Extending De4dot: Adding or replacing deobfuscators in de4dot...
Hey, what’s up everybody?
About two months ago I came across a modified version of de4dot someone made, which required me to replace my current de4dot version in its entirety. I did not like this and therefore I decided to work on extension support for de4dot. It allows you to add new deobfuscator modules, or replace the existing (sometimes outdated) ones, dynamically: de4dot picks the extra modules up at run time instead of requiring a rebuilt de4dot.
In this blog post I will explain to you how to add a simple deobfuscator for OrangeHeap. The actual deobfuscator code is not written by me, but by TheProxy. It only serves as an example of how de4dot can be extended :)
- Clone the repository with git clone --recursive https://github.com/0xd4d/de4dot.git;
- Copy and rename the
- In that same directory, rename
- Open the main de4dot.sln in Visual Studio 2010 or higher and add deobfuscator.OrangeHeap.csproj to the solution;
- Now the only thing left is to rename the output file name and namespace from
Coding the deobfuscator
In this post I won't go too much in depth about the internal de4dot architecture, mainly because I don't know a whole lot about it. You'd have to check the built-in deobfuscators yourself to find out how it works. Here is a post by kao that explains extending de4dot in more detail.
The identifying class for a deobfuscator is the DeobfuscatorInfo class. It has to provide a Name and a Type string field, where the Type field must be unique. It also has a CreateDeobfuscator method that will handle the actual deobfuscation.
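To make the contract concrete, here is an added skeleton of such a plugin. It is not TheProxy's OrangeHeap code and not part of de4dot itself; it follows the pattern of de4dot's built-in deobfuscators, so the base classes (DeobfuscatorInfoBase, DeobfuscatorBase, OptionsBase), the `module` field and the abstract members beyond Name, Type and CreateDeobfuscator are assumptions to check against your checkout, and the marker type name used for detection is a constructed placeholder.

```csharp
// Added example plugin skeleton (assumed API, verify against de4dot.code/deobfuscators in your checkout).
using System.Collections.Generic;
using de4dot.code.deobfuscators;
using dnlib.DotNet;

namespace de4dot.code.deobfuscators.Example {
	// de4dot instantiates the class named DeobfuscatorInfo from each deobfuscator.*.dll in its bin directory.
	public class DeobfuscatorInfo : DeobfuscatorInfoBase {
		public const string THE_NAME = "Example";
		// Must be unique across all loaded deobfuscators; reusing "co" or "df" would override that built-in one.
		public const string THE_TYPE = "ex";

		public DeobfuscatorInfo() : base(DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX) { }

		public override string Name { get { return THE_NAME; } }
		public override string Type { get { return THE_TYPE; } }

		public override IDeobfuscator CreateDeobfuscator() {
			return new Deobfuscator(new Deobfuscator.Options { ValidNameRegex = validNameRegex.Get() });
		}
	}

	class Deobfuscator : DeobfuscatorBase {
		public class Options : OptionsBase { }

		// Constructed stand-in: a runtime type the (hypothetical) obfuscator is assumed to leave behind.
		const string MARKER_TYPE = "ExampleObfuscator.RuntimeMarker";
		TypeDef markerType;

		public Deobfuscator(Options options) : base(options) { }

		public override string Type { get { return DeobfuscatorInfo.THE_TYPE; } }
		public override string TypeLong { get { return DeobfuscatorInfo.THE_NAME; } }
		public override string Name { get { return DeobfuscatorInfo.THE_NAME; } }

		// Runs once per module: collect whatever DetectInternal() needs to score the match.
		protected override void ScanForObfuscator() {
			foreach (var type in module.Types) {
				if (type.FullName == MARKER_TYPE) { markerType = type; break; }
			}
		}

		// Highest score wins when several deobfuscators claim a module; 0 means "not mine".
		protected override int DetectInternal() { return markerType != null ? 100 : 0; }

		// No string decrypters in this skeleton; a real plugin returns the decrypter method tokens here.
		public override IEnumerable<int> GetStringDecrypterMethods() { return new List<int>(); }
	}
}
```

Build it as deobfuscator.Example.dll and drop it next to de4dot.exe; the Type value is what shows up in de4dot's deobfuscator list, which is the quickest check that the DLL was actually loaded.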
Sharing the deobfuscator
Now before I go into this, I have to say that you are obligated by the license de4dot uses (GPL) to share any modifications you make to de4dot under the same (GPL) license. This includes extensions that are dynamically loaded by de4dot, although this is controversial.
Now to share the deobfuscator, for example for internal company usage or simply because you want to share prebuilt binaries of your GPL extension, simply copy the bin/deobfuscator.OrangeHeap.dll to the de4dot bin directory on another machine. Here is a screenshot that shows what happens before and after I added the DLL to the bin directory (obviously without any other modifications to de4dot):
Overriding/Extending existing deobfuscators
If you want to change the behavior of an existing deobfuscator, simply make the DeobfuscatorInfo.Type field return an already-present typename (like co for CryptoDeobfuscator or df for Dotfuscator). Basically you have to rip the current deobfuscator class out into a separate project (I tested this). See here for a starting point. It should be pretty straightforward.
Well, that’s all for today. Hopefully till next time!