Assembly Manipulation and C# / VB.NET Code Injection
Latest Releases
You can always get the
latest Reflexil
releases here.
Introduction
Reflector and JustDecompile are
great tools for doing an in-depth examination of various types of assemblies and
also for disassembling IL code towards a supported .NET language. However, they
are unable to modify either the structure or the IL code of assemblies. Reflexil allows such
modifications by using the powerful Mono.Cecil library
written by Jb
EVAIN. Reflexil
runs as a plug-in and is directed
especially towards IL code handling. It accomplishes this by proposing a
complete instruction editor and by allowing C#/VB.NET code injection, as we will
see in the following two examples.
Demo Application
Let‘s use a very simple application that is able to add two numbers:
using System; using System.Windows.Forms; namespace ReflexilDemo { public partial class DemoForm : Form { public DemoForm() { InitializeComponent(); } private void ComputeAndDisplay(decimal x, decimal y) { MessageBox.Show(String.Format("{0}+{1}={2}", x, y, x + y)); } private void DisplayResultButton_Click(object sender, EventArgs e) { ComputeAndDisplay(LeftOperand.Value, RightOperand.Value); } } }
Using Instruction Editor
Using the instruction editor, let‘s update
the ComputeAndDisplay
method body by calling the
overloaded methodMessageBox.Show
, which takes a title as a second
parameter for the modal window displaying the result. In order to do so, we have
to initially put a string
parameter on the stack
with ldstr
opcode:
Then we have to update the "call" instruction to use the overloaded
method MessageBox.Show
, which uses the previously created
parameter:
It is time to save our work and to test our patched assembly:
Our assembly is now using the overloaded method and the suitable parameter:
Instruction Editor Features
The instruction editor supports all opcodes defined
in Mono.Cecil
. The following operands are supported:
- Primitive types: byte, sbyte, int32, int64, single, double
- String
- Instruction reference
- Multiple instructions references (switch)
- Parameter or variable reference
- Internal generic type reference
- Type, field or method reference using a browser for selecting the suitable element. This browser is like the reflector‘s one (lazy loading, icons, etc.)
In a quite comprehensible way,
the Reflector
and Reflexil
object
models are not synchronous: updates made on the IL code will not impact the
disassemble window
of Reflector
. Reflexil
and Mono.Cecil
do
not perform any checks of the emitted code. The only constraint is about
coherence between the operand type used for a given opcode. For those who find
IL manipulation difficult, the following example shows how to update a method
body with C# or VB.NET.
Using C#/VB.NET Code Injection
You can choose your preferred injection language and input/display bases (binary, octal, decimal, and hexadecimal) with the configuration form:
Let‘s use the "Replace all with code" feature on the body of
the ComputeAndDisplay
method:
A compile window enables us to view the resulting IL code. A basic support for intellisense/insight is provided:
We can do it again with VB.NET language. Note that in this simple case, we obtain an identical IL code (it is not always the case):
Let‘s save and test our patched assembly:
C#/VB.NET Code Injection Features
The code is compiled using System.CodeDom
in a
separate AppDomain
for a correct resource release. Once
compiled, instructions are extracted and then reinserted in the original method
body. Parameters, variables, methods, fields and types references are adjusted
to match the original assembly. Code injection is limited: it is not possible to
refer either to the fields or to the methods defined in ancestral types of the
owner type of the original method. You can choose the target framework used by
the compilation process.
Method Attributes Editor
You can easily update a method signature or change his visibility scope. You are also able to change the return type:
Method parameters (and variables) are also editable. Reflexil can load symbols (MDB and PDB files are supported) to display original variable names:
Exception Handlers
Reflexil
allows to add/update/delete exception handlers
associated with a method body. The following types are supported:
Catch
Filter
(the VB.NETWhere
clause inTry
/Catch
blocks)Finally
Fault
Type Attributes Editor
Like methods, you can change any type visibility scope. So you can expose a
previously private
type to the world:
Member manipulation
Reflexil
is able to rename, delete or inject class,
interface, struct, enum, event, field, method, constructor, property or assembly
reference.
Smart injection : injecting a new property will generate a field, getter/setter methods and IL code.
Resources Editor
You can inject and alter embedded resources, linked resources and assembly linked resources. A complete hex editor is provided to update, export or import files.
Custom attributes Editor
Custom attributes are fully supported.
Assembly and Assembly Reference Editor
With the assembly editor, you can use a different entry point:
You can also update all information regarding identification: version, public key, name and culture. Note that you can also alter any referenced assembly so you can use a different version:
Module Editor
With the module editor, you can simply change the kind of your application (transform an executable assembly to a DLL library for instance):
Signed Assemblies Support
When saving a signed assembly, the resulting assembly is placed in the "delay
signed" state. Reflexil
can use SDK tools to fix it.
Reflexil
is able to remove assembly strong name and update
referencing assemblies. You can also do it by yourself with the assembly editor:
remove the public key and set the HasPublicKey
flag
to false
.
Deobfuscation Support
Reflexil
is able to remove obfuscated code thanks
to de4dot
.
Babel NET, CliSecure, CodeFort, CodeVeil, CodeWall, CryptoObfuscator, DeepSea, Dotfuscator, dotNET Reactor, Eazfuscator NET, Goliath NET, ILProtector, MaxtoCode, MPRESS, Rummage, Skater NET, SmartAssembly, Spices Net and Xenocode are supported.
Assembly Verifier
With the assembly verifier (using peverify.exe from .NET SDK), you can determine whether the IL code and associated metadata meet type safety requirements.
Conclusion
Reflexil
is completely based
on Mono.Cecil
. The interesting thing is
that Mono.Cecil
can load assemblies without the help of
the runtime, so there is no resource release constraint
and AppDomain
isolation for example. There is no relation
between System.Type
and Mono.Cecil.TypeDefinition
,
whereas they both materialize the .NET type concept. If we want to
programmatically reproduce our first example (Show
overload),
we can write it very easily, thanks to Mono.Cecil
.
Change Log
//////////////////////////////////////////////////////////////////////////////// // v1.6 - 17/01/2013 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - Optional ILMerged version to prevent unexpected Mono.Cecil assemblies. upgrades: - de4dot 1.9.0 update. New deobfuscation support for CodeFort, CodeWall, ILProtector, MPRESS, Rummage. - Mono.Cecil 0.9.5.4 update. - ARM, WindowsRuntime and Module characteristics support. bugfixes: - Check customized Mono.Cecil assembly //////////////////////////////////////////////////////////////////////////////// // v1.5 - 16/04/2012 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - deobfuscation support for Babel NET, CliSecure, CodeVeil, CryptoObfuscator DeepSea, Dotfuscator, dotNET Reactor, Eazfuscator NET, Goliath NET, MaxtoCode, Skater NET, SmartAssembly, Spices Net and Xenocode. Thanks to de4dot by 0xd4d! upgrades: - Mono.Cecil update. bugfixes: - bugfix for "register for verification skipping" and delay signed assembly. - bugfix for "resign" and delay signed assembly. //////////////////////////////////////////////////////////////////////////////// // v1.4 - 27/01/2012 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - custom attributes support. - assembly/module renaming. upgrades: - search the type tree with a regex like ^SerializableAttribute$. bugfixes: - fixed drag&drop issues with column headers. - fixed broken ExceptionHandler editor after Mono.Cecil 0.9.x migration. - fixed broken Variable editor after Mono.Cecil 0.9.x migration. - fixed assembly resolution issues, thanks to Douglas Drinka. //////////////////////////////////////////////////////////////////////////////// // v1.3 - 24/08/2011 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - resource support (injection and alteration): Embedded resources, linked resources and assembly linked resources. Complete hex editor to update, export or import files. upgrades: - works both on Reflector 6.x and Reflector 7.x. bugfixes: - fixed assembly loading errors when using symbols and pdb file is not available. //////////////////////////////////////////////////////////////////////////////// // v1.2 - 07/03/2011 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - Reflexil is now MIT/X11 licensed - technical update: using customized Mono.Cecil/Light 0.9.x - technical update: using customized ICSharpCode.SharpDevelop.Dom.dll - technical update: using customized ICSharpCode.TextEditor.dll - technical update: using customized ICSharpCode.NRefactory.dll upgrades: - moved "Kind" and "Target Runtime" from Assembly to Module handler - better support for pdb and mdb files and strong name assemblies - complete support for PE32+ assemblies - less memory consumption - lazy loading of every metadata element - speed and optimizations - you can enable/disable cache settings for intellisense - injection/compilation with version control: v2.0, v3.5, v4.0 - new injection import process - added architecture support (I386, AMD64, IA64) in module definition - new attributes grouping bugfixes: - fixed PointerType/ArrayType/ReferenceType Cecil/Reflector code matching (No data shown for methods with "ref" array parameters) - fixed crashes when attempting to replace all with code (Could not find a part of the path) - fixed type import when updating field, method, property or event - fixed extra random assembly reference when injecting/compiling //////////////////////////////////////////////////////////////////////////////// // v1.1 - 28/04/2010 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - rename, delete or inject class/interface/struct/enum/event/field/method/ constructor/property/assembly reference - smart injection : injecting a new property will generate a field, getter/setter methods and IL code. - open architecture: Reflexil is now able to be used with Reflector, Cecil.Studio or anything able to convert an object model to Mono.Cecil - property editor (attributes, type, constant) - field editor (attributes, type, constant) - event editor (attributes, type) - assembly verifier (using peverify.exe from .NET SDK) upgrades: - interfaces and base type selection for type editor - Reflector/Mono.Cecil method matching bugfixes: - fixed framework version detection for Mono, initial patch by Robin Herbots - fixed constant handling with parameters - fixed InitLocals initialization for method bodies - fixed branch to self causes stack overflow, patch by Brien Sourceforge - fixed crash with unsupported assemblies - fixed grid refresh for method overrides - fixed offset compute after code injection - fixed code injection/type matching with nested types - fixed const handling with parameters, fields and properties //////////////////////////////////////////////////////////////////////////////// // v1.0 - 23/10/2009 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - proper configuration for code injection with .NET 3.5 compiled files - using up to date Mono.Cecil.Pdb (now fully managed) bugfixes: - fixed ArgumentOutOfRange with some compile errors (replace all with code) - fixed error CS0006: Metadata file ‘...‘ could not be found //////////////////////////////////////////////////////////////////////////////// // v0.9.1 - 30/04/2009 ///////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - check if .NET Framework v3.5 is installed bugfixes: - some debug code was left, causing errors to users without "c:" drive. misc: - source code cleanup //////////////////////////////////////////////////////////////////////////////// // v0.9 - 28/01/2009 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - instruction offset column - code editor intellisense - region folding - insight window bugfixes: - assembly browser was only listening to mouse events - fix combobox rendering errors without visual themes misc: - source code cleanup //////////////////////////////////////////////////////////////////////////////// // v0.8 - 25/05/2008 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - assembly reference editor (name, version, public key, token, hash) - assembly name editor (entry point, assembly kind, framework version, name, version, public key, token) upgrades: - ‘unsafe‘ code generation support - reflector item handler bugfixes: - field reference fix after code injection - forms tabindexes //////////////////////////////////////////////////////////////////////////////// // v0.7 - 17/01/2008 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - type attributes editor (sealed, semantic, layout, string format, visibility, ...) - strong name remover upgrades: - sn.exe registry keys with framework 3.5 - C# / VB.NET code generator bugfixes: - static field code generation - VB.NET ‘Single‘ type alias code generation - C# / VB.NET keywords used as field/method/parameter names - main window flicker fix //////////////////////////////////////////////////////////////////////////////// // v0.6 - 30/10/2007 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - symbol loading support (pdb and mdb) - method attributes editor (member access, vtable layout, code type, managment, calling convention, return type) -> so you can change a method visibility - parameter editor -> so you can change a method signature - variable editor upgrades: - multiple selection support in grids - method RVA tooltip in grids - assembly / method definition cache system bugfixes: - namespaces with type browser - pointer type matching - method matching - generic type matching - remoting timeout with compilation window - Mono.Cecil import context update - VB.NET arrays - unsafe C# compilation setting - prevent "insert after/insert before" when a list is empty //////////////////////////////////////////////////////////////////////////////// // v0.5 - 14/09/2007 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - VB.NET code injection - binary, octal, hexadecimal, decimal base support. - configuration form upgrades: - code injection is no more ‘context-free‘: type, fields and methods can be referenced, and are automaticaly mapped to original items. - scroll positions are now saved when creating/updating/deleting instructions or exception handlers bugfixes: - injection code works even if the library is not in the same folder than Reflector. - sn.exe (strong name utility) is correctly located even if PATH variable contains quotes. //////////////////////////////////////////////////////////////////////////////// // v0.4 - 29/08/2007 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - exception handlers support. - exception handler drag&drop. - signed assembly support. upgrades: - Reflector bug report is sent to reflexil mailbox. bugfixes: - using non CLI images with Reflector. //////////////////////////////////////////////////////////////////////////////// // v0.3 - 20/07/2007 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - instruction drag&drop. - delete all instructions. - C# code injection (preliminary support). upgrades: - opcodes autocomplete. //////////////////////////////////////////////////////////////////////////////// // v0.2 - 08/07/2007 /////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// news: - editors: type, method or field references. upgrades: - instruction edit form with opcodes descriptions (and grid tooltips). //////////////////////////////////////////////////////////////////////////////// // v0.1 - 02/07/2007 /////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
from:http://www.codeproject.com/Articles/20565/Assembly-Manipulation-and-C-VB-NET-Code-Injection
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。