Exetools  

  #1  
Old 02-16-2022, 17:54
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 57
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 49 Times in 29 Posts
0xall0c Reputation: 4
Dump .net Assembly from c++ Loaders

Simple program to dump .net assembly,

uses hooking instead of a debugger

https://github.com/0x410c/ClrDumper
The Following 2 Users Gave Reputation+1 to 0xall0c For This Useful Post:
Shub-Nigurrath (02-16-2022), user1 (04-06-2022)
The Following 8 Users Say Thank You to 0xall0c For This Useful Post:
ahmadmansoor (03-01-2022), besoeso (04-06-2022), Dr.FarFar (02-20-2022), Fyyre (02-23-2022), kurt28 (04-11-2022), Mahmoudnia (04-06-2022), tonyweb (02-18-2022), user1 (04-06-2022)
  #2  
Old 04-06-2022, 00:44
iNomex iNomex is offline
Friend
 
Join Date: Jul 2021
Posts: 7
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 2
Thanks Rcvd at 12 Times in 5 Posts
iNomex Reputation: 1
This seems really interesting, so it might work on x22 Loader, as an example? I have no subscription to test it yet.
  #3  
Old 04-14-2022, 16:54
0xall0c 0xall0c is offline
I don't know about x22 loader, but just to give it clarity: the tool hooks a function, SafeArrayUnaccessData, which is called after the assembly bytes are placed in the buffer to load. With this function hooked, the parameter to this function points to an array of bytes of the assembly, which are then written to disk by the tool.

It can be used to dump assemblies from a native loader, or from .NET crypters, obfuscators, etc. Because there is no debugger or anything else, it basically just works with complex samples too.

Last edited by 0xall0c; 04-14-2022 at 17:00.
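Added example, not part of the original post and not ClrDumper's own code: SafeArrayUnaccessData is a general OLE Automation call, so a hook on it also sees arrays that are not assemblies. An analyst triaging captured buffers can keep only those whose PE headers carry a CLR runtime header (data directory 14); `is_managed_pe` and `make_sample` are hypothetical names, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked little-endian read; returns 0 if the field is out of range. */
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    if (off > n || n - off < 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
         ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* Hypothetical helper: 1 if buf is a PE image whose data directory 14
   (CLR runtime header) is populated, i.e. a managed assembly. */
int is_managed_pe(const uint8_t *buf, size_t len) {
    uint32_t lfanew, magic, ndirs, rva, size;
    size_t opt, dirs;
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    if (!rd32(buf, len, 0x3C, &lfanew)) return 0;      /* e_lfanew */
    if (lfanew > len || len - lfanew < 24) return 0;
    if (memcmp(buf + lfanew, "PE\0\0", 4) != 0) return 0;
    opt = (size_t)lfanew + 24;                 /* signature + COFF header */
    if (!rd32(buf, len, opt, &magic)) return 0;
    magic &= 0xFFFF;                           /* optional header magic is 16 bits */
    if (magic == 0x10B) dirs = opt + 96;       /* PE32 */
    else if (magic == 0x20B) dirs = opt + 112; /* PE32+ */
    else return 0;
    if (!rd32(buf, len, dirs - 4, &ndirs) || ndirs <= 14) return 0;
    if (!rd32(buf, len, dirs + 14 * 8, &rva)) return 0;
    if (!rd32(buf, len, dirs + 14 * 8 + 4, &size)) return 0;
    return rva != 0 && size != 0;
}

/* Constructed sample: minimal PE32 headers, optionally with directory 14 set. */
size_t make_sample(uint8_t *out, size_t cap, int with_clr) {
    const size_t pe = 0x80, opt = pe + 24, need = opt + 96 + 16 * 8;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = (uint8_t)pe;
    memcpy(out + pe, "PE\0\0", 4);
    out[pe + 20] = 0xE0;                       /* SizeOfOptionalHeader = 224 */
    out[opt] = 0x0B; out[opt + 1] = 0x01;      /* magic 0x10B */
    out[opt + 92] = 16;                        /* NumberOfRvaAndSizes */
    if (with_clr) {
        out[opt + 96 + 14 * 8 + 1] = 0x20;     /* RVA 0x2000 */
        out[opt + 96 + 14 * 8 + 4] = 0x48;     /* size 0x48 */
    }
    return need;
}
```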
  #4  
Old 05-24-2022, 19:07
0xall0c 0xall0c is offline
New release: now you can dump assemblies loaded from Assembly.Load(byte[]), from managed assemblies!
The Following User Says Thank You to 0xall0c For This Useful Post:
user_hidden (05-24-2022)
All times are GMT +8. The time now is 12:11.