//delegate preperation & JIT Stack fixes private unsafe void PreJit() { Win32.Print("PreJIT: FindMatchingMethods"); MethodInfo method = typeof(JitEncrypt).GetMethod("FindMethods", BindingFlags.Instance | BindingFlags.NonPublic); RuntimeHelpers.PrepareMethod(method.MethodHandle); Win32.Print("PreJIT: ContainsKey"); method = typeof(Dictionary <long, JitMethodBase>).GetMethod("ContainsKey", BindingFlags.Instance | BindingFlags.Public); RuntimeHelpers.PrepareMethod(method.MethodHandle); Win32.Print("PreJIT: FindMatchingMethods [Call]"); //--- Note the following requests are required to prevent stack overflow exceptions on some deep .net methods that they call Data.CorMethodInfo64 methodInfo = new Data.CorMethodInfo64() //--- create fake data structure pointing to our fake method { moduleHandle = new IntPtr(int.MaxValue), methodHandle = new IntPtr(int.MaxValue - 0x06000000) }; JitMethodBase temp = new JitMethodBase(methodInfo.moduleHandle, int.MaxValue, method, new ClrEncrypted(EncryptionType.aes, false)); //--- define our fake method JitMethodBase temp2 = new JitMethodBase(methodInfo.moduleHandle, int.MaxValue, method, new MethodHash("fake method hash")); //--- define our fake method long value = temp.hMODULE.ToInt64() + temp.Token; //--- calculate our fake method's lookup token EncryptedMethods.Add(value, temp); //--- add our fake method to our dictioanry HashedMethods.Add(value, temp2); FindMethods(&methodInfo); // use FindMethods to PreJit the entire chain EncryptedMethods.Clear(); //--- clear our dictionary of our fake method to prevent issues HashedMethods.Clear(); if (AntiDebug.DetectDebuggers()) { Win32.Print("Debugger Present"); SafeCrash.ForceCrash(); } }
//delegate preperation & JIT Stack fixes private unsafe void PreJit() { Win32.Print("PreJIT: FindMatchingMethods"); MethodInfo method = typeof(JitEncrypt).GetMethod("FindMethods", BindingFlags.Instance | BindingFlags.NonPublic); System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(method.MethodHandle); Win32.Print("PreJIT: DoesMatch"); method = typeof(JitMethodBase).GetMethod("DoesMatch", BindingFlags.Instance | BindingFlags.Public); System.Runtime.CompilerServices.RuntimeHelpers.PrepareMethod(method.MethodHandle); Win32.Print("PreJIT: FindMatchingMethods [Call]"); //--- Note the following requests are required to prevent stack overflow exceptions on some deep .net methods that they call Data.CorMethodInfo64 methodInfo = new Data.CorMethodInfo64() { moduleHandle = IntPtr.Zero, methodHandle = IntPtr.Zero }; FindMethods(&methodInfo); Win32.Print("PreJIT: DoesMatch [Call]"); JitMethodBase temp = new JitMethodBase(method.Module.GetHMODULE(), method.MetadataToken, method, new ClrEncrypted(EncryptionType.aes, false)); temp.DoesMatch(IntPtr.Zero, 0); if (AntiDebug.DetectDebuggers()) { Win32.Print("Debugger Present"); SafeCrash.ForceCrash(); } }
private unsafe int ClrCompile64(IntPtr thisPtr, [In] IntPtr corJitInfo, [In] Data.CorMethodInfo64 *methodInfo, Data.CorJitFlag flags, [Out] IntPtr nativeEntry, [Out] IntPtr nativeSizeOfCode) { JitMethodBase[] compiling_methods = FindMethods(methodInfo); //IntPtr corJitInfo_vTable = Marshal.ReadIntPtr(corJitInfo); if (compiling_methods.Length != 0) { //detect debuggers if (AntiDebug.DetectDebuggers()) { Win32.Print("On Compile - Debugger Present"); SafeCrash.ForceCrash(); } JitMethodBase method_base = compiling_methods[0]; Win32.Print($"Compiling: {method_base.Method.Name}"); if (compiling_methods.Length == 1) { //--- one matching method, HandleCompile we determine what to do HandleCompile(method_base, methodInfo); } else { //--- two matching methods, must handle decryption before hashing foreach (JitMethodBase method in compiling_methods) { if (method is EncryptedMethod encrypted) { HandleCompile(encrypted, methodInfo); break; } } foreach (JitMethodBase method in compiling_methods) { if (method is HashedMethod hashed) { HandleCompile(hashed, methodInfo); break; } } } } return(_jitHook64.OriginalCompileMethod(thisPtr, corJitInfo, methodInfo, flags, nativeEntry, nativeSizeOfCode)); }