/// <summary>
/// Builds a PE image from <paramref name="module"/> and writes the resulting file into the
/// configured output root directory.
/// </summary>
/// <param name="options">Supplies <c>OutputOptions.RootDirectory</c>, the directory written to.</param>
/// <param name="context">Supplies the logger that receives non-fatal build errors.</param>
/// <param name="module">The module to serialize.</param>
/// <param name="fileName">Name of the output file; it is combined with the root directory.</param>
/// <exception cref="AggregateException">The image builder reported a fatal error.</exception>
private static void SerializeImageToDisk(
    DevirtualisationOptions options,
    DevirtualisationContext context,
    ModuleDefinition module,
    string fileName)
{
    var buildResult = new ManagedPEImageBuilder().CreateImage(module);
    var diagnostics = buildResult.DiagnosticBag;

    // Fatal build: surface every collected exception instead of writing anything.
    if (diagnostics.IsFatal)
    {
        throw new AggregateException(diagnostics.Exceptions);
    }

    // Non-fatal problems are only logged; the image is still written below.
    foreach (var problem in diagnostics.Exceptions)
    {
        context.Logger.Error(Tag, problem.Message);
    }

    var peFile = new ManagedPEFileBuilder().CreateFile(buildResult.ConstructedImage);

    // NOTE(review): Path.Combine returns fileName unchanged when it is rooted and does not
    // collapse ".." segments, so nothing here confines the write to RootDirectory. Confirm
    // that callers pass a bare file name, in particular if it is derived from the input
    // binary being processed.
    peFile.Write(Path.Combine(options.OutputOptions.RootDirectory, fileName));
}
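/// <summary>
/// Saves the assembly after modifications, writing one output file per loaded module
/// representation next to the input path.
/// </summary>
/// <remarks>
/// The dnlib module is written with a "-DnLibed" suffix and the AsmResolver module with an
/// "-AsmResolved" suffix, both placed before the file extension. Writer errors are tolerated
/// on purpose (best-effort save), so the outputs are not guaranteed to be well-formed and
/// should be validated before they are relied on.
/// </remarks>
public void SaveContext()
{
    // Split at the real extension instead of assuming it is exactly four characters long:
    // the fixed "Length - 4" offset threw on short paths and misplaced the suffix for other
    // extensions, and the later Replace() also hit any "HereWeGo" already in the path.
    // Insert-before-extension idea: thx 4 drakoniа#0601.
    string extension = System.IO.Path.GetExtension(PathIs) ?? string.Empty;
    string stem = PathIs.Substring(0, PathIs.Length - extension.Length);
    string dnlibPath = stem + "-DnLibed" + extension;
    string asmResolverPath = stem + "-AsmResolved" + extension;

    if (DnModule != null)
    {
        // DummyLogger.NoThrowInstance swallows writer errors, so a damaged module is still
        // written without any notice; PreserveAll asks the writer to keep existing metadata.
        if (DnModule.IsILOnly)
        {
            var managedWriter = new ModuleWriterOptions(DnModule)
            {
                Logger = DummyLogger.NoThrowInstance,
                MetadataOptions = { Flags = MetadataFlags.PreserveAll }
            };
            DnModule.Write(dnlibPath, managedWriter);
            Log.Info("Done Saved Manged Dnlib Module");
        }
        else
        {
            // Mixed-mode module: use the native writer.
            var nativeWriter = new NativeModuleWriterOptions(DnModule, false)
            {
                Logger = DummyLogger.NoThrowInstance,
                MetadataOptions = { Flags = MetadataFlags.PreserveAll }
            };
            DnModule.NativeWrite(dnlibPath, nativeWriter);
            Log.Info("Done Saved Native Dnlib Module");
        }
    }

    if (AsmModule != null)
    {
        var imageBuilder = new ManagedPEImageBuilder()
        {
            DotNetDirectoryFactory = new DotNetDirectoryFactory()
            {
                MetadataBuilderFlags = MetadataBuilderFlags.PreserveAll,
                MethodBodySerializer = new CilMethodBodySerializer
                {
                    ComputeMaxStackOnBuildOverride = false
                }
            }
        };
        var buildResult = imageBuilder.CreateImage(AsmModule);

        // Check for a fatal build before touching ConstructedImage. The previous code built
        // the PE file first, so a failed build reached CreateFile ahead of the fallback.
        if (!buildResult.DiagnosticBag.IsFatal)
        {
            // Non-fatal diagnostics are intentionally ignored here.
            var peFile = new ManagedPEFileBuilder().CreateFile(buildResult.ConstructedImage);
            peFile.Write(asmResolverPath);
        }
        else
        {
            // Fallback kept as before: retry through AsmModule.Write with the same builder.
            // NOTE(review): this presumably fails the same way and throws; confirm that is
            // the intended way to surface a fatal build error.
            AsmModule.Write(asmResolverPath, imageBuilder);
        }

        Log.Info("Done Saved AsmResolver Module");
    }
}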
// Replaces a method body with x64 native code that calls the imported CRT function puts,
// rebuilds the PE file and checks the output of the rebuilt program.
// Skipped unless running on 64-bit Windows.
public void NativeBodyWithCall()
{
    Skip.IfNot(RuntimeInformation.IsOSPlatform(OSPlatform.Windows), NonWindowsPlatform);
    Skip.IfNot(Environment.Is64BitOperatingSystem, Non64BitPlatform);

    // Load the test image and register the puts import on it.
    var image = PEImage.FromBytes(Properties.Resources.TheAnswer_NetFx);

    var crtImport = new ImportedModule("api-ms-win-crt-stdio-l1-1-0.dll");
    image.Imports.Add(crtImport);

    var putsSymbol = new ImportedSymbol(0x4fc, "puts");
    crtImport.Symbols.Add(putsSymbol);

    // Native x64 body; the string literal follows the ret at offset 0x1B.
    byte[] nativeCode =
    {
        /* 00: */ 0x48, 0x83, 0xEC, 0x28,                     // sub rsp, 0x28
        /* 04: */ 0x48, 0x8D, 0x0D, 0x10, 0x00, 0x00, 0x00,   // lea rcx, qword [rel str]
        /* 0B: */ 0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,         // call qword [rel puts]
        /* 11: */ 0xB8, 0x37, 0x13, 0x00, 0x00,               // mov eax, 0x1337
        /* 16: */ 0x48, 0x83, 0xC4, 0x28,                     // add rsp, 0x28
        /* 1A: */ 0xC3,                                       // ret

        // str:
        0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x66,   // "Hello f"
        0x72, 0x6f, 0x6d, 0x20, 0x74, 0x68, 0x65,   // "rom the"
        0x20, 0x75, 0x6e, 0x6d, 0x61, 0x6e, 0x61,   // " unmana"
        0x67, 0x65, 0x64, 0x20, 0x77, 0x6f, 0x72,   // "ged wor"
        0x6c, 0x64, 0x21, 0x00                      // "ld!"
    };
    var nativeBody = new CodeSegment(image.ImageBase, nativeCode);

    // The call's 32-bit displacement starts at offset 0xD (two opcode bytes after 0x0B);
    // it is left zero above and patched to reference the puts import.
    var putsFixup = new AddressFixup(0xD, AddressFixupType.Relative32BitAddress, putsSymbol);
    nativeBody.AddressFixups.Add(putsFixup);

    // Swap the managed body for the native one (false: not 32-bit).
    ReplaceBodyWithNativeCode(image, nativeBody, false);

    // Rebuild the PE file from the modified image.
    var peFile = new ManagedPEFileBuilder().CreateFile(image);

    // Run it: 4919 in the expected output is 0x1337, the value left in eax.
    string expectedOutput = "Hello from the unmanaged world!\r\nThe answer to life, universe and everything is 4919\r\n";
    var runner = _fixture.GetRunner<FrameworkPERunner>();
    runner.RebuildAndRun(peFile, "TheAnswer", expectedOutput);
}
/// <summary>
/// Injects the <see cref="PeSectionLoader"/> into the stub module, rebuilds the stub as a PE
/// file, appends a section named <c>Name</c> that holds the bytes returned by
/// <c>Payload.Compress(Name)</c>, and writes the file to <c>OutputPath</c>.
/// </summary>
public override void Execute()
{
    InjectLoader(_stubModule, typeof(PeSectionLoader));

    var stubImage = _stubModule.ToPEImage();
    var stubFile = new ManagedPEFileBuilder().CreateFile(stubImage);

    // NOTE(review): the section is marked ContentUninitializedData although it is backed by
    // a DataSegment with content, so its characteristics do not describe what it actually
    // holds. Confirm this flag combination is intended.
    var sectionFlags = SectionFlags.MemoryRead
                       | SectionFlags.MemoryWrite
                       | SectionFlags.ContentUninitializedData;

    var sectionContents = new DataSegment(Payload.Compress(Name));
    stubFile.Sections.Add(new PESection(Name, sectionFlags, sectionContents));

    stubFile.Write(OutputPath);
}
/// <summary>
/// Round-trips <paramref name="image"/> through the managed PE file builder: serializes it
/// into an in-memory buffer and parses that buffer back into a new image.
/// </summary>
/// <param name="image">The image to rebuild.</param>
/// <returns>The image read back from the rebuilt bytes.</returns>
private static IPEImage RebuildAndReloadManagedPE(IPEImage image)
{
    using var buffer = new MemoryStream();

    // Build: write the rebuilt file into the buffer.
    var rebuiltFile = new ManagedPEFileBuilder().CreateFile(image);
    rebuiltFile.Write(new BinaryStreamWriter(buffer));

    // Reload: parse the bytes that were just written.
    return PEImage.FromBytes(buffer.ToArray());
}
// Replaces a method body with 32-bit x86 native code that calls the imported CRT function
// puts through an absolute address, rebuilds the PE file and checks the program's output.
// Skipped unless running on Windows.
public void NativeBodyWithCallX86()
{
    Skip.IfNot(RuntimeInformation.IsOSPlatform(OSPlatform.Windows), NonWindowsPlatform);

    // Load the test image and register the puts import on it.
    var image = PEImage.FromBytes(Properties.Resources.TheAnswer_NetFx);

    var crtImport = new ImportedModule("api-ms-win-crt-stdio-l1-1-0.dll");
    image.Imports.Add(crtImport);

    var putsSymbol = new ImportedSymbol(0x4fc, "puts");
    crtImport.Symbols.Add(putsSymbol);

    // Native x86 body. The two pushes lay out "Hell" followed by "o\0\0\0" on the stack,
    // and esp (pointing at that string) is pushed as the argument to puts.
    byte[] nativeCode =
    {
        /* 00: */ 0x55,                                 // push ebp
        /* 01: */ 0x89, 0xE5,                           // mov ebp,esp
        /* 03: */ 0x6A, 0x6F,                           // push byte +0x6f        ; "o"
        /* 05: */ 0x68, 0x48, 0x65, 0x6C, 0x6C,         // push dword 0x6c6c6548  ; "Hell"
        /* 0A: */ 0x54,                                 // push esp
        /* 0B: */ 0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,   // call [dword puts]
        /* 11: */ 0x83, 0xC4, 0x0C,                     // add esp,byte +0xc
        /* 14: */ 0xB8, 0x37, 0x13, 0x00, 0x00,         // mov eax,0x1337
        /* 19: */ 0x5D,                                 // pop ebp
        /* 1A: */ 0xC3,                                 // ret
    };
    var nativeBody = new CodeSegment(image.ImageBase, nativeCode);

    // The call operand at offset 0xD is an absolute 32-bit address of the puts import slot.
    var putsFixup = new AddressFixup(0xD, AddressFixupType.Absolute32BitAddress, putsSymbol);
    nativeBody.AddressFixups.Add(putsFixup);

    // Because the operand is absolute, register a HighLow base relocation for it; every
    // relocation the image had before is dropped first.
    image.Relocations.Clear();
    var operandLocation = new RelativeReference(nativeBody, 0xD);
    image.Relocations.Add(new BaseRelocation(RelocationType.HighLow, operandLocation));

    // Swap the managed body for the native one (true: 32-bit).
    ReplaceBodyWithNativeCode(image, nativeBody, true);

    // Rebuild the PE file from the modified image.
    var peFile = new ManagedPEFileBuilder().CreateFile(image);

    // Run it: 4919 in the expected output is 0x1337, the value left in eax.
    string expectedOutput = "Hello\r\nThe answer to life, universe and everything is 4919\r\n";
    var runner = _fixture.GetRunner<FrameworkPERunner>();
    runner.RebuildAndRun(peFile, "TheAnswer", expectedOutput);
}
// Rebuilds the 64-bit HelloWorld image without modifying it and checks that the rebuilt
// program still prints the expected line.
public void HelloWorldRebuild64BitNoChange()
{
    // Load the unmodified image.
    var image = PEImage.FromBytes(Properties.Resources.HelloWorld_X64);

    // Rebuild it into a PE file.
    var peFile = new ManagedPEFileBuilder().CreateFile(image);

    // Run the rebuilt file and compare its output.
    var runner = _fixture.GetRunner<FrameworkPERunner>();
    runner.RebuildAndRun(peFile, "HelloWorld", "Hello World!" + Environment.NewLine);
}
/// <summary>
/// Injects the <see cref="DebugDirLoader"/> into the stub module, replaces the stub image's
/// debug data with a single custom entry holding the bytes returned by
/// <c>Payload.Compress(Name)</c>, and writes the rebuilt file to <c>OutputPath</c>.
/// </summary>
public override void Execute()
{
    InjectLoader(_stubModule, typeof(DebugDirLoader));

    var stubImage = _stubModule.ToPEImage();

    // Every existing debug entry is discarded. The written file's debug directory then
    // holds exactly one entry, typed Unknown, whose data is the Payload.Compress(Name)
    // output rather than debugger information.
    stubImage.DebugData.Clear();
    var entryContents = new CustomDebugDataSegment(
        DebugDataType.Unknown,
        new DataSegment(Payload.Compress(Name)));
    stubImage.DebugData.Add(new DebugDataEntry(entryContents));

    var stubFile = new ManagedPEFileBuilder().CreateFile(stubImage);
    stubFile.Write(OutputPath);
}
// Retargets the 64-bit HelloWorld image to 32-bit (machine type and optional header
// magic), rebuilds it and checks that the rebuilt program still prints the expected line.
public void HelloWorld64BitTo32Bit()
{
    // Load the 64-bit image.
    var image = PEImage.FromBytes(Properties.Resources.HelloWorld_X64);

    // Switch both the machine type and the PE kind to their 32-bit values.
    image.MachineType = MachineType.I386;
    image.PEKind = OptionalHeaderMagic.Pe32;

    // Rebuild it into a PE file.
    var peFile = new ManagedPEFileBuilder().CreateFile(image);

    // Run the rebuilt file and compare its output.
    var runner = _fixture.GetRunner<FrameworkPERunner>();
    runner.RebuildAndRun(peFile, "HelloWorld", "Hello World!" + Environment.NewLine);
}
// Replaces a method body with a minimal native stub that returns a constant, rebuilds the
// PE file and checks the output of the rebuilt program.
// Skipped unless running on 64-bit Windows.
public void NativeBodyWithNoCalls()
{
    Skip.IfNot(RuntimeInformation.IsOSPlatform(OSPlatform.Windows), NonWindowsPlatform);
    Skip.IfNot(Environment.Is64BitOperatingSystem, Non64BitPlatform);

    // Load the test image.
    var image = PEImage.FromBytes(Properties.Resources.TheAnswer_NetFx);

    // B8 imm32 encodes "mov eax, imm32"; on x64 the write to eax zero-extends into rax.
    byte[] nativeCode =
    {
        0xb8, 0x39, 0x05, 0x00, 0x00,   // mov eax, 1337 (0x539)
        0xc3                            // ret
    };
    var nativeBody = new CodeSegment(image.ImageBase, nativeCode);

    // Swap the managed body for the native one (false: not 32-bit).
    ReplaceBodyWithNativeCode(image, nativeBody, false);

    // Rebuild the PE file from the modified image.
    var peFile = new ManagedPEFileBuilder().CreateFile(image);

    // Run the rebuilt file and compare its output.
    var runner = _fixture.GetRunner<FrameworkPERunner>();
    runner.RebuildAndRun(peFile, "TheAnswer", "The answer to life, universe and everything is 1337\r\n");
}