SJITHook (Simple JIT hook) up on GitHub

Just a small little project I decided to release. It allows you to easily create a JIT hook in a .NET application. It can be used to do stuff like dynamic method decryption at runtime (commonly used in obfuscation). You can find the project here: SJITHook.

If you’re unsure how to use it, please read the ReadMe.

Example of what it can do:

[Screenshot: ss (2014-05-11 at 08.15.09)]

I’ll soon release a blog entry here explaining exactly what this project does, and how it works more in depth. 🙂


8 comments

  1. Very interesting tool.

    But how could we use it externally? For example we have Program A that calls Foo() and Bar(). Now we want to see which methods are called and when.

    Ordinarily I would use a loader, but this is not working for this particular project.

    As I write this it occurs to me that we could inject a DLL. But I’ve never explored injecting a C# DLL before.

    1. The easiest way would indeed be to use a loader. You make sure that all methods in the loader are already JIT’d, and then you install SJITHook. After it’s installed you simply load the target application with Reflection and it should be able to catch the calls to Foo() and Bar().

      I hope that makes sense.

  2. Hi ubbelol!
    Thanks for your articles, they are very interesting.
    I have trouble with SJITHook: when, inside “HookedCompileMethod”, I write:

    uint old;
    VirtualProtect(methodInfo->ilCode + 2, sizeof (int), 0x40, out old);
    *(int*) (methodInfo->ilCode + 2) = 1337;
    VirtualProtect(methodInfo->ilCode + 2, sizeof (int), old, out old);

    to change the foo() result from 1000 to 1337, Visual Studio shows me a StackOverflowException on the first “VirtualProtect” instruction. Do you know why?

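The loader approach from the first reply above, sketched as an added example that is not part of the original post or of SJITHook's own code. The `Loader` class and its `PreJit` helper are hypothetical names; the hook-install step is left as a labelled placeholder because SJITHook's API is not shown on this page.

```csharp
// Added example, not SJITHook code. The hook-install step is a placeholder.
using System;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

static class Loader
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // Compile every method of the given assembly up front, so nothing in it
    // still needs the JIT once the hook is active.
    static int PreJit(Assembly asm)
    {
        int prepared = 0;
        foreach (Type type in asm.GetTypes())
        {
            if (type.ContainsGenericParameters) continue; // open generics need type arguments
            foreach (MemberInfo member in type.GetMembers(All))
            {
                MethodBase method = member as MethodBase;  // methods and constructors
                if (method == null || method.ContainsGenericParameters) continue;
                if ((method.Attributes & MethodAttributes.PinvokeImpl) != 0)
                    Marshal.Prelink((MethodInfo)method);   // build the P/Invoke stub now
                else if (method.GetMethodBody() != null)   // skips abstract/extern methods
                    RuntimeHelpers.PrepareMethod(method.MethodHandle);
                else continue;
                prepared++;
            }
        }
        return prepared;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: Loader <target.exe>"); return; }
        Console.WriteLine("Pre-JIT'd {0} loader methods", PreJit(typeof(Loader).Assembly));

        // Placeholder: install SJITHook here as its ReadMe describes (API not shown on this page).

        // Methods of the target are compiled on first call, after the hook is in place.
        Assembly target = Assembly.LoadFile(Path.GetFullPath(args[0]));
        MethodInfo entry = target.EntryPoint;
        object[] entryArgs = entry.GetParameters().Length == 0 ? null : new object[] { new string[0] };
        entry.Invoke(null, entryArgs);
    }
}
```

If the hook callback lives in a separate assembly, pass that assembly to `PreJit` as well before installing the hook.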
