Core code of a .NET reflection-based unpacker ("shelling machine")

Source: Internet
Author: User

This article walks through the core source code of the .NET reflection unpacker and explains its principles and usage in detail.

First, an overview of the main code flow:

Entry function:
    void DumpAssembly(Assembly ass, string path)
  enumerates all types and, for each one, calls
    void DumpType(Type tp, BinaryWriter sw)
  which enumerates all methods and, for each one, calls
    void DumpMethod(MethodBase mb, BinaryWriter sw)
    {
        MethodBody mbd = mb.GetMethodBody();
        if (mbd == null) return;          // no method body (e.g. P/Invoke): nothing to dump
        SetOffset(sw, mb.MetadataToken);  // seek to the body's offset in the file
        WriteHeader(sw, mbd);             // method header
        WriteILCode(sw, mbd);             // IL bytecode, padded to 4 bytes when an SEH table follows
        WriteSEH(sw, mbd);                // exception-handling (SEH) table
    }

DumpAssembly was already covered in the previous article, so it is not repeated here. This section describes DumpMethod and the functions it calls, directly or indirectly.

As explained in my previous article on .NET programs in memory, a method body consists of three parts: method header + IL bytecode + SEH table.

Let's look at the DumpMethod code. It first obtains the MethodBody. Note that not all methods have a method body: a P/Invoke method that calls a native API, for example, has none (the same holds for abstract methods). In the metadata such a method has an RVA of 0, meaning there is no body, and in C# this shows up as GetMethodBody() returning null, which is what the null check tests.
After obtaining the method body, SetOffset is called. This function positions the writer at the offset of the current method body within the file; once that offset is set, the three parts of the method body can be written to the file one after another.

The SetOffset function uses the metadata to look up the RVA of the method body and then computes the file offset with
    int offsetRaw = (int)(offsetRVA - 0x1000);
Note that 0x1000 is hard-coded. You may need to adjust this value, or compute it automatically from the PE section table.
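As an added example (not the article's code), here is a SetOffset replacement that derives the file offset from the PE section table instead of subtracting a hard-coded 0x1000. It reads the dumped file with System.Reflection.Metadata rather than the article's metadata wrapper class; the names RvaMapper, RvaToFileOffset and MethodBodyOffset are mine, and it assumes the dump is a well-formed PE whose section headers describe the on-disk layout.

```csharp
using System;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.Metadata.Ecma335;
using System.Reflection.PortableExecutable;

// Added example, not the article's code: map an RVA to a file offset by
// walking the section headers of the dumped PE, so the mapping is correct
// whether or not .text starts at RVA 0x1000.
static class RvaMapper
{
    public static int RvaToFileOffset(PEHeaders headers, int rva)
    {
        foreach (SectionHeader s in headers.SectionHeaders)
        {
            // VirtualSize may be smaller than SizeOfRawData (or vice versa);
            // use the larger so RVAs inside file padding still resolve.
            int span = Math.Max(s.VirtualSize, s.SizeOfRawData);
            if (rva >= s.VirtualAddress && rva < s.VirtualAddress + span)
                return rva - s.VirtualAddress + s.PointerToRawData;
        }
        throw new ArgumentOutOfRangeException(nameof(rva), $"RVA 0x{rva:X} lies outside every section");
    }

    // File offset of a method body, found from its MethodDef token (the value
    // of MethodBase.MetadataToken). Returns -1 when the metadata RVA is 0,
    // i.e. the method has no body, matching the GetMethodBody() == null case.
    public static int MethodBodyOffset(PEReader pe, int methodDefToken)
    {
        if ((methodDefToken >> 24) != 0x06)
            throw new ArgumentException("not a MethodDef (0x06) token", nameof(methodDefToken));

        MetadataReader md = pe.GetMetadataReader();
        MethodDefinitionHandle handle = MetadataTokens.MethodDefinitionHandle(methodDefToken & 0x00FFFFFF);
        int rva = md.GetMethodDefinition(handle).RelativeVirtualAddress;
        return rva == 0 ? -1 : RvaToFileOffset(pe.PEHeaders, rva);
    }

    // Usage: open the file written by the PE dumper and seek the writer there.
    //   using var pe = new PEReader(File.OpenRead(dumpPath));
    //   int off = RvaMapper.MethodBodyOffset(pe, mb.MetadataToken);
    //   if (off >= 0) sw.BaseStream.Seek(off, SeekOrigin.Begin);
}
```

Because the section lookup is driven entirely by the dump's own headers, the same code works for a dump whose first section is not at 0x1000, and the -1 return keeps the "no body" case explicit instead of silently writing at offset -0x1000.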

The WriteHeader function calls IsTiny to determine whether the current method body uses the tiny format, then rebuilds the corresponding method header (tiny or fat) and writes it to the file.

The WriteILCode function is very simple: it writes the IL bytecode directly to the file. At the end of the function it handles the 4-byte alignment requirement, because the SEH table must start on a 4-byte boundary.

Finally, WriteSEH(sw, mbd) is called to rebuild the SEH table and write it to the file, which completes the dump of one method body.

The WriteSEH function first checks whether the current method has any exception-handling clauses at all; if not, it returns immediately.
It then decides whether the SEH table is tiny (small) or fat,
and rebuilds the table in the corresponding format.

The SEH table consists of two parts: the SEH header followed by the SEH rows.
Whether the table is tiny or fat, its header occupies 4 bytes.
Rebuilding the SEH table according to the CLI standard is fairly easy. The one complication is that the catch class of a catch clause is stored as a token valid in the current assembly.
In C# we can obtain the Type object of that exception class directly, but the value returned by Type.MetadataToken is the type's token in the assembly that defines it, i.e. a TypeDef value. If the type is defined in the current assembly, that value can be used as-is; if not, the corresponding TypeRef token has to be looked up instead. This is done by the function int GetTypeToken(Type tp).
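The following is an added example, not the article's code, that carries the header, IL and SEH steps described above through in one routine using the ECMA-335 II.25.4 layouts. MethodBodyEncoder and WriteMethodBody are my names (IsTiny mirrors the article's function of that name); the resolveTypeToken delegate stands in for the article's GetTypeToken and is assumed rather than implemented here, and the writer is assumed to be already positioned at the method body's file offset, which is SetOffset's job.

```csharp
using System;
using System.IO;
using System.Reflection;

// Added example (not the article's code): rebuild a method body from a
// reflection MethodBody in the ECMA-335 II.25.4 layout. Assumes `sw` is
// already positioned at the body's file offset (the job of SetOffset).
static class MethodBodyEncoder
{
    const ushort CorILMethod_TinyFormat = 0x2, CorILMethod_FatFormat = 0x3,
                 CorILMethod_MoreSects = 0x8, CorILMethod_InitLocals = 0x10;
    const byte CorILMethod_Sect_EHTable = 0x01, CorILMethod_Sect_FatFormat = 0x40;

    // Tiny format: code < 64 bytes, max stack <= 8, no locals, no SEH.
    public static bool IsTiny(MethodBody mbd, byte[] il) =>
        il.Length < 64 && mbd.MaxStackSize <= 8 &&
        mbd.LocalSignatureMetadataToken == 0 && mbd.ExceptionHandlingClauses.Count == 0;

    // Header, IL and SEH table in the article's order. resolveTypeToken maps a
    // catch class to a token valid in the dumped assembly (assumed GetTypeToken).
    public static void WriteMethodBody(BinaryWriter sw, MethodBody mbd, Func<Type, int> resolveTypeToken)
    {
        byte[] il = mbd.GetILAsByteArray() ?? Array.Empty<byte>();
        bool hasSeh = mbd.ExceptionHandlingClauses.Count > 0;

        if (IsTiny(mbd, il))
        {
            // One byte: code size in bits 2..7, format tag 0x2 in bits 0..1.
            sw.Write((byte)((il.Length << 2) | CorILMethod_TinyFormat));
        }
        else
        {
            // 12-byte fat header: flags (low 12 bits) | header size in dwords (high 4 bits),
            // then MaxStack, CodeSize and LocalVarSigTok.
            ushort flags = CorILMethod_FatFormat;
            if (hasSeh) flags |= CorILMethod_MoreSects;
            if (mbd.InitLocals) flags |= CorILMethod_InitLocals;
            sw.Write((ushort)(flags | (3 << 12)));
            sw.Write((ushort)mbd.MaxStackSize);
            sw.Write((uint)il.Length);
            sw.Write((uint)mbd.LocalSignatureMetadataToken);
        }

        sw.Write(il);
        if (!hasSeh) return;

        // The SEH section must start on a 4-byte boundary: pad with zeros.
        while (sw.BaseStream.Position % 4 != 0) sw.Write((byte)0);
        WriteSeh(sw, mbd, resolveTypeToken);
    }

    static void WriteSeh(BinaryWriter sw, MethodBody mbd, Func<Type, int> resolveTypeToken)
    {
        var clauses = mbd.ExceptionHandlingClauses;
        // Small rows use 2-byte offsets and 1-byte lengths, and the 1-byte DataSize
        // field limits a small table to (255 - 4) / 12 = 20 rows; otherwise go fat.
        bool fat = clauses.Count > 20;
        foreach (var c in clauses)
            if (c.TryOffset > 0xFFFF || c.TryLength > 0xFF || c.HandlerOffset > 0xFFFF || c.HandlerLength > 0xFF)
                fat = true;

        if (fat)
        {
            uint dataSize = 4u + 24u * (uint)clauses.Count;      // 3-byte little-endian DataSize
            sw.Write((byte)(CorILMethod_Sect_EHTable | CorILMethod_Sect_FatFormat));
            sw.Write((byte)dataSize); sw.Write((byte)(dataSize >> 8)); sw.Write((byte)(dataSize >> 16));
        }
        else
        {
            sw.Write(CorILMethod_Sect_EHTable);
            sw.Write((byte)(4 + 12 * clauses.Count));
            sw.Write((ushort)0);                                  // reserved
        }

        foreach (var c in clauses)
        {
            // Last column: catch class token, or the filter offset for filter clauses.
            int classTokenOrFilter = c.Flags switch
            {
                ExceptionHandlingClauseOptions.Clause => c.CatchType == null ? 0 : resolveTypeToken(c.CatchType),
                ExceptionHandlingClauseOptions.Filter => c.FilterOffset,
                _ => 0,
            };
            if (fat)
            {
                sw.Write((uint)c.Flags); sw.Write((uint)c.TryOffset); sw.Write((uint)c.TryLength);
                sw.Write((uint)c.HandlerOffset); sw.Write((uint)c.HandlerLength);
            }
            else
            {
                sw.Write((ushort)c.Flags); sw.Write((ushort)c.TryOffset); sw.Write((byte)c.TryLength);
                sw.Write((ushort)c.HandlerOffset); sw.Write((byte)c.HandlerLength);
            }
            sw.Write((uint)classTokenOrFilter);
        }
    }
}
```

The reflection enum ExceptionHandlingClauseOptions uses the same numeric values as the CLI clause flags (Clause 0, Filter 1, Finally 2, Fault 4), so the flags can be written through a cast. CatchType and FilterOffset throw when read for the wrong clause kind, which is why the switch only touches each property under its own kind.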

Note that GetTypeToken uses if (tp.Assembly == Assembly.GetEntryAssembly())
to decide whether the type lives in the same assembly, because it assumes that the assembly being dumped is the entry assembly. You may need to change this to suit your situation.

The TypeRef lookup works as follows: first obtain the full name of the exception class from its Type object, then enumerate all referenced types through the metadata and compare them by name; the entry whose name matches yields the TypeRef token.
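As an added example (not the article's code), here is the GetTypeToken lookup done over the dumped file with System.Reflection.Metadata instead of the article's IMetaDataImport wrapper class. TypeTokenResolver is my name; the dumped assembly is passed in explicitly rather than taken from Assembly.GetEntryAssembly(), and the name comparison assumes top-level, non-generic catch types (nested types would need their resolution scope checked, and constructed generic catch types need a TypeSpec token, which this does not handle).

```csharp
using System;
using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.Metadata.Ecma335;
using System.Reflection.PortableExecutable;

// Added example, not the article's code: resolve a catch class to a token that
// is valid in the dumped assembly (TypeDef if defined there, TypeRef otherwise).
static class TypeTokenResolver
{
    public static int GetTypeToken(Type tp, Assembly dumped, MetadataReader md)
    {
        // Defined in the dumped assembly: MetadataToken already is its TypeDef token.
        if (tp.Assembly == dumped)
            return tp.MetadataToken;

        // Otherwise walk the TypeRef table and match namespace + name, as the
        // article's enumeration over referenced types does.
        foreach (TypeReferenceHandle h in md.TypeReferences)
        {
            TypeReference tr = md.GetTypeReference(h);
            if (md.GetString(tr.Name) == tp.Name &&
                md.GetString(tr.Namespace) == (tp.Namespace ?? ""))
                return MetadataTokens.GetToken(h);     // 0x01xxxxxx TypeRef token
        }
        throw new InvalidOperationException($"no TypeRef for {tp.FullName} in the dumped metadata");
    }

    // Usage, with the PE dumper's output file already on disk:
    //   using var pe = new PEReader(File.OpenRead(dumpPath));
    //   MetadataReader md = pe.GetMetadataReader();
    //   Func<Type, int> resolve = t => TypeTokenResolver.GetTypeToken(t, dumpedAssembly, md);
}
```

Passing the dumped Assembly as a parameter removes the entry-assembly assumption noted above, so the same resolver works when the target is a DLL loaded into the process rather than the executable itself.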

How is this class used to build the reflection unpacker?
First, change the DumpAssembly function to public.
Then instantiate the class and call DumpAssembly.
The first parameter is the Assembly object you want to dump; the second is the path where the dumped assembly is stored. Note that this class does not implement a PE dumper: you must first dump the assembly to disk with a PE dumper and then pass that file's path as the second parameter.

Anyone who has tried a plain PE dump will know that the method bodies in it are empty; what this class does is fill in exactly that content, the method bodies, taken directly from the complete image in memory.

In addition, two functions in this class will need adapting to your own situation:
1. the SetOffset function;
2. the GetTypeToken function.

Finally, the WrapperClass used by this class is simply a wrapper around the unmanaged .NET Metadata API; see MSDN for the Metadata API itself.



