This article builds on the introduction to the source code of the .NET reflection-based unpacker (the "shelling machine") and explains how to implement an unpacker at the JIT layer.
We chose C++/CLI for this job: reflection requires .NET, while the JIT-layer hook must be written with native C++ functions.
In this article we assume that you have already hooked the JIT and intercepted the relevant struct.
First, the main flow of the code:
Entry function:
void DumpAssembly(Assembly ass, string path)
It enumerates all types and, for each one, calls
void DumpType(Type tp, BinaryWriter sw)
which enumerates all methods and, for each one, calls
void DumpMethod(MethodBase mb, BinaryWriter sw)
The difference from the reflection-based unpacker lies in the DumpMethod function; the rest is basically the same.
Let's first look at the reflection-based unpacker's implementation:
void DumpMethod(MethodBase mb, BinaryWriter sw)
{
    // Abstract and extern methods, and methods whose body is not available, have nothing to dump.
    MethodBody mbd = mb.GetMethodBody();
    if (mbd == null)
        return;
    SetOffset(sw, mb.MetadataToken);   // position the writer at the slot for this method's token
    WriteHeader(sw, mbd);              // method header (tiny or fat, including the local signature token)
    WriteILCode(sw, mbd);              // the raw IL bytes
    WriteSEH(sw, mbd);                 // the exception handling clauses
}
As can be seen from the above, dumping a method requires knowing four things: the token, the method header, the IL code, and the SEH (exception handling clauses).
How are these obtained when unpacking at the JIT layer?
The DumpMethod function only has to invoke the method so that it enters the JIT processing path.
Note the following:
The method may be private and not accessible from outside. What then?
Here I use another feature new in .NET 2.0: DynamicMethod.
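As an added example (not code from the original post), the following C# collects those four things for every method of an assembly through the documented reflection APIs and, per the ECMA-335 header rules, reports whether each body qualifies for the tiny header or needs the fat one. It assumes the assembly path is passed as the first command-line argument.

```csharp
using System;
using System.Reflection;
// Added example, not from the original post: collect what a method dump needs (token, header fields, IL, SEH).
static class MethodBodyInspector
{
    public sealed class BodyInfo
    {
        public int Token;          // MethodDef token of the method
        public int LocalSigToken;  // StandAloneSig token of the local variable signature (a header field)
        public byte[] IL;          // raw IL bytes
        public int SehClauses;     // number of exception handling clauses
        public bool TinyHeader;    // body qualifies for the 1-byte tiny header
    }
    // ECMA-335 II.25.4.2: tiny header only if IL < 64 bytes, no locals, max stack <= 8, no SEH; otherwise fat.
    public static bool CanUseTinyHeader(MethodBody body, int ilLength)
    {
        return ilLength < 64 && body.LocalVariables.Count == 0
            && body.MaxStackSize <= 8 && body.ExceptionHandlingClauses.Count == 0;
    }
    public static BodyInfo Inspect(MethodBase mb)
    {
        MethodBody body = mb.GetMethodBody();   // null for abstract/extern methods
        if (body == null) return null;
        byte[] il = body.GetILAsByteArray();
        return new BodyInfo
        {
            Token = mb.MetadataToken,
            LocalSigToken = body.LocalSignatureMetadataToken,
            IL = il,
            SehClauses = body.ExceptionHandlingClauses.Count,
            TinyHeader = CanUseTinyHeader(body, il.Length)
        };
    }
    static void Main(string[] args)
    {
        Assembly asm = Assembly.LoadFrom(args[0]);   // assumption: args[0] is the path of the assembly to inspect
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic
            | BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;
        foreach (Type t in asm.GetTypes())
            foreach (MethodInfo mb in t.GetMethods(all))
            {
                BodyInfo info = Inspect(mb);
                if (info == null) { Console.WriteLine("{0}::{1} no body", t.FullName, mb.Name); continue; }
                Console.WriteLine("{0}::{1} token=0x{2:X8} localsig=0x{3:X8} il={4}B seh={5} {6}",
                    t.FullName, mb.Name, info.Token, info.LocalSigToken, info.IL.Length,
                    info.SehClauses, info.TinyHeader ? "tiny" : "fat");
            }
    }
}
```

Running it against a build before and after protection shows which of these four items remain visible through reflection, which is exactly what a JIT-layer protector aims to deny.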
See the introduction in MSDN:
"You can use the DynamicMethod class to generate and execute a method at run time, without having to generate a dynamic assembly and a dynamic type to contain the method. Dynamic methods are the most efficient way to generate and execute small amounts of code.
A dynamic method is logically associated with a module or with a type. If it is associated with a module, the dynamic method is effectively global to that module. With sufficient permissions, a dynamic method can skip just-in-time (JIT) visibility checks and access the private data of types declared in that module. You can associate a dynamic method with any module, whether or not you created the module.
If a dynamic method is associated with a type, it can access the private members of that type. There is no need to skip JIT visibility checks unless the dynamic method needs to access private data of other types declared in the same module. You can associate a dynamic method with any type."
The dynamic method can skip the JIT visibility check. That is what we care about most, and it solves the private-method problem.
Compared with reflection-based unpacking, the real DumpMethod of the JIT-layer unpacker lives in the hook handler function.
That is, once a JIT request is hooked, the real DumpMethod implementation is called back to dump that method body.
Q: How do I know which method is being processed by the JIT?
MethodBase.GetMethodFromHandle(RuntimeMethodHandle): obtains method information from the method's internal metadata representation (its handle).
This function solves the problem.
The input parameter is built from the MethodDesc* pointer we intercepted in the JIT hook. There is no explicit information about this struct in SSCLI, but it can be converted into a .NET method object.
In this way, two of the four things needed to dump a method body are already known here: the token and the IL code (obtained directly from the JIT hook).
For a tiny method, that is enough to reconstruct the method body; I described the reconstruction in detail in my post on the reflection-based unpacker.
What about a fat method?
There are two difficulties:
1. The LocalSig token in the method header. 2. Reconstructing the SEH.
Reconstructing these from the struct intercepted by the JIT hook may take a long time and depends on how the shell (protector) is implemented.
For some encryption shells they can be obtained by guessing. (Because a domestic shell is also affected, this method will not be made public until its new version has been improved.)
An encryption shell at the JIT layer can increase the difficulty of unpacking at exactly these two points.
DNGuard Standard Edition processes both of these parts.
The Standard Edition is expected to be completed within one week; the demo of RC1 is basically complete and will be released in the next two days.
DNGuard Professional Edition, in addition to processing these two parts, also processes the IL code. After the Standard Edition is released,
it will take some more time to comprehensively test the IL simulation part of the Pro edition.