From e0904b3d4c507cbcaa04d59d4c83e0016df9fd96 Mon Sep 17 00:00:00 2001 From: Yohann Sillam Date: Wed, 27 Mar 2024 09:09:03 +0200 Subject: [PATCH] Documentation website --- docs/.gitignore | 5 + docs/01_quickstart.markdown | 59 +++++++ docs/02_description.markdown | 23 +++ docs/03_contribution.markdown | 18 +++ docs/04_about.markdown | 13 ++ docs/404.html | 25 +++ docs/Gemfile | 38 +++++ docs/Gemfile.lock | 294 ++++++++++++++++++++++++++++++++++ docs/_config.yml | 64 ++++++++ docs/index.markdown | 6 + 10 files changed, 545 insertions(+) create mode 100644 docs/.gitignore create mode 100644 docs/01_quickstart.markdown create mode 100644 docs/02_description.markdown create mode 100644 docs/03_contribution.markdown create mode 100644 docs/04_about.markdown create mode 100644 docs/404.html create mode 100644 docs/Gemfile create mode 100644 docs/Gemfile.lock create mode 100644 docs/_config.yml create mode 100644 docs/index.markdown diff --git a/docs/.gitignore b/docs/.gitignore new file mode 100644 index 0000000..f40fbd8 --- /dev/null +++ b/docs/.gitignore @@ -0,0 +1,5 @@ +_site +.sass-cache +.jekyll-cache +.jekyll-metadata +vendor diff --git a/docs/01_quickstart.markdown b/docs/01_quickstart.markdown new file mode 100644 index 0000000..3233589 --- /dev/null +++ b/docs/01_quickstart.markdown @@ -0,0 +1,59 @@ +--- +layout: page +title: Quick Start +order: 1 +permalink: /quickstart/ + +--- + +## Quick Start + +# Requirements : +The software runs in Windows > 10 environment with x86_64 architecture + +# Installation +- Download the archive release_1.0_x64.zip from the release section and extract it anywhere in your environment. + +# Usage +- Create a directory called `executables` and add your sample and its dependencies to it. +- Run the following command from the release folder: +```shell +> dist/x64/fjp.exe [OPTIONS] -f -o +``` + +# Options +The list of options and the information regarding their usage can be obtained via the `--help` option : +```txt +> dist/x64/fjp.exe --help + +______ _ _ ___ _ _ ______ _ +| ___| (_) | | |_ |(_)| | | ___ \ | | +| |_ _ __ _ __| | __ _ | | _ | |_ _ _ _ __ | |_/ /__ _ ___ | | __ ___ _ __ +| _|| '__|| | / _` | / _` | | || || __| | | | || '_ \ | __// _` | / __|| |/ // _ \| '__| +| | | | | || (_| || (_| | /\__/ /| || |_ | |_| || | | || | | (_| || (__ | <| __/| | +\_| |_| |_| \__,_| \__,_| \____/ |_| \__| \__,_||_| |_|\_| \__,_| \___||_|\_\___||_| + + + +usage: fjp [-h] -f EXECUTABLE [-t TIMEOUT] [-o OUTPUT] [-r] [-sr SCANNING_RANGE] [-s COMPILE_FUNCTION] [-l] + +Tool to recover the original IL code of running methods from a packed .NET +assembly. + +optional arguments: + -h, --help show this help message and exit + -f EXECUTABLE, --file EXECUTABLE + Path of the sample + -t TIMEOUT, --timeout TIMEOUT + Execution timeout + -o OUTPUT, --output OUTPUT + Output file path + -r, --resolve_token Recover encrypted tokens + -sr SCANNING_RANGE, --scanning_range SCANNING_RANGE + Number of assembly instructions to scan to find hook address (0 + - 15). + -s COMPILE_FUNCTION, --compile_function COMPILE_FUNCTION + Either compileMethod, jitNativeCode or + compCompileHelper for now +``` + \ No newline at end of file diff --git a/docs/02_description.markdown b/docs/02_description.markdown new file mode 100644 index 0000000..e775ac6 --- /dev/null +++ b/docs/02_description.markdown @@ -0,0 +1,23 @@ +--- +layout: page +title: Description +permalink: /description/ +order: 2 +redirect_from: + - / +--- + +## Frida-Jit-unPacker + +# General Description +The Frida-Jit-unPacker aims at helping researchers and analysts understand