Frida-Jit-unPacker: Unmasking Malicious .NET Code

Frida-Jit-unPacker

The Frida-Jit-unPacker aims to help researchers and analysts understand the behavior of malicious .NET packed samples in order to provide a mitigation. This tool uses the Frida instrumentation toolkit to inject scripts into the CLR and manipulate the behavior of the .NET executable to retrieve the original code. More precisely, this tool intercepts the communication between the CLR components in order to retrieve the original IL code of a packed assembly.

Principle

The unpacker uses Frida to place hooks that intercept the same CLR components the packer relies on (method compilation, token resolution, …), but at a lower level than the packer does. It also takes a stealthy approach: rather than placing hooks at the start or end of functions, for example, it uses a hooking strategy designed to evade potential detection by the packer.
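As an added illustration (not Frida-Jit-unPacker's own code), the following Frida script shows the component the Principle above refers to: it hooks the JIT's compileMethod at its entry and dumps the IL of every method the CLR compiles. This plain entry-point hook is exactly what a packer can check for, which the tool's lower-level strategy is meant to avoid. It assumes a 64-bit CLR, clrjit.dll exporting getJit(), and the x64 field offsets of CORINFO_METHOD_INFO.

```javascript
// Frida script: hook ICorJitCompiler::compileMethod at entry and dump the IL of
// every method the CLR JIT compiles. Run with:  frida -p <pid> -l jit_dump.js
// Assumptions: 64-bit CLR, clrjit.dll exporting getJit(), and the x64 layout of
// CORINFO_METHOD_INFO { ftn, scope, ILCode, ILCodeSize, maxStack, EHcount, ... }.

const MI_ILCODE   = 16; // uint8_t* ILCode      (two 8-byte handles precede it)
const MI_ILSIZE   = 24; // unsigned ILCodeSize
const MI_MAXSTACK = 28; // unsigned maxStack

// Pure decoder over reader callbacks, so the struct layout can be checked
// outside Frida; inside the hook the callbacks read the target's memory.
function decodeMethodInfo(readPointerAt, readU32At) {
  return {
    ilCode:   readPointerAt(MI_ILCODE),
    ilSize:   readU32At(MI_ILSIZE),
    maxStack: readU32At(MI_MAXSTACK),
  };
}

// Naive entry-point hook: this is the kind of patch a packer can look for,
// which is why the unpacker avoids hooking function starts and ends.
function installJitHook() {
  const clrjit = Process.findModuleByName('clrjit.dll');
  if (clrjit === null) {
    console.log('clrjit.dll not loaded yet; attach after the CLR has started');
    return false;
  }
  const getJitAddr = clrjit.findExportByName('getJit');
  if (getJitAddr === null) { console.log('getJit export not found'); return false; }
  // getJit() returns ICorJitCompiler*; compileMethod is its first vtable slot.
  const getJit = new NativeFunction(getJitAddr, 'pointer', []);
  const compileMethod = getJit().readPointer().readPointer();

  Interceptor.attach(compileMethod, {
    onEnter(args) {
      // x64: args[0]=this, args[1]=ICorJitInfo*, args[2]=CORINFO_METHOD_INFO*
      const info = args[2];
      const mi = decodeMethodInfo(
        (off) => info.add(off).readPointer(),
        (off) => info.add(off).readU32());
      const il = mi.ilCode.readByteArray(mi.ilSize);
      console.log(`[compileMethod] IL ${mi.ilSize} bytes, maxStack ${mi.maxStack}`);
      console.log(hexdump(il, { length: Math.min(mi.ilSize, 64), header: false }));
    },
  });
  return true;
}

// Only install when running inside Frida's agent; under plain Node this is a no-op.
if (typeof Interceptor !== 'undefined') installJitHook();
```

The dumped IL is the raw method body the JIT receives, so a packer that decrypts or rebuilds IL before compilation shows up here in clear form; a packer that detects the hook will instead behave differently, which is the case the tool's own hooking strategy addresses.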

Requirements

The software runs on Windows 10 and later on the x86_64 architecture and is designed to process 64-bit samples. If you have a 32-bit sample, try running it as a 64-bit application (.NET directory -> Flags -> 32-bit required unchecked, and File Header -> Characteristics -> 32-bit word machine checked if needed).

Installation

  • Download the archive release_X.X_x64.zip from the release section and extract it anywhere in your environment.
  • Make sure Microsoft symbols are reachable through the machine's symbol path, for example:
    set _NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\symbols*http://msdl.microsoft.com/download/symbols

Usage

  • Create a directory called executables and add your sample and its dependencies to it.
  • Run the following command from the release folder:
    > dist/x64/fjp.exe [OPTIONS] -f <input_file_path> -o <output_file_path>

Tutorial