yck1509

Jitdumper3


I tried but nothing changed :( I have Visual Studio 2017; is that the problem? Sorry for my English.


FYI today, tried 
 
Wa7moQ.png
 
on win7x64 not even open...

 

 


Several code snippets I wrote in the past don't work any more on Windows7 64.

 

It's not weird since the OS changes with each new update.


FYI today, tried 

 

Wa7moQ.png

 

on win7x64 not even open...

 

What's your Visual Studio version? I think the error happened because I run Windows 10 64-bit :/


jitdumper3 v4(binary) will lose all the try..catch..

v4(source) will throw an exception in:

getEHinfo((IntPtr)mti, info->ftn, i, out clause);

 

Tested on XP; does anyone know why?


Not all exceptions are catch-able by try...catch
there are a few exceptions that will not be captured by a catch block :

StackOverflowException

ThreadAbortedException

OutOfMemoryException

ExecutionEngineException
BadImageFormatException

The main problem with building Jit hooker is compatibility with different .NET frameworks.
Since you are on XP I assume you have installed .NET Framework 4.0, right?
 


The main problem with building Jit hooker is compatibility with different .NET frameworks.

 

Yes, so I use XP, the same as yck1509.

 

Type this code(.net 4.0):

            try
            {
                MessageBox.Show("test");
                int.Parse("xyz");
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }

compile it, jit dump it with jitdumper3

 

v4(binary) can dump the il, but will lose the exception handlers.

v4(source) will throw an exception

I know why v4(binary) loses exception handlers, that's because CORINFO_METHOD_INFO has changed in .net 4
 
.net 2.0:
    public unsafe struct CORINFO_METHOD_INFO
    {
        public IntPtr ftn;
        public IntPtr scope;
        public byte* ILCode;
        public uint ILCodeSize;
        public ushort maxStack;
        public ushort EHcount;
        ...............


.net 4.0
    public unsafe struct CORINFO_METHOD_INFO
    {
        public IntPtr ftn;
        public IntPtr scope;
        public byte* ILCode;
        public uint ILCodeSize;
        public uint maxStack;
        public uint EHcount;
        ...............

 

But v4(binary) uses the .net 2.0 CORINFO_METHOD_INFO, so its EHcount is the higher 2 bytes of maxStack, and often equals 0

But v4(source) was updated to the .net 4.0 CORINFO_METHOD_INFO, and its EHcount is correct:

            if (info->EHcount != 0)
            {
                exceptionHandlers.Clear();
                getEHinfo getEHinfo = CreateTrampoline<getEHinfo>(ICorStaticInfo.ICorMethodInfo(ICorDynamicInfo.ICorStaticInfo(ICorJitInfo.ICorDynamicInfo(comp)))->vfptr->getEHinfo);
                for (uint i = 0; i < info->EHcount; i++)
                {
                    CORINFO_EH_CLAUSE clause;
                    var dyn = ICorJitInfo.ICorDynamicInfo(comp);
                    var sta = ICorDynamicInfo.ICorStaticInfo(dyn);
                    var mti = ICorStaticInfo.ICorMethodInfo(sta);
                    getEHinfo((IntPtr)mti, info->ftn, i, out clause); // exception occurs here

I don't know why an exception occurs on the line: getEHinfo((IntPtr)mti, info->ftn, i, out clause);

v2(source) has no problem

Edited by CreateAndInject
  • Upvote 1


From Simple_MSIL_Decryptor:

    using System;
    using System.Runtime.InteropServices;

    [StructLayout(LayoutKind.Sequential)]
    public struct CORINFO_METHOD_INFO
    {
        public IntPtr ftn;     // RuntimeMethodHandle
        public IntPtr scope;   // ModuleHandle
        public IntPtr ILCode;
        public uint ILCodeSize;
        public ushort maxStack;
        //public ushort Unknown;  // Only on Framework 4.0
        public ushort EHcount;
        public uint options;
        public CORINFO_SIG_INFO args;  // size 0x30
        public CORINFO_SIG_INFO locals;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct CORINFO_METHOD_INFO_Fr4
    {
        public IntPtr ftn;     // RuntimeMethodHandle
        public IntPtr scope;   // ModuleHandle
        public IntPtr ILCode;
        public uint ILCodeSize;
        public ushort maxStack;
        public ushort Unknown;  // Only on Framework 4.0
        public ushort EHcount;
        public uint options;
        public CORINFO_SIG_INFO args;  // size 0x30
        public CORINFO_SIG_INFO locals;
    }

 

CORINFO_METHOD_INFO fr 2:

...

public ushort maxStack;
public ushort EHcount;

CORINFO_METHOD_INFO fr 4:

public uint maxStack;
public uint EHcount;

That can't be correct!!! ushort = 2 bytes uint = 4 bytes
From what I know the difference between Framework 2.0 and Framework 4.0 is of only 2 bytes (one ushort)!

Try to fix it like this:
.net 4.0
public unsafe struct CORINFO_METHOD_INFO
{
public IntPtr ftn;
public IntPtr scope;
public byte* ILCode;
public uint ILCodeSize;
public uint maxStack;
public ushort EHcount;
...............

The only difference between Framework 2.0 and Framework 4.0 is the type change of maxStack from ushort to uint

Let me know about the result.
 

  • Upvote 1
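The layout disagreement in the two posts above, as an added example (not code from jitDumper3 or Simple_MSIL_Decryptor): it places the same constructed bytes under each struct variant quoted in the thread and reads EHcount back through each one. Assumptions: a 32-bit little-endian process (pointers modelled as uint32_t), only the struct prefix up to EHcount, and constructed sample values maxStack 2 and EHcount 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions: 32-bit little-endian process, so IntPtr/byte* are modelled as
   uint32_t; only the struct prefix up to EHcount is modelled. */
#define HEAD uint32_t ftn, scope, ILCode, ILCodeSize

typedef struct { HEAD; uint16_t maxStack; uint16_t EHcount; } Net20; /* ".net 2.0" struct */
typedef struct { HEAD; uint32_t maxStack; uint32_t EHcount; } Net40; /* ".net 4.0" struct */
typedef struct { HEAD; uint16_t maxStack; uint16_t Unknown; uint16_t EHcount; } Fr4; /* CORINFO_METHOD_INFO_Fr4 */
typedef struct { HEAD; uint32_t maxStack; uint16_t EHcount; } Fix;   /* "Try to fix it like this" */

enum { BUF_SIZE = sizeof(Net40) };

/* Constructed sample: the prefix as a caller using the ".net 4.0" struct would fill it. */
static void make_sample(uint8_t buf[BUF_SIZE], uint32_t maxStack, uint32_t ehCount) {
    Net40 m;
    memset(&m, 0, sizeof m);
    m.ILCodeSize = 32;
    m.maxStack = maxStack;
    m.EHcount = ehCount;
    memcpy(buf, &m, sizeof m);
}

/* Reinterpret the same bytes through each candidate layout. */
static unsigned eh_net20(const uint8_t *b) { Net20 v; memcpy(&v, b, sizeof v); return v.EHcount; }
static unsigned eh_net40(const uint8_t *b) { Net40 v; memcpy(&v, b, sizeof v); return v.EHcount; }
static unsigned eh_fr4(const uint8_t *b)   { Fr4 v;   memcpy(&v, b, sizeof v); return v.EHcount; }
static unsigned eh_fix(const uint8_t *b)   { Fix v;   memcpy(&v, b, sizeof v); return v.EHcount; }

int main(void) {
    uint8_t buf[BUF_SIZE];
    make_sample(buf, 2, 1); /* constructed: maxStack 2, one try/catch clause */
    printf("layout  offsetof(EHcount)  EHcount read\n");
    printf("Net20   %2zu                 %u\n", offsetof(Net20, EHcount), eh_net20(buf));
    printf("Net40   %2zu                 %u\n", offsetof(Net40, EHcount), eh_net40(buf));
    printf("Fr4     %2zu                 %u\n", offsetof(Fr4, EHcount), eh_fr4(buf));
    printf("Fix     %2zu                 %u\n", offsetof(Fix, EHcount), eh_fix(buf));
    return 0;
}
```

Under these assumptions the .net 2.0 struct reads EHcount at offset 18, which is the upper half of the 4-byte maxStack, while the other three variants all read it at offset 20 and return the same value as long as maxStack and EHcount fit in 16 bits.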


There's no difference, because the field 'options' is ushort in jitDumper3, and Marshal.SizeOf(typeof(CORINFO_METHOD_INFO)) == 124

Even if I modify CORINFO_METHOD_INFO as the same as Simple_MSIL_Decryptor, I get the same error.

You can download the source of jitDumper3 and test it.


I don't know why an exception occurs on the line: getEHinfo((IntPtr)mti, info->ftn, i, out clause);

v2(source) has no problem

It is kind of weird if the exception occurs on that exact line,

the casting of (IntPtr)mti may be the problem.

 


You wrote this:

getEHinfo((IntPtr)mti, info->ftn, i, out clause); // exception occurs here

Where exactly does the exception occur? Debug and try to step into that method!
 


You wrote this:

Where exactly does the exception occur? Debug and try to step into that method!

 

 

getEHinfo = Marshal.GetDelegateForFunctionPointer(...);

So, I can't step into.

 

If you had viewed the jitDumper3 source, you wouldn't ask me to step into it. Why don't you download the source from #34?

If you had viewed the jitDumper3 source, you wouldn't ask me to step into it. Why don't you download the source from #34?

Because I have no interest, and also no interest in developing JitDumper.

Also, I currently have no C# IDE, neither installed nor even portable.

I don't like using Visual Studio for C# development;

I've had SharpDevelop portable, and for my needs it was OK.

 


I get it: jitDumper3 makes a mistake in a struct. Something has changed in .net 4.0, but jitDumper3 (v4) also uses the .net 2.0 struct.

I found 'getEHinfo' in your DNGuard_HVM_Unpacker; how did you get this knowledge? Such as ICorDynamicInfoVfTable, ICorMethodInfoVfTable, ICorMethodInfo: how do you know the differences between .net 2.0 & .net 4.0?

Edited by CreateAndInject
