G
Guest
Hi,
I am writing some kind of an encryptor for.NET assemblies, This require me:
A. To encrypt the IL code ( done successfully )
B. To enable transparent means of decrypting the IL code on run-time in a
way that the encrypted DLL will stay independent.
Concerning the latter issue, to achieve custom functionality upon EXE
startup I am trying to inject a DLL to an existing PE image, this is done by
adding an additional DLL import dependency to the existing PE ( e.g. editing
the already existing PE sections ), to achieve what was just described I am
reconstructing the IMPORT, IAT and RELOC tables: adding custom DLL import
dependency ( in addition to mscoree.dll )… BUT it doesn’t seem to work, the
loader produce STATUS_INVALID_IMAGE_FORMAT (0xC000007B) error, when
reconstructing the tables only with a dependency for ‘mscoree.dll‘ everything
works fine, at the minute I add an additional DLL, the loader fails… doing
some research I have stumbled upon peverify.exe of the sscli, assuming the
loader do the same verification done by ‘peverifier.exe’ I have tried the
following things:
I have used peverify.exe on my injected EXE ( with a debugger attached ) I
got the same results: ‘[IL]: Error: Unverifiable PE Header/native stub.’,
when breaking with the debugger I get to the following line:
Peverifier.cpp:
// There should be only one entry in this table.
if (IMAGE_IMPORT_DESC_FIELD(pID[1], Characteristics) != 0)
{
Log("IMAGE_IMPORT_DESCRIPTOR[1] should be NULL\n");
return FALSE;
}
Peverifier.exe ‘verifies’ that there is no more then one file dependency,
SOoo… adding an additional import dependency causes it to report error
preventing addition of functionality this way… there are some other ‘strange’
verifications such as:
// Check if mscoree.dll is the import dll name.
static const CHAR s_szDllName[] = "mscoree.dll";
…
if (CompareStringAtRVA(VAL32(pID[0].Name),
(CHAR*)s_szDllName,
LENGTH_OF_DLL_NAME) == FALSE)
{
…
}
The imported DLL can be no other then ‘mscoree.dll’…
And there is much more… code segment is mixed with the AIT table: share a
common address in the PE that is being used for execution as-well as for
relocation… and there is even more…
Anyhow I am really desperate, I need my encrypted EXE to be independent and
this require me to add some unmanaged functionality to the existing managed
PE… any advice remark or some insight on the process I have described would
be appreciated…
Thanks in advance,
Nadav,
http://www.ddevel.com
I am writing some kind of an encryptor for.NET assemblies, This require me:
A. To encrypt the IL code ( done successfully )
B. To enable transparent means of decrypting the IL code on run-time in a
way that the encrypted DLL will stay independent.
Concerning the latter issue, to achieve custom functionality upon EXE
startup I am trying to inject a DLL to an existing PE image, this is done by
adding an additional DLL import dependency to the existing PE ( e.g. editing
the already existing PE sections ), to achieve what was just described I am
reconstructing the IMPORT, IAT and RELOC tables: adding custom DLL import
dependency ( in addition to mscoree.dll )… BUT it doesn’t seem to work, the
loader produce STATUS_INVALID_IMAGE_FORMAT (0xC000007B) error, when
reconstructing the tables only with a dependency for ‘mscoree.dll‘ everything
works fine, at the minute I add an additional DLL, the loader fails… doing
some research I have stumbled upon peverify.exe of the sscli, assuming the
loader do the same verification done by ‘peverifier.exe’ I have tried the
following things:
I have used peverify.exe on my injected EXE ( with a debugger attached ) I
got the same results: ‘[IL]: Error: Unverifiable PE Header/native stub.’,
when breaking with the debugger I get to the following line:
Peverifier.cpp:
// There should be only one entry in this table.
if (IMAGE_IMPORT_DESC_FIELD(pID[1], Characteristics) != 0)
{
Log("IMAGE_IMPORT_DESCRIPTOR[1] should be NULL\n");
return FALSE;
}
Peverifier.exe ‘verifies’ that there is no more then one file dependency,
SOoo… adding an additional import dependency causes it to report error
preventing addition of functionality this way… there are some other ‘strange’
verifications such as:
// Check if mscoree.dll is the import dll name.
static const CHAR s_szDllName[] = "mscoree.dll";
…
if (CompareStringAtRVA(VAL32(pID[0].Name),
(CHAR*)s_szDllName,
LENGTH_OF_DLL_NAME) == FALSE)
{
…
}
The imported DLL can be no other then ‘mscoree.dll’…
And there is much more… code segment is mixed with the AIT table: share a
common address in the PE that is being used for execution as-well as for
relocation… and there is even more…
Anyhow I am really desperate, I need my encrypted EXE to be independent and
this require me to add some unmanaged functionality to the existing managed
PE… any advice remark or some insight on the process I have described would
be appreciated…
Thanks in advance,
Nadav,
http://www.ddevel.com
