Dump .net Assembly from c++ Loaders

[0xall0c]

Simple program to dump .net assembly,

uses hooking instead of a debugger

https://github.com/0x410c/ClrDumper

[iNomex]

This seems really interesting, so it might work on x22 Loader as example? Have no Subscription to test it yet.

[0xall0c]

i dont know about x22 loader, but to just give it clarity, the tool hooks a function SafeArrayUnaccessData which is called after the assembly bytes are placed in the buffer to load, with this function hooked the paramater to this function points to an array of byes of assembly, which then are written to disk by the tool.

Can be used to dump assemblies from a native loader, or in case from .net crypters, obfuscators etc. because there is no debugger or anything else, it basically just works with complex samples too.

[0xall0c]

new release, now u can dump assemblies loaded from Assembly.Load(byte[]), from managed assemblies!

[Ethereal]

Quote:

Originally Posted by 0xall0c

i dont know about x22 loader, but to just give it clarity, the tool hooks a function SafeArrayUnaccessData which is called after the assembly bytes are placed in the buffer to load, with this function hooked the paramater to this function points to an array of byes of assembly, which then are written to disk by the tool.

Can be used to dump assemblies from a native loader, or in case from .net crypters, obfuscators etc. because there is no debugger or anything else, it basically just works with complex samples too.

Doing that way should be really effective against obfuscators and packers. Have you had any chance to try it against VM obfuscators like Agile.NET or EAZfuscator?

Excellent work btw. Thank you.

[0xall0c]

i have tried it with a sample of confuserex i guess, not sure if it was confuserEx,didnt test against anything else, if you could provide samples, may be i can test

[0xall0c]

I am thinking to add dumping of jscript,vbscript from processes, so it will be able to dump vba code for example from office applicaiton, anyone thinks it will be usefull?

[DARKER]

Yes, i think it can be useful. Can you specify what kind of data output format will have dumps? (already compiled binary or pure vbscript ...)

[0xall0c]

pure vbscript or jscript, also im thinking of a monitor mode, which will decrypt and dump diffrent layers of the script, something like when the code decrypts and evals it!

[DARKER]

exactly, about that i was thinking ... maybe add some powershell stuff?

[0xall0c]

powershell stuff can you elaborate? like dumping if a process create a powershell process and tries to execute powershell script?

[DARKER]

Create a powershell process is not a problem, maybe some "EVAL" stuff if it's even possible. But i don't know if its "compiled" in one shot or its divided in multiple "evaluation batches" in whole execution process (this can be also based on multiple eval techniques)

In past i have one ps that has 3 layers of "eval" obfuscations.

[0xall0c]

ohh got the idea, sure i can add that too after vbscript and js, nad then the inter mingling like if vbscript later on run powershell or load a .net assembly

[0xall0c]

vbscript dumping supprt added, check it out!

edit:
jscript support also added

[0xall0c]

added powershell support :P