JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample. JIT Hooking is the technique where the sample hooks the compileMethod() function. With the hook in place, the sample can easily replace the MSIL with a decrypted/deobfuscated version at run time. This makes static analysis almost impossible.

One possible solution is to install our own hook before loading the sample. That gives us a chance to recover the real MSIL and save its content to a file. We can then rebuild the .NET executable by adding a brand new section containing the dumped methods and fixing all methods in the MethodDef table of the .NET #~ stream. The end result is still not runnable without further intervention; however, it should be good enough to perform advanced static analysis.
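The dumped methods referred to above are ECMA-335 method bodies (a tiny or fat header followed by the MSIL). The following Python is added here as an example, not code from jitm or fix_assembly.py: it parses a dumped body into its header fields and IL, and re-emits a body in the form a rebuilt section needs; flag values are taken from the ECMA-335 spec and the sample bytes are constructed.

```python
import struct

# ECMA-335 II.25.4 method body header flag bits (spec values, not taken from jitm)
TINY, FAT, MORE_SECTS, INIT_LOCALS = 0x2, 0x3, 0x8, 0x10


def parse_method_body(data: bytes) -> dict:
    """Split one dumped method body into its header fields and raw MSIL bytes."""
    if not data:
        raise ValueError("empty method body")
    kind = data[0] & 0x3
    if kind == TINY:
        # Tiny header: one byte, upper 6 bits hold the IL size; no locals, max stack 8.
        size = data[0] >> 2
        if len(data) < 1 + size:
            raise ValueError("truncated tiny body")
        return {"format": "tiny", "max_stack": 8, "local_sig_tok": 0,
                "more_sects": False, "il": data[1:1 + size]}
    if kind == FAT:
        # Fat header: 12 bytes; flags in the low 12 bits, header size in dwords in the top 4.
        if len(data) < 12:
            raise ValueError("truncated fat header")
        flags_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", data, 0)
        if (flags_size >> 12) != 3 or len(data) < 12 + code_size:
            raise ValueError("malformed fat header or truncated IL")
        return {"format": "fat", "max_stack": max_stack, "local_sig_tok": local_sig,
                "more_sects": bool(flags_size & MORE_SECTS), "il": data[12:12 + code_size]}
    raise ValueError(f"unknown method header type {kind:#x}")


def build_method_body(il: bytes, max_stack: int = 8, local_sig_tok: int = 0) -> bytes:
    """Re-emit a method body for a rebuilt section, using the tiny form when the spec allows it."""
    if len(il) < 64 and max_stack <= 8 and local_sig_tok == 0:
        return bytes([(len(il) << 2) | TINY]) + il
    # Fat form: header size 3 dwords, flags FAT|INIT_LOCALS (no extra sections emitted here).
    header = struct.pack("<HHII", (3 << 12) | FAT | INIT_LOCALS, max_stack, len(il), local_sig_tok)
    return header + il


if __name__ == "__main__":
    # Constructed sample: a fat body whose IL is ldc.i4.1, ldc.i4.2, add, ret.
    sample = struct.pack("<HHII", 0x3013, 2, 4, 0x11000001) + b"\x17\x18\x58\x2a"
    parsed = parse_method_body(sample)
    print(parsed["format"], parsed["il"].hex())
    assert build_method_body(parsed["il"], parsed["max_stack"], parsed["local_sig_tok"]) == sample
```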
Usage: jitm sample.exe [optional_timeout_in_milliseconds]

jitm will first load jitmhook.dll and call its HookNative() export to install a native hook. jitm then loads and runs the sample entry point and waits for the timeout to expire before exiting. This should produce a jitm.log and a jitm.json file.

Then run the fix_assembly.py script: py -2 fix_assembly.py -f sample.exe -o output.exe -j jitm.json

The resulting output.exe is intended for static analysis. However, to use a debugger, load and debug sample.exe instead.

jitmhook saves both the MSIL and the method body header, as tested on a variant of MassLogger. Future variants may change this behavior.

PolyHook_2_0
Recommendation: use the vcpkg method, and build statically to have all dependencies included in one DLL:
git clone https://github.com/Microsoft/vcpkg.git
cd vcpkg
.\bootstrap-vcpkg.bat -disableMetrics
(as admin) .\vcpkg integrate install
vcpkg install polyhook2:x64-windows-static polyhook2:x86-windows-static
Open the sln file using Visual Studio 2017 or Visual Studio 2019 and build using the GUI.