As mentioned earlier, compilation in mscorwks is done per method. mscorjit exports a function, compileMethod, which mscorwks calls to compile a .NET method. For a packer that works at the EE layer or at a virtual-machine pre-processing layer, it is enough to hook this function and dump the code it receives. Note that this function uses the thiscall calling convention.
What happens after a .NET method body enters compileMethod? For details, see the SSCLI 2.0 source code.
compileMethod is really just an interface function. It does no work of its own and simply calls another function, jitNativeCode.
jitNativeCode is a thread-safe function that does only preparatory work: it installs exception handling, instantiates a Compiler object, initialises that Compiler, and then calls its member function Compiler::compCompile. The actual compilation starts inside compCompile.
If JIT hooking is used for unpacking, there are three options:
Hook compileMethod (thiscall)
Hook jitNativeCode (fastcall)
Hook compCompile (thiscall)
The three options are equivalent: in each of these functions we can obtain the structures needed for unpacking, namely CORINFO_METHOD_STRUCT, CORINFO_MODULE_STRUCT and CORINFO_METHOD_INFO.
I used option 2, hooking the jitNativeCode function, when I unpacked a program protected by the Personal Edition of the encryptor.
Hook method: patch the call site directly, that is, modify the compileMethod function and change its call jitNativeCode into call myhook. myhook does the unpacking work and then calls jitNativeCode.
There is also a trick here. Normally we use reflection Invoke to push a method body into the JIT pipeline and then intercept and dump the method body inside myhook. But suppose the method being dumped is an exit function: if it actually executes, the process exits, because Invoke runs the method. All we need is for the method body to enter the JIT pipeline so that it can be dumped, not for it to execute. So myhook can simply return the address of a NOP stub instead of calling back into jitNativeCode.
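The inline patch described above replaces the call target inside compileMethod. As an added example, not code from the original post, here is the check a packer runtime or a monitoring tool could use to detect that rewrite: it resolves the rel32 of the call instruction at a known offset and compares it against the expected jitNativeCode address. The addresses, offsets and byte patterns are constructed for illustration; in a real check they come from the loaded mscorjit.dll image and its on-disk copy.

```c
/* Added example, not from the original post: integrity check for the inline
 * hook ("call jitNativeCode" in compileMethod rewritten into "call myhook"). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CALL_OK = 0, CALL_OPCODE_CHANGED = 1, CALL_REDIRECTED = 2 };

/* x86 "call rel32" is E8 xx xx xx xx: target = next instruction + rel32. */
static uint32_t call_target(const uint8_t *insn, uint32_t insn_va)
{
    int32_t rel;
    memcpy(&rel, insn + 1, sizeof rel);            /* little-endian rel32 */
    return insn_va + 5 + (uint32_t)rel;
}

/* Check the call at offset call_off of a function mapped at code_va. expected
 * is where it should go (jitNativeCode); *actual receives the resolved
 * target so a detector can report where the call now lands. */
int verify_call_site(const uint8_t *code, size_t len, uint32_t code_va,
                     size_t call_off, uint32_t expected, uint32_t *actual)
{
    if (call_off + 5 > len || code[call_off] != 0xE8) {
        *actual = 0;
        return CALL_OPCODE_CHANGED;      /* instruction itself overwritten */
    }
    *actual = call_target(code + call_off, code_va + (uint32_t)call_off);
    return *actual == expected ? CALL_OK : CALL_REDIRECTED;
}

/* Constructed 10-byte stand-in for compileMethod at 0x10001000; the call at
 * offset 3 should reach jitNativeCode at 0x10005000. */
#define COMPILE_METHOD_VA  0x10001000u
#define JIT_NATIVE_CODE_VA 0x10005000u
static const uint8_t clean_compile_method[10] = {
    0x55, 0x8B, 0xEC,                 /* push ebp; mov ebp, esp */
    0xE8, 0xF8, 0x3F, 0x00, 0x00,     /* call +0x3FF8 -> 0x10005000 */
    0x5D, 0xC3 };                     /* pop ebp; ret */
/* Same function after the call was redirected to a hook at 0x20000000. */
static const uint8_t hooked_compile_method[10] = {
    0x55, 0x8B, 0xEC,
    0xE8, 0xF8, 0xEF, 0xFF, 0x0F,     /* call +0x0FFFEFF8 -> 0x20000000 */
    0x5D, 0xC3 };

int main(void)
{
    uint32_t t;
    int r = verify_call_site(hooked_compile_method, sizeof hooked_compile_method,
                             COMPILE_METHOD_VA, 3, JIT_NATIVE_CODE_VA, &t);
    printf("hooked copy: status %d, call resolves to 0x%08X\n", r, (unsigned)t);
    return 0;
}
```

A real check would also compare the whole function body against the on-disk image, since a hook can be placed anywhere in the chain from compileMethod down to compCompile.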
MaxtoCode 2007 Enterprise Edition is described as a packer at the virtual-machine processing layer. What does it actually do at that layer?
Analysing the memory image of mscorjit.dll shows that it is similar to JIT-layer packing, and it uses both option 2 and option 3. Clearly the purpose of its JIT hook is not to pack but to restore the method body.
We can therefore conclude that by the time the program reaches compCompile, the packer's runtime library has finished all of its decryption work, so compCompile or a lower-level function is a good place to unpack.
So I modified the jithook program, changing only the hook location, that is, hooking a function below compCompile, and then tested the dump. The result is as follows: the source code can be dumped.
So compared with the Personal Edition, the Enterprise Edition only changes the hook location. For unpacking there is basically no difficulty; we only need to move the hook location and dump.
In addition, we found a bug in the Enterprise Edition runtime library that allows it to be unpacked in an even simpler way.