private void setSecurityLevelToolStripMenuItem_Click(object sender, EventArgs e) { OpenFileDialog ofd = new OpenFileDialog(); ofd.Title = "Select a Security DLL File"; ofd.Filter = "DLL files (*.dll)|*.dll|All files (*.*)|*.*"; ofd.Multiselect = false; if (ofd.ShowDialog() == DialogResult.OK) { DllContext ctx = new DllContext(ofd.FileName); if (ctx.KeyGenerationCapability) { SecurityLevelForm slForm = new SecurityLevelForm(ctx); if (slForm.ShowDialog() == DialogResult.OK) { Console.WriteLine($"Authentication: Selected level {slForm.RequestedSecurityLevel} : {BitUtility.BytesToHex(slForm.KeyResponse)}"); } } else { MessageBox.Show("The selected DLL is not capable of configuring ECU security levels. Please try another file.", "Security Level Configuration"); } } }
public static unsafe Assembly LoadMixedAssembly(AssemblyName rassemblyName, IntPtr lib, bool ExecuteExe) { string MainFunctionName = "_CorDllMain"; if (ExecuteExe) // is true the exe will be executed! { MainFunctionName = "_CorExeMain"; } int max_code_len = 1024; // maximum 1 KB int current_code_len = 0; bool is_last_fr = false; bool is_fr4 = false; bool is_last_fr_load_dll = false; byte * ptr = (byte *)0; IntPtr mscorwks_Address = LoadLibrary("mscorwks.dll"); if (mscorwks_Address == IntPtr.Zero) { mscorwks_Address = LoadLibrary("clr.dll"); is_fr4 = true; } // mscorwks!_CorDllMain ptr = (byte *)GetProcAddress(mscorwks_Address, MainFunctionName).ToPointer(); if ((uint)ptr == 0) { MessageBox.Show("Failed to find mscorwks." + MainFunctionName + " or clr." + MainFunctionName + " !"); return(null); } if (!is_fr4) // if is framework 2 { current_code_len = 0; while (true) { ptr++; current_code_len++; /* For ExecuteEXE * 6cc76fde 50 push eax * 6cc76fdf e887000000 call mscorwks!ExecuteEXE (6cc7706b) * 6cc76fe4 3bc3 cmp eax,ebx * 6cc76fe6 0f84cb590f00 je mscorwks!_CorExeMain+0x160 (6cd6c9b7) */ if (ExecuteExe && (ptr[0] == 0xe8) && (*((ptr - 1)) == 0x50) && (ptr[5] == 0x3b) && ((ptr + 5)[1] == 0xc3)) { break; } /* 6cd18a36 56 push esi * 6cd18a37 ff7510 push dword ptr [ebp+10h] * 6cd18a3a ff750c push dword ptr [ebp+0Ch] * 6cd18a3d ff7508 push dword ptr [ebp+8] * 6cd18a40 e8fafeffff call mscorwks!ExecuteDLL (6cd1893f) * * https://github.com/fixdpt/shared-source-cli-2.0/blob/master/clr/src/vm/ceemain.cpp: * This is the call point to make a DLL that is already loaded into our address space run * BOOL STDMETHODCALLTYPE ExecuteDLL(HINSTANCE hInst, * DWORD dwReason, * LPVOID lpReserved, * BOOL fFromThunk) * * BOOL STDMETHODCALLTYPE _CorDllMain ( * [in] HINSTANCE hInst, * [in] DWORD dwReason, * [in] LPVOID lpReserved * ); * */ if (!ExecuteExe && (ptr[0] == 0xe8) && (*((ptr - 3)) == 0xFF) && (*((ptr - 6)) == 0xFF) && (*((ptr - 9)) == 0xFF)) { break; } if (current_code_len == max_code_len) { string constructed_error = "Failed to find mscorwks!"; if (ExecuteExe) { constructed_error = constructed_error + "ExecuteEXE"; } else { constructed_error = constructed_error + "ExecuteDLL"; } MessageBox.Show(constructed_error); return(null); } } } else // if is framework 4.0 { current_code_len = 0; while (true) { ptr++; current_code_len++; /* Code for exe (Execute = true): * For exes (Execute = true) is this: * 6606aef0 33c0 xor eax,eax * 6606aef2 8945e0 mov dword ptr [ebp-20h],eax * 6606aef5 8945e4 mov dword ptr [ebp-1Ch],eax * 6606aef8 8945fc mov dword ptr [ebp-4],eax * 6606aefb e8e420f8ff call clr!