 
.net process loader patcher?
LaBBa
May 30th, 2011, 04:35
Hi,
I was wondering if it is possible to perform a process memory patcher for a .NET application to bypass the issue of signed exe/dll...
Sometimes an application has so many DLLs and the dependency is too big that removing the signature could be a pain...
So what do you say, is it possible?
Regards,
LaBBa.
Kurapica
May 30th, 2011, 05:53
It's possible.
Other solutions include:
1- Disabling the strong name signature on the machine using a registry hack
2- Adding the application to the exclusion list of signature checking.
I once saw a tutorial where the dup tool was used to create a Loader for a .NET process in order to bypass the strong name check problem.
You can also use a tool called "Strong name helper", which can patch all dependencies to match the new signature of the main signed application.
LaBBa
May 30th, 2011, 06:29
[QUOTE=Kurapica;90394]It's possible.
Other solutions include:[/QUOTE]
This is interesting.. Can you share what that registry hack is?
And what was the tut for patching a .NET signed file?
 
Thanks,
LaBBa
Kurapica
May 30th, 2011, 10:02
How to: Disable the Strong-Name Bypass Feature
http://msdn.microsoft.com/en-us/library/cc713694.aspx
{SA} Loader with dup
http://www.4shared.com/file/SBZudV7N/NetCrackingTutorial_Artisteer_.html
LaBBa
May 31st, 2011, 00:15
Thank you!
I will try to do the registry thing first, since the target I have is a Visual Studio plug-in and it's a DLL, so I don't think that dUP will help me with creating a process patcher for this type of issue.
I will let you know if the registry did the trick..
LaBBa.
LaBBa
May 31st, 2011, 23:49
Well, the registry trick didn't work since it is only a feature of how to not do a bypass...
So I'm still working on finding a solution... Maybe we could patch the .NET framework itself to never support sign verification.. This will require patching every .NET version so it will fit all, but maybe it is the same thing all the time..
Regards,
LaBBa
Kurapica
June 1st, 2011, 11:18
Patching the entire framework is kinda radical.
This is a code snippet by CodeRipper which disables checking for the strongName signature.
You should call it from the new process.
Code:
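        // GetModuleHandle, GetProcAddress and WriteProcessMemory are P/Invoke
        // declarations that are not shown in the post.
        byte[] lpBuffer = new byte[1];
        int lpNumberOfBytesWritten = 0;
        // Address of CryptVerifySignatureA inside the current process.
        IntPtr procAddress = GetProcAddress(GetModuleHandle("advapi32.dll"), "CryptVerifySignatureA");
        if (procAddress != IntPtr.Zero)
        {
            // x86 bytes: xor eax, eax; inc eax; ret 0x18 (return 1 immediately)
            byte[] buffer2 = new byte[] { 51, 192, 64, 194, 24, 0 };
            // -1 is the pseudo-handle for the current process.
            WriteProcessMemory(-1, procAddress, buffer2, buffer2.Length, ref lpNumberOfBytesWritten);
        }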
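Seen from the detection side, the patch posted above replaces the start of an exported verification routine with a stub that loads a constant and returns, which an integrity check can recognize by comparing in-memory bytes with the file on disk. The following is an added example, not part of the thread or CodeRipper's code; it assumes 32-bit x86, and the function names and the on-disk sample bytes are constructed for illustration.

```python
import struct

def decode_const_return_stub(code: bytes):
    """Return (eax, stack_bytes_popped) if `code` begins with a 32-bit x86
    stub that only sets EAX to a constant and returns, else None."""
    if code[:2] in (b"\x33\xc0", b"\x31\xc0"):        # xor eax, eax
        eax, i = 0, 2
        if code[i:i + 1] == b"\x40":                  # inc eax (x86-32 only)
            eax, i = 1, i + 1
    elif code[:1] == b"\xb8" and len(code) >= 5:      # mov eax, imm32
        eax, i = struct.unpack_from("<I", code, 1)[0], 5
    else:
        return None
    if code[i:i + 1] == b"\xc3":                      # ret
        return eax, 0
    if code[i:i + 1] == b"\xc2" and len(code) >= i + 3:   # ret imm16
        return eax, struct.unpack_from("<H", code, i + 1)[0]
    return None

def check_entry_point(on_disk: bytes, in_memory: bytes) -> dict:
    """Compare an export's first bytes in the DLL file with the same bytes
    read from a live process or memory image."""
    n = min(len(on_disk), len(in_memory))
    if on_disk[:n] == in_memory[:n]:
        return {"verdict": "clean", "stub": None}
    # A bare mismatch can be a legitimate hook (EDR, shim); a constant-return
    # stub over a verification routine is the high-severity case.
    stub = decode_const_return_stub(in_memory)
    verdict = "forced-return patch" if stub else "modified"
    return {"verdict": verdict, "stub": stub}

# Constructed sample: a typical stdcall prologue stands in for the real
# on-disk bytes of the export; it is not copied from advapi32.dll.
ON_DISK = bytes.fromhex("8bff558bec83ec10")
# The six bytes the snippet in the thread writes, over the same prologue.
IN_MEMORY = bytes([51, 192, 64, 194, 24, 0]) + ON_DISK[6:]

if __name__ == "__main__":
    print(check_entry_point(ON_DISK, ON_DISK))
    print(check_entry_point(ON_DISK, IN_MEMORY))
```

The decoded stub `(1, 24)` means "return 1 and pop 24 bytes", which matches the six 4-byte stdcall arguments of CryptVerifySignatureA.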