the behavior of malicious .NET packed samples in order to provide a mitigation. +This tool uses the [Frida instrumentation toolkit](https://frida.re/) to inject scripts into [the CLR](https://en.wikipedia.org/wiki/Common_Language_Runtime) and manipulate the behavior of the .NET executable to retrieve the original code. +More precisely, this tool intercepts the communication between the CLR components in order retrieve the original IL code of a packed assembly. + +If you liked this software, please, add a GitHub star ⭐️, thank you ! + +# Assumption +We assume here that the packer saves encrypted the orginal IL code of the application and overwrites the method information in the assembly. Then, whenever compilation of a specific method occurs, the packer intercepts the relevant APIs (CompileMethod, ResolveToken ...) in order to provide the original information, just in time, and replaces the fake data. + +# Principle +The unpacker uses Frida to place hooks to intercept the same components of the CLR (Method compilation, Token resolution, ...) but at a lower level than the packer. Moreover, it uses a stealthy approach by placing hooks not at the start or end of functions for example, but uses a smart hooking strategy to evade potential detection by the packer. diff --git a/docs/03_contribution.markdown b/docs/03_contribution.markdown new file mode 100644 index 0000000..49f103d --- /dev/null +++ b/docs/03_contribution.markdown @@ -0,0 +1,18 @@ +--- +layout: page +title: Contributions +permalink: /contribution/ +order: 3 + +--- +## Contribution Guidelines +We welcome and encourage contributions to Frida-Jit-unPacker from anyone interested in improving our project. Here are some ways you can contribute: + +# Reporting bugs: +If you find a bug in the software, please check our GitHub Issues to see if it has already been reported. If not, you can open a new issue with a detailed description of the bug, steps to reproduce it, and any relevant logs or screenshots. + +# Feature requests: +If you have ideas for new features or improvements, please use GitHub Discussions to share them with the community. This allows us to collaborate on the idea and assess its feasibility. + +# Documentation: +If you see an area that needs improvement or have suggestions for new content, please let us know or contribute directly by editing the documentation. \ No newline at end of file diff --git a/docs/04_about.markdown b/docs/04_about.markdown new file mode 100644 index 0000000..aeb1f60 --- /dev/null +++ b/docs/04_about.markdown @@ -0,0 +1,13 @@ +--- +layout: page +title: About +permalink: /about/ +order: 4 +--- + +Frida-Jit-unPacker is a Freeware developed by Imperva. + +You can find more about Imperva : + +[Imperva](https://imperva.com/) +[Imperva-Github](https://github.com/imperva/) diff --git a/docs/404.html b/docs/404.html new file mode 100644 index 0000000..086a5c9 --- /dev/null +++ b/docs/404.html @@ -0,0 +1,25 @@ +--- +permalink: /404.html +layout: default +--- + + + +
+

404

+ +

Page not found :(

+

The requested page could not be found.

+
