Skip to content
This repository has been archived by the owner on Sep 16, 2021. It is now read-only.
/ jitm Public archive

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.

License

Apache-2.0 license
48 stars 28 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mandiant/jitm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

Release/x86

Release/x86

 
 

Scripts

Scripts

 
 

jitm

jitm

 
 

jitmhook

jitmhook

 
 

.gitignore

.gitignore

 
 

LICENSE.txt

LICENSE.txt

 
 

README.md

README.md

 
 

jitm.sln

jitm.sln

 
 

Repository files navigation

What is this?

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample. JIT Hooking is the technique where the sample hooks the compileMethod() function. With the hook in place, the sample can easily replace the MSIL with a decrypted/deobfuscated version at run time. This makes static analysis almost impossible.

One possible solution is to install our own hook before loading the sample. We can have a chance to save/recover the real MSIL and save the content to a file. We can then rebuild the .NET executable by adding a brand new section containing the dumped methods and fix all methods in the MethodDef tables of the .NET #~ stream. The end result is still not runable without further intervention; however, it should be good enough to perform advanced static analysis.

How do I use this?

  • Make sure your sample is runable. If not, you may have to modify the tool
  • Run jitm sample.exe [optional_timeout_in_miliseconds]. jitm will first loads jitmhook.dll and calls HookNative() export to install a native hook. jitm then loads and run the sample entry point and wait for the timeout to expire before exiting. This should produces a jitm.log and jitm.json
  • Run the fix_assembly.py script: py -2 fix_assembly.py -f sample.exe -o output.exe -j jitm.json.
  • Use de4dot and dnSpy to statically analyze output.exe. However, to use a debugger, load and debug sample.exe instead.

Known issues

  • jitmhook saves both the MSIL and the method body header as tested on a variant of MassLogger. Future variants may change this behavior
  • Current python scripts only run on Python 2.7

How to build

Build and install PolyHook_2_0

Recommendation: use vcpkg method, and build statically to have all dependencies included in one DLL

git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
.\bootstrap-vcpkg.bat -disableMetrics
(as admin) .\vcpkg integrate install
vcpkg install polyhook2:x64-windows-static polyhook2:x86-windows-static

Build JITM

Open the sln file using Visual Studio 2017 or Visual Studio 2019 and build using the GUI.

About

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.

Topics

hooks dotnet jit malware-analysis jit-compiler fireeye-flare

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

48 stars

Watchers

5 watching

Forks

28 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages