//SOURCE: http://www.reteam.org/board/archive/index.php?t-2562.html
//DNGuard uses some tricks to stop naive generic JIT-hook-based unpackers from working. Example code from lgcoree.cpp by Daniel Pistelli:

// Hook installed in place of the JIT's compileMethod export
int __stdcall my_compileMethod(ULONG_PTR classthis, ICorJitInfo *comp, CORINFO_METHOD_INFO *info, unsigned flags, BYTE **nativeEntry, ULONG *nativeSizeOfCode)
{
    ...
    // call original method
    int nRet = compileMethod(classthis, comp, info, flags, nativeEntry, nativeSizeOfCode); //Bug1: errorcode is not checked
    DisplayMethodAndCalls(comp, info); // runs even when nRet reports a JIT failure
    ...
    return nRet;
}

VOID DisplayMethodAndCalls(ICorJitInfo *comp, CORINFO_METHOD_INFO *info)
{
    ...
    szMethodName = comp->getMethodName(info->ftn, &szClassName); //Bug2: CRASH!
    ...
}

/*
Bug 1: on the first pass, DNGuard sends invalid IL to the JIT. The unpacker should check the return value and handle the error appropriately; lgcoree dumps the invalid IL instead.
Bug 2: DNGuard passes an evil CORINFO_METHOD_HANDLE to the JIT compiler. Specifically, ICorMethodInfo->getMethodName() is invalid for it; lgcoree does not check that and crashes with an access violation. A proper unpacker should always call ICorMethodInfo->getMethodName() from the .NET framework or use method tokens instead of names.
Have fun!*/
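Added example, not from the paste or from lgcoree: a hook that applies both fixes the comment asks for, checking the JIT's return code before doing anything with the method and keying the dump by metadata token rather than by name. The corjit.h/corinfo.h types and the two-pass simulation below are constructed stand-ins so it compiles offline; CORJIT_OK == 0 and getMethodDefFromMethod() are real, the 0xFF "bogus IL" marker and the fake original JIT are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// Constructed stand-ins for the corjit.h / corinfo.h declarations so this compiles offline.
typedef void *CORINFO_METHOD_HANDLE;
typedef uint32_t mdMethodDef;
enum { CORJIT_OK = 0 };                          // real JIT success code; anything else is an error
struct CORINFO_METHOD_INFO { CORINFO_METHOD_HANDLE ftn; uint8_t *ILCode; unsigned ILCodeSize; };
struct ICorJitInfo {                             // only the one query the hook needs
    virtual mdMethodDef getMethodDefFromMethod(CORINFO_METHOD_HANDLE h) = 0;
};
typedef int (*CompileMethodFn)(void *, ICorJitInfo *, CORINFO_METHOD_INFO *, unsigned, uint8_t **, unsigned long *);

static CompileMethodFn g_origCompileMethod = nullptr;        // filled in by the hook installer
static std::map<mdMethodDef, std::vector<uint8_t>> g_dumped; // captured IL keyed by token, not name

// Hardened hook (the real one is __stdcall on x86): nothing is dumped and no handle
// is dereferenced until the real JIT has accepted the IL.
int my_compileMethod(void *classthis, ICorJitInfo *comp, CORINFO_METHOD_INFO *info,
                     unsigned flags, uint8_t **nativeEntry, unsigned long *nativeSizeOfCode)
{
    int nRet = g_origCompileMethod(classthis, comp, info, flags, nativeEntry, nativeSizeOfCode);
    if (nRet != CORJIT_OK || info == nullptr || info->ILCode == nullptr || info->ILCodeSize == 0)
        return nRet;                             // first pass with bogus IL: leave it alone, no name lookup
    mdMethodDef tok = comp->getMethodDefFromMethod(info->ftn);   // token instead of getMethodName()
    g_dumped[tok].assign(info->ILCode, info->ILCode + info->ILCodeSize);
    return nRet;
}

// --- constructed simulation of the two JIT passes the paste describes ---
struct FakeJitInfo : ICorJitInfo {
    mdMethodDef getMethodDefFromMethod(CORINFO_METHOD_HANDLE h) override {
        return 0x06000000u | (mdMethodDef)(uintptr_t)h;         // pretend the handle value is the RID
    }
};
static int fakeOriginal(void *, ICorJitInfo *, CORINFO_METHOD_INFO *info, unsigned, uint8_t **, unsigned long *) {
    return (info->ILCodeSize && info->ILCode[0] != 0xFF) ? CORJIT_OK : 1; // 0xFF marks our bogus IL
}
size_t simulate_two_passes() {
    g_origCompileMethod = fakeOriginal; g_dumped.clear();
    FakeJitInfo ji; uint8_t *entry = nullptr; unsigned long size = 0;
    uint8_t badIL[] = {0xFF, 0xFF}, goodIL[] = {0x16, 0x2A};      // constructed: ldc.i4.0 ; ret
    CORINFO_METHOD_INFO first  = {(CORINFO_METHOD_HANDLE)1, badIL, 2};
    CORINFO_METHOD_INFO second = {(CORINFO_METHOD_HANDLE)1, goodIL, 2};
    my_compileMethod(nullptr, &ji, &first, 0, &entry, &size);    // rejected by the JIT: not dumped
    my_compileMethod(nullptr, &ji, &second, 0, &entry, &size);   // accepted: dumped under 0x06000001
    return g_dumped.size();                                      // 1
}
```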