diff --git a/docs/Gemfile b/docs/Gemfile new file mode 100644 index 0000000..d3f9e32 --- /dev/null +++ b/docs/Gemfile @@ -0,0 +1,38 @@ +source "https://rubygems.org" +# Hello! This is where you manage which Jekyll version is used to run. +# When you want to use a different version, change it below, save the +# file and run `bundle install`. Run Jekyll with `bundle exec`, like so: +# +# bundle exec jekyll serve +# +# This will help ensure the proper Jekyll version is running. +# Happy Jekylling! +#gem "jekyll", "~> 4.3.3" +# This is the default theme for new Jekyll sites. You may change this to anything you like. +gem "minima", "~> 2.5" +gem 'webrick', '~> 1.7' + +# If you want to use GitHub Pages, remove the "gem "jekyll"" above and +# uncomment the line below. To upgrade, run `bundle update github-pages`. + +gem "github-pages", "~> 231", group: :jekyll_plugins +# If you have any plugins, put them here! +group :jekyll_plugins do + gem "jekyll-feed", "~> 0.12" +end + +# Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem +# and associated library. +platforms :mingw, :x64_mingw, :mswin, :jruby do + gem "tzinfo", ">= 1", "< 3" + gem "tzinfo-data" +end + +# Performance-booster for watching directories on Windows +gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin] + +# Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem +# do not have a Java counterpart. +gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby] + +gem 'jekyll-redirect-from' diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock new file mode 100644 index 0000000..2d02afd --- /dev/null +++ b/docs/Gemfile.lock @@ -0,0 +1,294 @@ +GEM + remote: https://rubygems.org/ + specs: + activesupport (7.1.3.2) + base64 + bigdecimal + concurrent-ruby (~> 1.0, >= 1.0.2) + connection_pool (>= 2.2.5) + drb + i18n (>= 1.6, < 2) + minitest (>= 5.1) + mutex_m + tzinfo (~> 2.0) + addressable (2.8.6) + public_suffix (>= 2.0.2, < 6.0) + base64 (0.2.0) + bigdecimal (3.1.7) + coffee-script (2.4.1) + coffee-script-source + execjs + coffee-script-source (1.12.2) + colorator (1.1.0) + commonmarker (0.23.10) + concurrent-ruby (1.2.3) + connection_pool (2.4.1) + dnsruby (1.71.0) + simpleidn (~> 0.2.1) + drb (2.2.1) + em-websocket (0.5.3) + eventmachine (>= 0.12.9) + http_parser.rb (~> 0) + ethon (0.16.0) + ffi (>= 1.15.0) + eventmachine (1.2.7) + execjs (2.9.1) + faraday (2.9.0) + faraday-net_http (>= 2.0, < 3.2) + faraday-net_http (3.1.0) + net-http + ffi (1.16.3) + forwardable-extended (2.6.0) + gemoji (4.1.0) + github-pages (231) + github-pages-health-check (= 1.18.2) + jekyll (= 3.9.5) + jekyll-avatar (= 0.8.0) + jekyll-coffeescript (= 1.2.2) + jekyll-commonmark-ghpages (= 0.4.0) + jekyll-default-layout (= 0.1.5) + jekyll-feed (= 0.17.0) + jekyll-gist (= 1.5.0) + jekyll-github-metadata (= 2.16.1) + jekyll-include-cache (= 0.2.1) + jekyll-mentions (= 1.6.0) + jekyll-optional-front-matter (= 0.3.2) + jekyll-paginate (= 1.1.0) + jekyll-readme-index (= 0.3.0) + jekyll-redirect-from (= 0.16.0) + jekyll-relative-links (= 0.6.1) + jekyll-remote-theme (= 0.4.3) + jekyll-sass-converter (= 1.5.2) + jekyll-seo-tag (= 2.8.0) + jekyll-sitemap (= 1.4.0) + jekyll-swiss (= 1.0.0) + jekyll-theme-architect (= 0.2.0) + jekyll-theme-cayman (= 0.2.0) + jekyll-theme-dinky (= 0.2.0) + jekyll-theme-hacker (= 0.2.0) + jekyll-theme-leap-day (= 0.2.0) + jekyll-theme-merlot (= 0.2.0) + jekyll-theme-midnight (= 0.2.0) + jekyll-theme-minimal (= 0.2.0) + jekyll-theme-modernist (= 0.2.0) + jekyll-theme-primer (= 0.6.0) + jekyll-theme-slate (= 0.2.0) + jekyll-theme-tactile (= 0.2.0) + jekyll-theme-time-machine (= 0.2.0) + jekyll-titles-from-headings (= 0.5.3) + jemoji (= 0.13.0) + kramdown (= 2.4.0) + kramdown-parser-gfm (= 1.1.0) + liquid (= 4.0.4) + mercenary (~> 0.3) + minima (= 2.5.1) + nokogiri (>= 1.13.6, < 2.0) + rouge (= 3.30.0) + terminal-table (~> 1.4) + github-pages-health-check (1.18.2) + addressable (~> 2.3) + dnsruby (~> 1.60) + octokit (>= 4, < 8) + public_suffix (>= 3.0, < 6.0) + typhoeus (~> 1.3) + html-pipeline (2.14.3) + activesupport (>= 2) + nokogiri (>= 1.4) + http_parser.rb (0.8.0) + i18n (1.14.4) + concurrent-ruby (~> 1.0) + jekyll (3.9.5) + addressable (~> 2.4) + colorator (~> 1.0) + em-websocket (~> 0.5) + i18n (>= 0.7, < 2) + jekyll-sass-converter (~> 1.0) + jekyll-watch (~> 2.0) + kramdown (>= 1.17, < 3) + liquid (~> 4.0) + mercenary (~> 0.3.3) + pathutil (~> 0.9) + rouge (>= 1.7, < 4) + safe_yaml (~> 1.0) + jekyll-avatar (0.8.0) + jekyll (>= 3.0, < 5.0) + jekyll-coffeescript (1.2.2) + coffee-script (~> 2.2) + coffee-script-source (~> 1.12) + jekyll-commonmark (1.4.0) + commonmarker (~> 0.22) + jekyll-commonmark-ghpages (0.4.0) + commonmarker (~> 0.23.7) + jekyll (~> 3.9.0) + jekyll-commonmark (~> 1.4.0) + rouge (>= 2.0, < 5.0) + jekyll-default-layout (0.1.5) + jekyll (>= 3.0, < 5.0) + jekyll-feed (0.17.0) + jekyll (>= 3.7, < 5.0) + jekyll-gist (1.5.0) + octokit (~> 4.2) + jekyll-github-metadata (2.16.1) + jekyll (>= 3.4, < 5.0) + octokit (>= 4, < 7, != 4.4.0) + jekyll-include-cache (0.2.1) + jekyll (>= 3.7, < 5.0) + jekyll-mentions (1.6.0) + html-pipeline (~> 2.3) + jekyll (>= 3.7, < 5.0) + jekyll-optional-front-matter (0.3.2) + jekyll (>= 3.0, < 5.0) + jekyll-paginate (1.1.0) + jekyll-readme-index (0.3.0) + jekyll (>= 3.0, < 5.0) + jekyll-redirect-from (0.16.0) + jekyll (>= 3.3, < 5.0) + jekyll-relative-links (0.6.1) + jekyll (>= 3.3, < 5.0) + jekyll-remote-theme (0.4.3) + addressable (~> 2.0) + jekyll (>= 3.5, < 5.0) + jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0) + rubyzip (>= 1.3.0, < 3.0) + jekyll-sass-converter (1.5.2) + sass (~> 3.4) + jekyll-seo-tag (2.8.0) + jekyll (>= 3.8, < 5.0) + jekyll-sitemap (1.4.0) + jekyll (>= 3.7, < 5.0) + jekyll-swiss (1.0.0) + jekyll-theme-architect (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-cayman (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-dinky (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-hacker (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-leap-day (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-merlot (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-midnight (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-minimal (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-modernist (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-primer (0.6.0) + jekyll (> 3.5, < 5.0) + jekyll-github-metadata (~> 2.9) + jekyll-seo-tag (~> 2.0) + jekyll-theme-slate (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-tactile (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-time-machine (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-titles-from-headings (0.5.3) + jekyll (>= 3.3, < 5.0) + jekyll-watch (2.2.1) + listen (~> 3.0) + jemoji (0.13.0) + gemoji (>= 3, < 5) + html-pipeline (~> 2.2) + jekyll (>= 3.0, < 5.0) + kramdown (2.4.0) + rexml + kramdown-parser-gfm (1.1.0) + kramdown (~> 2.0) + liquid (4.0.4) + listen (3.9.0) + rb-fsevent (~> 0.10, >= 0.10.3) + rb-inotify (~> 0.9, >= 0.9.10) + mercenary (0.3.6) + minima (2.5.1) + jekyll (>= 3.5, < 5.0) + jekyll-feed (~> 0.9) + jekyll-seo-tag (~> 2.1) + minitest (5.22.3) + mutex_m (0.2.0) + net-http (0.4.1) + uri + nokogiri (1.16.3-aarch64-linux) + racc (~> 1.4) + nokogiri (1.16.3-arm-linux) + racc (~> 1.4) + nokogiri (1.16.3-arm64-darwin) + racc (~> 1.4) + nokogiri (1.16.3-x86-linux) + racc (~> 1.4) + nokogiri (1.16.3-x86_64-darwin) + racc (~> 1.4) + nokogiri (1.16.3-x86_64-linux) + racc (~> 1.4) + octokit (4.25.1) + faraday (>= 1, < 3) + sawyer (~> 0.9) + pathutil (0.16.2) + forwardable-extended (~> 2.6) + public_suffix (5.0.4) + racc (1.7.3) + rb-fsevent (0.11.2) + rb-inotify (0.10.1) + ffi (~> 1.0) + rexml (3.2.6) + rouge (3.30.0) + rubyzip (2.3.2) + safe_yaml (1.0.5) + sass (3.7.4) + sass-listen (~> 4.0.0) + sass-listen (4.0.0) + rb-fsevent (~> 0.9, >= 0.9.4) + rb-inotify (~> 0.9, >= 0.9.7) + sawyer (0.9.2) + addressable (>= 2.3.5) + faraday (>= 0.17.3, < 3) + simpleidn (0.2.1) + unf (~> 0.1.4) + terminal-table (1.8.0) + unicode-display_width (~> 1.1, >= 1.1.1) + typhoeus (1.4.1) + ethon (>= 0.9.0) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + unf (0.1.4) + unf_ext + unf_ext (0.0.9.1) + unicode-display_width (1.8.0) + uri (0.13.0) + webrick (1.8.1) + +PLATFORMS + aarch64-linux + arm-linux + arm64-darwin + x86-linux + x86_64-darwin + x86_64-linux + +DEPENDENCIES + github-pages (~> 231) + http_parser.rb (~> 0.6.0) + jekyll-feed (~> 0.12) + jekyll-redirect-from + minima (~> 2.5) + tzinfo (>= 1, < 3) + tzinfo-data + wdm (~> 0.1.1) + webrick (~> 1.7) + +BUNDLED WITH + 2.5.7 diff --git a/docs/_config.yml b/docs/_config.yml new file mode 100644 index 0000000..55f6999 --- /dev/null +++ b/docs/_config.yml @@ -0,0 +1,64 @@ +# Welcome to Jekyll! +# +# This config file is meant for settings that affect your whole blog, values +# which you are expected to set up once and rarely edit after that. If you find +# yourself editing this file very often, consider using Jekyll's data files +# feature for the data you need to update frequently. +# +# For technical reasons, this file is *NOT* reloaded automatically when you use +# 'bundle exec jekyll serve'. If you change this file, please restart the server process. +# +# If you need help with YAML syntax, here are some quick references for you: +# https://learn-the-web.algonquindesign.ca/topics/markdown-yaml-cheat-sheet/#yaml +# https://learnxinyminutes.com/docs/yaml/ +# +# Site settings +# These are used to personalize your new site. If you look in the HTML files, +# you will see them accessed via {{ site.title }}, {{ site.email }}, and so on. +# You can create any custom variable you would like, and they will be accessible +# in the templates via {{ site.myvariable }}. + +title: Frida-Jit-Unpacker +email: yohann.sillam@imperva.com +description: >- # this means to ignore newlines until "baseurl:" + The Frida-Jit-unPacker aims at helping researchers and analysts understand the behavior of packed malicious .NET samples. +baseurl: "" # the subpath of your site, e.g. /blog +url: "" # the base hostname & protocol for your site, e.g. http://example.com +linkedin_username: imperva +github_username: imperva + +plugins: + - jekyll-redirect-from + +# Build settings +theme: minima + + +# Exclude from processing. +# The following items will not be processed, by default. +# Any item listed under the `exclude:` key here will be automatically added to +# the internal "default list". +# +# Excluded items can be processed by explicitly listing the directories or +# their entries' file path in the `include:` list. +# +# exclude: +# - .sass-cache/ +# - .jekyll-cache/ +# - gemfiles/ +# - Gemfile +# - Gemfile.lock +# - node_modules/ +# - vendor/bundle/ +# - vendor/cache/ +# - vendor/gems/ +# - vendor/ruby/ +menu: + - title: "Quick Start" + url: "/quickstart/" + - title: "About" + url: "/about/" + - title: "Contributions" + url: "/contributions/" + - title: "Description" + url: "/description/" diff --git a/docs/index.markdown b/docs/index.markdown new file mode 100644 index 0000000..0671507 --- /dev/null +++ b/docs/index.markdown @@ -0,0 +1,6 @@ +--- +# Feel free to add content and custom Front Matter to this file. +# To modify the layout, see https://jekyllrb.com/docs/themes/#overriding-theme-defaults + +layout: home +---