Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-16-2022, 17:54
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
Dump .net Assembly from c++ Loaders

Simple program to dump .net assembly,

uses hooking instead of a debugger

https://github.com/0x410c/ClrDumper
Reply With Quote
The Following 2 Users Gave Reputation+1 to 0xall0c For This Useful Post:
Shub-Nigurrath (02-16-2022), user1 (04-06-2022)
The Following 13 Users Say Thank You to 0xall0c For This Useful Post:
ahmadmansoor (03-01-2022), besoeso (04-06-2022), dnvthv (06-03-2022), Dr.FarFar (02-20-2022), Fyyre (02-23-2022), h4sh3m (10-18-2022), kurt28 (04-11-2022), Mahmoudnia (04-06-2022), pnta (08-25-2022), skypeaful (06-06-2022), tonyweb (02-18-2022), user1 (04-06-2022), WRP (10-19-2022)
  #2  
Old 04-06-2022, 00:44
iNomex iNomex is offline
Friend
 
Join Date: Jul 2021
Posts: 7
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 2
Thanks Rcvd at 14 Times in 5 Posts
iNomex Reputation: 1
This seems really interesting, so it might work on x22 Loader as example? Have no Subscription to test it yet.
Reply With Quote
  #3  
Old 04-14-2022, 16:54
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
i dont know about x22 loader, but to just give it clarity, the tool hooks a function SafeArrayUnaccessData which is called after the assembly bytes are placed in the buffer to load, with this function hooked the paramater to this function points to an array of byes of assembly, which then are written to disk by the tool.

Can be used to dump assemblies from a native loader, or in case from .net crypters, obfuscators etc. because there is no debugger or anything else, it basically just works with complex samples too.

Last edited by 0xall0c; 04-14-2022 at 17:00.
Reply With Quote
The Following User Says Thank You to 0xall0c For This Useful Post:
niculaita (06-09-2022)
  #4  
Old 05-24-2022, 19:07
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
new release, now u can dump assemblies loaded from Assembly.Load(byte[]), from managed assemblies!
Reply With Quote
The Following 4 Users Say Thank You to 0xall0c For This Useful Post:
besoeso (06-10-2022), niculaita (06-09-2022), user_hidden (05-24-2022), wilson bibe (05-25-2022)
  #5  
Old 06-09-2022, 19:05
Ethereal Ethereal is offline
Friend
 
Join Date: Jun 2014
Location: Out Sweden
Posts: 64
Rept. Given: 2
Rept. Rcvd 25 Times in 7 Posts
Thanks Given: 18
Thanks Rcvd at 144 Times in 35 Posts
Ethereal Reputation: 26
Quote:
Originally Posted by 0xall0c View Post
i dont know about x22 loader, but to just give it clarity, the tool hooks a function SafeArrayUnaccessData which is called after the assembly bytes are placed in the buffer to load, with this function hooked the paramater to this function points to an array of byes of assembly, which then are written to disk by the tool.

Can be used to dump assemblies from a native loader, or in case from .net crypters, obfuscators etc. because there is no debugger or anything else, it basically just works with complex samples too.
Doing that way should be really effective against obfuscators and packers. Have you had any chance to try it against VM obfuscators like Agile.NET or EAZfuscator?

Excellent work btw. Thank you.
Reply With Quote
  #6  
Old 06-14-2022, 00:42
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
i have tried it with a sample of confuserex i guess, not sure if it was confuserEx,didnt test against anything else, if you could provide samples, may be i can test
Reply With Quote
  #7  
Old 06-14-2022, 17:33
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
I am thinking to add dumping of jscript,vbscript from processes, so it will be able to dump vba code for example from office applicaiton, anyone thinks it will be usefull?
Reply With Quote
  #8  
Old 06-14-2022, 20:51
DARKER DARKER is offline
VIP
 
Join Date: Jul 2004
Location: Somewhere Over the Rainbow
Posts: 454
Rept. Given: 15
Rept. Rcvd 119 Times in 51 Posts
Thanks Given: 11
Thanks Rcvd at 731 Times in 194 Posts
DARKER Reputation: 100-199 DARKER Reputation: 100-199
Yes, i think it can be useful. Can you specify what kind of data output format will have dumps? (already compiled binary or pure vbscript ...)
Reply With Quote
  #9  
Old 06-15-2022, 00:09
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
pure vbscript or jscript, also im thinking of a monitor mode, which will decrypt and dump diffrent layers of the script, something like when the code decrypts and evals it!
Reply With Quote
  #10  
Old 06-15-2022, 04:17
DARKER DARKER is offline
VIP
 
Join Date: Jul 2004
Location: Somewhere Over the Rainbow
Posts: 454
Rept. Given: 15
Rept. Rcvd 119 Times in 51 Posts
Thanks Given: 11
Thanks Rcvd at 731 Times in 194 Posts
DARKER Reputation: 100-199 DARKER Reputation: 100-199
exactly, about that i was thinking ... maybe add some powershell stuff?
Reply With Quote
  #11  
Old 06-15-2022, 14:26
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
powershell stuff can you elaborate? like dumping if a process create a powershell process and tries to execute powershell script?
Reply With Quote
  #12  
Old 06-15-2022, 15:31
DARKER DARKER is offline
VIP
 
Join Date: Jul 2004
Location: Somewhere Over the Rainbow
Posts: 454
Rept. Given: 15
Rept. Rcvd 119 Times in 51 Posts
Thanks Given: 11
Thanks Rcvd at 731 Times in 194 Posts
DARKER Reputation: 100-199 DARKER Reputation: 100-199
Create a powershell process is not a problem, maybe some "EVAL" stuff if it's even possible. But i don't know if its "compiled" in one shot or its divided in multiple "evaluation batches" in whole execution process (this can be also based on multiple eval techniques)

In past i have one ps that has 3 layers of "eval" obfuscations.
Reply With Quote
  #13  
Old 06-15-2022, 17:48
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
ohh got the idea, sure i can add that too after vbscript and js, nad then the inter mingling like if vbscript later on run powershell or load a .net assembly
Reply With Quote
The Following User Says Thank You to 0xall0c For This Useful Post:
DARKER (06-15-2022)
  #14  
Old 06-15-2022, 23:32
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
vbscript dumping supprt added, check it out!

edit:
jscript support also added

Last edited by 0xall0c; 06-16-2022 at 19:27. Reason: new info
Reply With Quote
The Following User Says Thank You to 0xall0c For This Useful Post:
besoeso (06-16-2022)
  #15  
Old 10-18-2022, 19:40
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 67
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 65 Times in 35 Posts
0xall0c Reputation: 4
added powershell support :P
Reply With Quote
The Following 3 Users Say Thank You to 0xall0c For This Useful Post:
besoeso (10-18-2022), tonyweb (10-18-2022), wilson bibe (10-21-2022)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 17:58.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )