From 8b88d487fd6b84e14b5b72cf54b44c0f99b2ea96 Mon Sep 17 00:00:00 2001
From: Yohann Sillam
Date: Mon, 15 Apr 2024 09:24:46 +0300
Subject: [PATCH] documentation update
---
docs/02_description.markdown | 7 ++++++-
docs/04_disclaimer.markdown | 4 ++--
docs/_site/about/index.html | 5 ++---
docs/_site/contribution/index.html | 2 +-
docs/_site/description/index.html | 7 ++++++-
docs/_site/disclaimer/index.html | 3 +--
docs/_site/feed.xml | 2 +-
7 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/docs/02_description.markdown b/docs/02_description.markdown
index c99958e..266586f 100644
--- a/docs/02_description.markdown
+++ b/docs/02_description.markdown
@@ -13,6 +13,7 @@ redirect_from:
The Frida-Jit-unPacker aims at helping researchers and analysts understand the behavior of malicious .NET packed samples in order to provide a mitigation.
This tool uses the [Frida instrumentation toolkit](https://frida.re/) to inject scripts into [the CLR](https://en.wikipedia.org/wiki/Common_Language_Runtime) and manipulate the behavior of the .NET executable to retrieve the original code.
More precisely, this tool intercepts the communication between the CLR components in order retrieve the original IL code of a packed assembly.
+To stay under the radar, the tool doesn't use the prepareMethod function. Therefore, only methods that compiled during execution will be recovered.
If you liked this software, please, add a GitHub star ⭐️, thank you !
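Review bot: the added sentence has a grammar slip and an unexplained identifier: "only methods that compiled during execution" should read "only methods that are compiled during execution", and `prepareMethod` should be written as the runtime names it (presumably `RuntimeHelpers.PrepareMethod`) so readers can look it up. It is also worth stating the consequence for the analyst: because the tool waits for the JIT instead of forcing compilation, any method that is never executed during the run is absent from the recovered assembly, so the output can be incomplete. While this paragraph is being edited, the unchanged line above still reads "in order retrieve the original IL code"; it should be "in order to retrieve".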
@@ -23,4 +24,8 @@ We assume here that the packer saves encrypted the orginal IL code of the applic
The unpacker runs the sample and uses Frida to place hooks and intercept the components of the CLR (Method compilation, Token resolution, ...), at a lower level than the packer. Moreover, it uses a stealthy approach by placing hooks not at the start or end of functions for example, but uses a smart hooking strategy to evade potential detection by the packer.
# Smart Hooking Strategy
-The program uses Frida to disassemble CLR functions and place hooks as far as possible from packer monitoring points (start address of the function for example) while still collecting their input.
\ No newline at end of file
+The program uses Frida to disassemble CLR functions and place hooks as far as possible from packer monitoring points (start address of the function for example) while still collecting their input.
+
+# Acknowledgement
+We gratefully acknowledge the contributions of the teams responsible for the development of dnSpy, CFF Explorer, JITM, JitHook, Frida, pefile and dotnetfile. These tools / projects have been very helpful to our work.
+
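Review bot: the removed and re-added "The program uses Frida to disassemble CLR functions" lines are textually identical, so the only change there is the missing newline at end of file, which is fine; but the new Acknowledgement section then ends with an extra empty "+" line, leaving a trailing blank line in the file, and that should be dropped. The context line in the hunk header still reads "saves encrypted the orginal IL code": "orginal" is a typo, and "saves the original IL code encrypted" reads better. Since the new section names dnSpy, CFF Explorer, JITM, JitHook, Frida, pefile and dotnetfile, consider linking each to its project page, as the description already does for Frida and the CLR.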
diff --git a/docs/04_disclaimer.markdown b/docs/04_disclaimer.markdown
index fd99c35..8b9221b 100644
--- a/docs/04_disclaimer.markdown
+++ b/docs/04_disclaimer.markdown
@@ -9,8 +9,8 @@ order: 4
## Disclaimer:
1. This tool should be used solely for legal and ethical purposes.
2. Malware protection and unpacking is a cat and mouse game. Imperva is not responsible in case the unpacking process failed.
-3. It's obviously recommended to run any analysis in a dedicated VM for malware analysis. Imperva is not responsible for any consequence of the usage of the tool.
+
## Warning
1. Frida is often flagged wrongly by anti-viruses.
-2. It's obviously recommended to run any analysis in a dedicated VM for malware analysis.
\ No newline at end of file
+2. It's obviously recommended to run any analysis in a dedicated VM for malware analysis. Imperva is not responsible for any consequence of the usage of the tool.
\ No newline at end of file
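Review bot: moving the liability sentence ("Imperva is not responsible for any consequence of the usage of the tool") out of the Disclaimer list and into Warning item 2 places a disclaimer under the wrong heading, and the deletion leaves a bare "+" empty line where item 3 was. Suggest keeping the sentence as Disclaimer item 3 on its own (the VM recommendation is already Warning item 2, so the duplicate wording can go) and leaving Warning item 2 as the VM recommendation alone. Two smaller points: "## Disclaimer:" carries a trailing colon that "## Warning" does not, and the file still ends without a newline.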
diff --git a/docs/_site/about/index.html b/docs/_site/about/index.html
index 7ce50c1..2bddb92 100644
--- a/docs/_site/about/index.html
+++ b/docs/_site/about/index.html
@@ -47,9 +47,8 @@
If you have ideas for new features or improvements, please use GitHub Discussions to share them with the community. This allows us to collaborate on the idea and assess its feasibility.
Documentation:
-
If you see an area that needs improvement or have suggestions for new content, please let us know or contribute directly by editing the documentation.
+
If you see an area that needs improvement or have suggestions for new content, please let us know.
The Frida-Jit-unPacker aims at helping researchers and analysts understand the behavior of malicious .NET packed samples in order to provide a mitigation.
This tool uses the Frida instrumentation toolkit to inject scripts into the CLR and manipulate the behavior of the .NET executable to retrieve the original code.
-More precisely, this tool intercepts the communication between the CLR components in order retrieve the original IL code of a packed assembly.
+More precisely, this tool intercepts the communication between the CLR components in order retrieve the original IL code of a packed assembly.
+To stay under the radar, the tool doesn’t use the prepareMethod function. Therefore, only methods that compiled during execution will be recovered.
If you liked this software, please, add a GitHub star ⭐️, thank you !
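Review bot: this hunk edits a generated file under docs/_site, yet the patch carries no change to the markdown source for the About page even though its text loses the clause "or contribute directly by editing the documentation"; either that source was edited in an earlier commit or the built site has drifted from it. Committing Jekyll's _site output next to the sources makes this drift easy to introduce; the usual approach is to add _site to .gitignore and build the site in CI or at deploy time. Also, the removed and re-added "More precisely, this tool intercepts" lines are textually identical, and the "in order retrieve" typo from the source is carried into the rendered page.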
@@ -61,6 +62,10 @@
Principle
Smart Hooking Strategy
The program uses Frida to disassemble CLR functions and place hooks as far as possible from packer monitoring points (start address of the function for example) while still collecting their input.
+
Acknowledgement
+
We gratefully acknowledge the contributions of the teams responsible for the development of dnSpy, CFF Explorer, JITM, JitHook, Frida, pefile and dotnetfile. These tools / projects have been very helpful to our work.
This tool should be used solely for legal and ethical purposes.
Malware protection and unpacking is a cat and mouse game. Imperva is not responsible in case the unpacking process failed.
-
It’s obviously recommended to run any analysis in a dedicated VM for malware analysis. Imperva is not responsible for any consequence of the usage of the tool.
Warning
Frida is often flagged wrongly by anti-viruses.
-
It’s obviously recommended to run any analysis in a dedicated VM for malware analysis.
+
It’s obviously recommended to run any analysis in a dedicated VM for malware analysis. Imperva is not responsible for any consequence of the usage of the tool.
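Review bot: the rendered page mirrors the disclaimer restructuring from docs/04_disclaimer.markdown, with "Imperva is not responsible for any consequence of the usage of the tool" now appearing only under Warning; whatever is decided for the source file (keeping that sentence as a Disclaimer item) should reach this file through a rebuild, not a hand edit. The empty "+" lines added around "Acknowledgement" and before the final Warning item, and the "-" lines removed after the two list items, indicate the list markup in the generated HTML changed; since the hunk as shown carries only the text content, check that the rebuilt page still renders the Disclaimer and Warning lists as numbered items.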
diff --git a/docs/_site/feed.xml b/docs/_site/feed.xml
index 9cbb150..885c7c6 100644
--- a/docs/_site/feed.xml
+++ b/docs/_site/feed.xml
@@ -1 +1 @@
-Jekyll2024-04-02T14:17:49+03:00http://localhost:4000/feed.xmlFrida-Jit-UnpackerThe Frida-Jit-unPacker aims at helping researchers and analysts understand the behavior of packed malicious .NET samples.
\ No newline at end of file
+Jekyll2024-04-15T09:23:27+03:00http://localhost:4000/feed.xmlFrida-Jit-UnpackerThe Frida-Jit-unPacker aims at helping researchers and analysts understand the behavior of packed malicious .NET samples.
\ No newline at end of file
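Review bot: the only change to feed.xml is the build timestamp (2024-04-02T14:17:49+03:00 to 2024-04-15T09:23:27+03:00); the feed content is unchanged, so this line is pure churn from committing build output. The feed also advertises http://localhost:4000/feed.xml as its own address, meaning the site was built with the development server URL; if the generated site is to stay in the repository, set the production url in the Jekyll configuration before building, otherwise the published feed points readers at localhost. The file still ends without a newline. Note as well that the diffstat lists seven files but only four appear in the hunks above (the contribution, description and disclaimer pages under docs/_site are missing), so the patch as shown is incomplete.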