
mandiant / jitm

License: Apache-2.0
JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.

What is this?

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample. JIT Hooking is a technique in which the sample hooks the JIT's compileMethod() function. With the hook in place, the sample can replace the MSIL with a decrypted/deobfuscated version at run time, right before each method is compiled, so the MSIL stored on disk is never the real code and static analysis becomes almost impossible.

One possible solution is to install our own hook before loading the sample. That gives us a chance to see the real MSIL as each method is compiled and to save it to a file. We can then rebuild the .NET executable by adding a brand new section containing the dumped method bodies and fixing the RVA of every affected method in the MethodDef table of the .NET #~ stream so that it points into that section. The end result is still not runnable without further intervention; however, it should be good enough for advanced static analysis.
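
As an added illustration of the rebuild step described above (example code written for this page, not jitm's own fix_assembly.py, and Python 3 rather than the project's Python 2.7), the snippet below parses a dumped method body the way ECMA-335 lays it out (tiny or fat header followed by IL), packs a set of dumps into a new section image, and computes the RVA that each MethodDef row would have to be patched with. The method tokens, bodies and the 0x6000 section RVA are constructed sample values, and nothing is assumed about the layout of jitm.json.

```python
import struct

# ECMA-335 II.25.4: the two low bits of the first header byte select the format.
TINY_FORMAT = 0x2
FAT_FORMAT = 0x3
FAT_FLAG_INIT_LOCALS = 0x10  # fat header flag; 0x8 (MoreSects) would mean extra sections follow the IL

def parse_method_body(body):
    """Split one dumped method body (header + IL) into its header fields."""
    if not body:
        raise ValueError("empty method body")
    kind = body[0] & 0x3
    if kind == TINY_FORMAT:
        code_size = body[0] >> 2  # tiny: 6-bit IL size, no locals, max stack 8
        return {"format": "tiny", "header_size": 1, "code_size": code_size,
                "max_stack": 8, "flags": 0, "local_sig": 0,
                "il": body[1:1 + code_size]}
    if kind == FAT_FORMAT:
        flags_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", body, 0)
        header_size = (flags_size >> 12) * 4  # upper nibble: header length in DWORDs (3)
        return {"format": "fat", "header_size": header_size, "code_size": code_size,
                "max_stack": max_stack, "flags": flags_size & 0xFFF,
                "local_sig": local_sig, "il": body[header_size:header_size + code_size]}
    raise ValueError("unknown method header byte 0x%02x" % body[0])

def layout_new_section(dumps, section_rva):
    """Pack dumped bodies ({MethodDef token: bytes}) into one section image and return
    the RVA each MethodDef row's RVA column must be patched to; fat bodies are 4-byte aligned."""
    image = bytearray()
    rvas = {}
    for token, body in dumps.items():
        if parse_method_body(body)["format"] == "fat":
            while len(image) % 4:
                image.append(0)
        rvas[token] = section_rva + len(image)
        image += body
    return rvas, bytes(image)

# Constructed sample dumps (not taken from any real sample):
#  0x06000001: tiny header, 2 bytes of IL -> ldc.i4.0; ret
#  0x06000002: fat header with InitLocals, 4 bytes of IL -> ldc.i4.0; ldc.i4.1; add; ret
SAMPLE_DUMPS = {
    0x06000001: bytes([0x0A, 0x16, 0x2A]),
    0x06000002: struct.pack("<HHII", 0x3013, 1, 4, 0x11000001) + bytes([0x16, 0x17, 0x58, 0x2A]),
}

if __name__ == "__main__":
    rvas, image = layout_new_section(SAMPLE_DUMPS, 0x6000)  # 0x6000: assumed RVA of the new section
    for token, rva in rvas.items():
        print("MethodDef 0x%08X -> new RVA 0x%X (%s)" % (token, rva, parse_method_body(SAMPLE_DUMPS[token])["format"]))
```

Writing the returned image as a new PE section and storing each RVA in the first column of the matching MethodDef row is the remaining part of the rebuild; the section's characteristics must allow reads, since the runtime and tools such as dnSpy fetch IL from it.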

How do I use this?

  • Make sure your sample is runnable. If not, you may have to modify the tool.
  • Run jitm sample.exe [optional_timeout_in_milliseconds]. jitm first loads jitmhook.dll and calls its HookNative() export to install a native hook. jitm then loads the sample, runs its entry point and waits for the timeout to expire before exiting. This should produce jitm.log and jitm.json.
  • Run the fix_assembly.py script: py -2 fix_assembly.py -f sample.exe -o output.exe -j jitm.json.
  • Use de4dot and dnSpy to statically analyze output.exe. However, to use a debugger, load and debug sample.exe instead, since output.exe is not runnable.

Known issues

  • jitmhook saves both the MSIL and the method body header, as tested on a variant of MassLogger. Future variants may change this behavior.
  • Current python scripts only run on Python 2.7

How to build

Build and install PolyHook_2_0

Recommendation: use the vcpkg method and build statically, so that all dependencies are included in one DLL.

git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
.\bootstrap-vcpkg.bat -disableMetrics
(as admin) .\vcpkg integrate install
vcpkg install polyhook2:x64-windows-static polyhook2:x86-windows-static

Build JITM

Open the sln file using Visual Studio 2017 or Visual Studio 2019 and build using the GUI.