_CorExeMainInternal (65fecfe4) * 6606af00 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh */ if (ExecuteExe && (ptr[0] == 0xe8) && (*((ptr - 3)) == 0x89) && (*((ptr - 2)) == 0x45) && (*((ptr - 1)) == 0xfc) && (ptr[5] == 0xc7) && ((ptr + 5)[1] == 0x45) && ((ptr + 5)[2] == 0xfc)) { break; } /* Code for dll (Execute = false): * 66188055 56 push esi * 66188056 52 push edx * 66188057 51 push ecx * 66188058 50 push eax * 66188059 e8ad50fbff call clr!ExecuteDLL (6613d10b) * 6618805e 8945e0 mov dword ptr [ebp-20h],eax * ... * 68A60CFF C745 FC FEFFFFF>MOV DWORD PTR SS:[EBP-0x4],-0x2 */ if (!ExecuteExe && (ptr[0] == 0xe8) && ((*((ptr - 1)) & 0xF0) == 0x50) && ((*((ptr - 2)) & 0xF0) == 0x50) && (ptr[5] == 0x89) && ((ptr + 5)[1] == 0x45) && (ptr[8] == 0xc7) && ((ptr + 8)[1] == 0x45)) { break; } if (current_code_len == max_code_len) { string constructed_error = "Failed to find clr!"; if (ExecuteExe) { constructed_error = constructed_error + "_CorExeMainInternal"; } else { constructed_error = constructed_error + "ExecuteDLL"; } MessageBox.Show(constructed_error); return(null); } } current_code_len = 0; max_code_len = 1024; // 1KB for this search! ptr++; ptr = (byte *)((ptr + *(((uint *)ptr))) + 4); // clr!_CorExeMainInternal address /* * 79298A85 53 PUSH EBX * 79298A86 FF15 6C121479 CALL DWORD PTR DS:[7914126C] ; KERNEL32.GetModuleHandleW - SHOULD NOT BE CHECKED! * 79298A8C 50 PUSH EAX ; byte ok for checking! * 79298A8D E8 AA000000 CALL 79298B3C ; clr.79298B3C - THIS IS THE CALL! * 79298A92 3BC3 CMP EAX,EBX ; ok for checking! * 79298A94 0F84 24350800 JE 7931BFBE ; clr.7931BFBE - first byte checked! * * 7135D08D 53 PUSH EBX * 7135D08E FF15 6C122771 CALL DWORD PTR DS:[7127126C] ; KERNEL32.GetModuleHandleW * 7135D094 50 PUSH EAX * 7135D095 E8 AA000000 CALL 7135D144 ; clr.7135D144 * 7135D09A 3BC3 CMP EAX,EBX * 7135D09C 0F84 74E50E00 JE 7144B616 ; clr.7144B616 * 7135D0A2 895D DC MOV DWORD PTR SS:[EBP-24],EBX * * On new version: * 5D53869A 803D 0CE3A65D 0>CMP BYTE PTR DS:[5DA6E30C],0 * 5D5386A1 0F85 BD8C0700 JNZ 5D5B1364 ; clr.5D5B1364 * 5D5386A7 C645 FC 04 MOV BYTE PTR SS:[EBP-4],4 * 5D5386AB 6A 00 PUSH 0 * 5D5386AD FF15 C401A85D CALL DWORD PTR DS:[5DA801C4] ; KERNEL32.GetModuleHandleW * 5D5386B3 8BC8 MOV ECX,EAX * 5D5386B5 E8 2F080000 CALL 5D538EE9 ; clr.5D538EE9 * 5D5386BA 85C0 TEST EAX,EAX * 5D5386BC 0F84 C38C0700 JE 5D5B1385 ; clr.5D5B1385 * */ if (ExecuteExe) { // clr!ExecuteEXE while ((((((ptr[0] != 0xe8) || (*((ptr - 1)) != 0x050))) || ((ptr[5] != 0x3b) || ((ptr + 5)[1] != 0xc3))) || ((ptr + 5)[2] != 15)) && (((((ptr[0] != 0xe8) || (*((ptr - 2)) != 0x8B) || (*((ptr - 1)) != 0xC8))) || ((ptr[5] != 0x85) || ((ptr + 5)[1] != 0xc0))) || ((ptr + 5)[2] != 0x0F))) { ptr++; } byte test1 = (*((ptr - 1))); byte test2 = (*((ptr - 2))); if (*((ptr - 1)) == 0x0C8 && *((ptr - 2)) == 0x8B) { is_last_fr = true; } } else // if ExecuteExe=false - dll mode { // clr!ExecuteDLLForAttach current_code_len = 0; while (true) { ptr++; current_code_len++; if ((ptr[0] == 0xe8) && ((*((ptr - 1)) & 0xF0) == 0x050) && (*((ptr - 4)) == 0x0FF) && (*((ptr - 7)) == 0x0FF) && (*((ptr - 10)) == 0x0FF)) { break; } if ((ptr[0] == 0xe8) && (*(ptr - 3) == 0x08B) && (*((ptr - 6)) == 0x08B) && (*((ptr - 9)) == 0x0FF)) // &&((ptr[1]&0xF0) == 0x080) { is_last_fr_load_dll = true; break; } if (current_code_len == max_code_len) { MessageBox.Show("Failed to find clr!ExecuteDLLForAttach"); return(null); } } } /* For exes (Execute = true) is this: * 6603d089 c645fc04 mov byte ptr [ebp-4],4 * 6603d08d 53 push ebx * 6603d08e ff156c12f565 call dword ptr [clr!_imp__GetModuleHandleW (65f5126c)] * 6603d094 50 push eax * 6603d095 e8aa000000 call clr!ExecuteEXE (6603d144) * 6603d09a 3bc3 cmp eax,ebx * 6603d09c 0f8474e50e00 je clr!_CorExeMainInternal+0x1a3 (6612b616) * * For dll: * 633bd1c5 ff7514 push dword ptr [ebp+14h] * 633bd1c8 ff7510 push dword ptr [ebp+10h] * 633bd1cb ff750c push dword ptr [ebp+0Ch] * 633bd1ce 53 push ebx * 633bd1cf e83c000000 call clr!ExecuteDLLForAttach (633bd210) * 633bd1d4 8945e8 mov dword ptr [ebp-18h],eax * 633bd1d7 c645fc02 mov byte ptr [ebp-4],2 * * 68988031 57 PUSH EDI * 68988032 FF75 08 PUSH DWORD PTR SS:[EBP+0x8] * 68988035 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-0x1C] * 68988038 8B4D DC MOV ECX,DWORD PTR SS:[EBP-0x24] * 6898803B E8 FEFDFFFF CALL 68987E3E ; clr.68987E3E * 68988040 8BF0 MOV ESI,EAX * 68988042 8975 EC MOV DWORD PTR SS:[EBP-0x14],ESI * 68988045 C645 FC 02 MOV BYTE PTR SS:[EBP-0x4],0x2 * * * */ } ptr++; IntPtr funcptr = (IntPtr)(((ptr + *(((uint *)ptr)))) + 4); Thread t = null; if (ExecuteExe) { ExeContext exeContext = new ExeContext(); exeContext.lib = lib; exeContext.func = funcptr; if (is_last_fr) { int paramCount = 1; exeContext.func = DetourOriginalAddress(exeContext.func, paramCount); } t = new System.Threading.Thread(new System.Threading.ThreadStart(exeContext.ExecuteExe)); } else { DllContext dllContext = new DllContext(); dllContext.lib = lib; dllContext.func = funcptr; dllContext.dwReason = 1; // DLL_PROCESS_ATTACH dllContext.fFromThunk = false; if (is_last_fr_load_dll) { int paramCount = 4; dllContext.func = DetourOriginalAddress(dllContext.func, paramCount); } t = new System.Threading.Thread(new System.Threading.ThreadStart(dllContext.ExecuteDll)); } t.SetApartmentState(ApartmentState.STA); t.Start(); while (t.IsAlive) { System.Windows.Forms.Application.DoEvents(); } Assembly assembly = null; // Old stupid code: removed /* * Assembly[] assemblies = AppDomain.CurrentDomain.GetAssemblies(); * for (int i=0;i<assemblies.Length;i++) * { * if (assemblies[i].FullName==rassemblyName.FullName) * { * assembly = assemblies[i]; * break; * } * } */ // This code before won't load managed assemblies - assemblies with "IL only" flag set // mixed mode assemblies are already loaded, // managed assemblies will be loaded by Assembly.Load assembly = Assembly.Load(rassemblyName); if (assembly == null) { MessageBox.Show("Failed to load the assembly!"); return(null); } return(assembly); }
public SecurityLevelForm(DllContext context) { InitializeComponent(); Context = context; }