Extending De4dot Adding or replacing deobfuscators in de4dot...
Hey, what’s up everybody?
About two months ago I came across a modified version of de4dot someone made, which required me to replace my current de4dot version in it’s entirety. I did not like this and therefore I decided to work on extension support for de4dot. Basically it allows you to add new deobfuscator modules or replace the existing (sometimes outdated) ones, in a dynamic way.
In this blogpost I will explain to you how to add a simple deobfuscator for OrangeHeap. The actual deobfuscator code is not written by me, but by TheProxy. It only serves as an example of how de4dot can be extended :)
Getting started
To get started, we need to set up our development environment. For this you need Git and Visual Studio. Follow these steps to get a development environment running:
- Clone the repository with
git clone --recursive https://github.com/0xd4d/de4dot.git; - Copy and rename the
deobfuscator.Templatedirectory todeobfuscator.OrangeHeap; - In that same directory, rename
deobfuscator.Template.csprojtodeobfuscator.OrangeHeap.csproj; - Open the main
de4dot.slnin Visual Studio 2010 or higher and adddeobfuscator.OrangeHeap.csprojto the solution; - Now the only thing left is to rename the output file name and namespace from
deobfuscator.Templatetodeobfuscator.OrangeHeap.
Coding the deobfuscator
In this post I won’t go too much in depth about the internal de4dot architecture, mainly because I don’t know a whole lot about it. You’d have to check the built-in deobfuscators by yourself to find out how it works. Here is a post by kao that explains extending de4dot in a more detailed manner.
The identifying class for a deobfuscator is the DeobfuscatorInfo class. It has to provide a Name and a Type string field, where the Type field must be unique. It also has a CreateDeobfuscator method that will handle the actual deobfuscation.
You can find the full code over here. TheProxy wrote a full tutorial with details over at his blog
Sharing the deobfuscator
Now before I go into this, I have to say that you are obligated by the license de4dot uses (GPL) to share any modifications you make to de4dot under the same (GPL) license. This includes extensions that are dynamically loaded by de4dot, although this is controversial.
Now to share the deobfuscator, for example for internal company usage or simply because you want to share prebuilt binaries of your GPL extension, simply copy the bin/deobfuscator.OrangeHeap.dll to the de4dot bin directory on another machine. Here is a screenshot that shows what happens before and after I added the DLL to the bin directory (obviously without any other modifications to de4dot):
Overriding/Extending existing deobfuscators
If you want to change the behavior of an existing deobfuscator, simply make the DeobfuscatorInfo.Type field return an already-present typename (like co for CryptoDeobfuscator or df for Dotfuscator). Basically you have to rip the current deobfuscator class out in a separate project (I tested this). See here for a starting point. It should be pretty straightforward.
Well, that’s all for today. Hopefully till next time!
mrexodia
blog comments powered by Disqus