any of .NET's original functionality; naturally, that includes reflection.
Under .NET 2.0, this encryption shell runtime library has a reflection vulnerability.

Next, we will introduce an improvement of this core that addresses the reflection vulnerability.
