Exetools

Source Code: Dump .net Assembly from c++ Loaders (https://forum.exetools.com/showthread.php?t=20083)

0xall0c 02-16-2022 17:54

Dump .net Assembly from c++ Loaders
 
Simple program to dump .net assembly,

uses hooking instead of a debugger

https://github.com/0x410c/ClrDumper

iNomex 04-06-2022 00:44

This seems really interesting, so it might work on x22 Loader, as an example? Have no subscription to test it yet.

0xall0c 04-14-2022 16:54

I don't know about x22 loader, but just to give it clarity: the tool hooks a function, SafeArrayUnaccessData, which is called after the assembly bytes are placed in the buffer to load. With this function hooked, the parameter to this function points to an array of bytes of the assembly, which are then written to disk by the tool.

Can be used to dump assemblies from a native loader, or in the case of .net crypters, obfuscators etc. Because there is no debugger or anything else, it basically just works with complex samples too.
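As an added example (not code from the ClrDumper repository): SafeArrayUnaccessData is called for every SAFEARRAY an application touches, so a hook like the one described above needs a filter before writing anything to disk. The check below confirms that a buffer is a PE image carrying a CLR header (data directory 14); the header parsing is portable C, and the SAFEARRAY field names in the comments come from the Windows OLE automation headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decide whether a buffer handed to SafeArrayUnaccessData is a .NET assembly:
 * MZ -> e_lfanew -> "PE\0\0" -> optional header -> data directory 14 (CLR header)
 * must exist and be non-empty. Returns 1 for a .NET image, 0 otherwise.
 * In the hook, buf = psa->pvData and len = psa->rgsabound[0].cElements * psa->cbElements. */
int looks_like_dotnet_assembly(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    size_t pe = rd32(buf + 0x3c);                       /* e_lfanew */
    if (pe < 0x40 || pe + 24 > len || memcmp(buf + pe, "PE\0\0", 4) != 0) return 0;
    const uint8_t *coff = buf + pe + 4;
    size_t opt_size = rd16(coff + 16);                  /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    if ((size_t)(opt - buf) + opt_size > len) return 0; /* truncated buffer */
    size_t ndirs_off, dirs_off;
    switch (rd16(opt)) {                                /* optional header Magic */
    case 0x10b: ndirs_off = 92;  dirs_off = 96;  break; /* PE32 */
    case 0x20b: ndirs_off = 108; dirs_off = 112; break; /* PE32+ */
    default: return 0;
    }
    size_t clr = dirs_off + 14 * 8;                     /* IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR */
    if (opt_size < clr + 8 || rd32(opt + ndirs_off) < 15) return 0;
    return rd32(opt + clr) != 0 && rd32(opt + clr + 4) != 0;
}

/* Constructed test input (not a real sample): a header-only PE32 image,
 * optionally carrying a CLR directory entry. Returns the image size. */
size_t build_sample_pe32(uint8_t *out, size_t cap, int with_clr) {
    const size_t opt_size = 224, total = 0x40 + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x40;                                   /* e_lfanew -> PE signature */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 4 + 16] = (uint8_t)opt_size;             /* SizeOfOptionalHeader = 0xE0 */
    uint8_t *opt = out + 0x40 + 4 + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                       /* Magic = 0x10b */
    opt[92] = 16;                                       /* NumberOfRvaAndSizes */
    if (with_clr) {                                     /* CLR directory: RVA 0x2008, size 0x48 */
        opt[96 + 14 * 8] = 0x08; opt[96 + 14 * 8 + 1] = 0x20; opt[96 + 14 * 8 + 4] = 0x48;
    }
    return total;
}
```

A buffer that passes this check is the one worth writing out; everything else the hook sees (ordinary COM arrays, native PE images without a CLR header, truncated data) is ignored.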

0xall0c 05-24-2022 19:07

New release, now you can dump assemblies loaded from Assembly.Load(byte[]), from managed assemblies! :D

Ethereal 06-09-2022 19:05

Quote:

Originally Posted by 0xall0c (Post 125148)
I don't know about x22 loader, but just to give it clarity: the tool hooks a function, SafeArrayUnaccessData, which is called after the assembly bytes are placed in the buffer to load. With this function hooked, the parameter to this function points to an array of bytes of the assembly, which are then written to disk by the tool.

Can be used to dump assemblies from a native loader, or in the case of .net crypters, obfuscators etc. Because there is no debugger or anything else, it basically just works with complex samples too.

Doing that way should be really effective against obfuscators and packers. Have you had any chance to try it against VM obfuscators like Agile.NET or EAZfuscator?

Excellent work btw. Thank you.

0xall0c 06-14-2022 00:42

I have tried it with a sample of ConfuserEx I guess, not sure if it was ConfuserEx; didn't test against anything else. If you could provide samples, maybe I can test.

0xall0c 06-14-2022 17:33

I am thinking to add dumping of JScript/VBScript from processes, so it will be able to dump VBA code, for example from an Office application. Anyone think it will be useful?

DARKER 06-14-2022 20:51

Yes, I think it can be useful. Can you specify what kind of output format the dumps will have? :) (already compiled binary or pure VBScript ...)

0xall0c 06-15-2022 00:09

Pure VBScript or JScript. Also I'm thinking of a monitor mode, which will decrypt and dump different layers of the script, something like when the code decrypts and evals it!

DARKER 06-15-2022 04:17

Exactly, that's what I was thinking about ... maybe add some PowerShell stuff?

0xall0c 06-15-2022 14:26

PowerShell stuff, can you elaborate? Like dumping if a process creates a PowerShell process and tries to execute a PowerShell script?

DARKER 06-15-2022 15:31

Creating a PowerShell process is not a problem, maybe some "EVAL" stuff if it's even possible. But I don't know if it's "compiled" in one shot or divided into multiple "evaluation batches" over the whole execution process (this can also be based on multiple eval techniques).

In the past I had one PS script that had 3 layers of "eval" obfuscation.

0xall0c 06-15-2022 17:48

Ohh, got the idea. Sure, I can add that too after VBScript and JS, and then the intermingling, like if VBScript later on runs PowerShell or loads a .net assembly.

0xall0c 06-15-2022 23:32

VBScript dumping support added, check it out!

edit:
JScript support also added

0xall0c 10-18-2022 19:40

Added PowerShell support :P
