dotscope 0.7.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284

//! Shared utility functions for ConfuserEx technique modules.
//!
//! Consolidates helpers used by multiple ConfuserEx techniques:
//!
//! - [`find_encrypted_methods`] — identifies methods with encrypted bodies
//! - [`get_method_rva`] — reads a method's RVA from the MethodDef table
//! - [`extract_method_body_at_rva`] — parses a decrypted method body from memory
//! - [`get_field_data_size`] — determines FieldRVA data size via ClassLayout

use std::collections::HashSet;

use crate::{
    deobfuscation::utils::get_field_data_size,
    metadata::{
        method::MethodBody,
        tables::{FieldRvaRaw, ImplMapRaw, MethodDefRaw},
        token::Token,
    },
    CilObject,
};

/// Maximum bytes to read when extracting a method body from memory.
const MAX_METHOD_BODY_SIZE: usize = 65536;

/// Finds methods with encrypted bodies in the assembly.
///
/// These are methods where the RVA is set but the body couldn't be parsed,
/// indicating the method body is encrypted or corrupted.
pub(super) fn find_encrypted_methods(assembly: &CilObject) -> Vec<Token> {
    assembly
        .methods()
        .iter()
        .filter_map(|entry| {
            let method = entry.value();
            if method.rva.is_some_and(|rva| rva > 0) && !method.has_body() {
                Some(method.token)
            } else {
                None
            }
        })
        .collect()
}

/// Returns all method tokens that have a non-zero RVA.
///
/// Includes both methods with valid bodies and encrypted methods. Used when
/// re-extracting all method bodies after anti-tamper decryption, since section
/// layout changes may invalidate existing RVAs.
pub(super) fn find_all_methods_with_rva(assembly: &CilObject) -> Vec<Token> {
    assembly
        .methods()
        .iter()
        .filter_map(|entry| {
            let method = entry.value();
            if method.rva.is_some_and(|rva| rva > 0) {
                Some(method.token)
            } else {
                None
            }
        })
        .collect()
}

/// Gets the RVA for a method from the raw MethodDef table.
pub(super) fn get_method_rva(assembly: &CilObject, token: Token) -> Option<u32> {
    let tables = assembly.tables()?;
    let method_table = tables.table::<MethodDefRaw>()?;
    let row = token.row();
    let method_row = method_table.get(row)?;
    Some(method_row.rva)
}

/// Extracts a decrypted method body from a virtual image at the given RVA.
///
/// Reads bytes from the virtual image, parses the method body header to
/// validate and determine size, re-encodes to canonical format, and returns
/// the bytes ready for storage.
pub(super) fn extract_method_body_at_rva(memory: &[u8], rva: u32) -> Option<Vec<u8>> {
    let rva_usize = rva as usize;
    if rva_usize >= memory.len() {
        return None;
    }

    let available = memory.len() - rva_usize;
    let read_size = available.min(MAX_METHOD_BODY_SIZE);
    let body_slice = &memory[rva_usize..rva_usize + read_size];

    let body = MethodBody::from(body_slice).ok()?;

    let il_start = body.size_header;
    let il_end = il_start + body.size_code;
    if il_end > body_slice.len() {
        return None;
    }
    let il_code = &body_slice[il_start..il_end];

    let mut output = Vec::new();
    body.write_to(&mut output, il_code).ok()?;

    Some(output)
}

/// Extracts decrypted FieldRVA data from a virtual image.
///
/// Anti-tamper encrypts the Constants section alongside method bodies. This
/// function extracts all FieldRVA data entries from the decrypted virtual image.
///
/// Returns `(field_rid, original_rva, decrypted_data)` tuples plus a count of
/// fields that couldn't be extracted.
pub(super) fn extract_decrypted_field_data(
    assembly: &CilObject,
    virtual_image: &[u8],
) -> (Vec<(u32, u32, Vec<u8>)>, usize) {
    let mut fields = Vec::new();
    let mut failed_count = 0;

    let Some(tables) = assembly.tables() else {
        return (fields, failed_count);
    };
    let Some(fieldrva_table) = tables.table::<FieldRvaRaw>() else {
        return (fields, failed_count);
    };

    for row in fieldrva_table {
        let rva = row.rva;
        if rva == 0 {
            continue;
        }

        let Some(field_size) = get_field_data_size(assembly, row.field) else {
            failed_count += 1;
            continue;
        };

        let rva_usize = rva as usize;
        if rva_usize + field_size > virtual_image.len() {
            failed_count += 1;
            continue;
        }

        let data = virtual_image[rva_usize..rva_usize + field_size].to_vec();
        fields.push((row.rid, rva, data));
    }

    (fields, failed_count)
}

/// Finds methods that contain a call/callvirt to any token in `target_tokens`.
///
/// This supplements [`find_methods_calling_apis`](crate::deobfuscation::utils::find_methods_calling_apis)
/// for cases where the target is identified by token rather than name — e.g.,
/// P/Invoke MethodDef tokens resolved from the ImplMap table whose managed
/// names have been obfuscated.
///
/// # Returns
///
/// A [`HashSet`] of method tokens that call at least one of the target tokens.
pub(super) fn find_methods_calling_tokens(
    assembly: &CilObject,
    target_tokens: &HashSet<Token>,
) -> HashSet<Token> {
    if target_tokens.is_empty() {
        return HashSet::new();
    }

    let mut callers = HashSet::new();
    for method_entry in assembly.methods() {
        let method = method_entry.value();
        for instr in method.instructions() {
            if let Some(token) = instr.get_token_operand() {
                if target_tokens.contains(&token) {
                    callers.insert(method.token);
                    break;
                }
            }
        }
    }
    callers
}

/// Resolves P/Invoke import names from the ImplMap table to find MethodDef
/// tokens that map to a specific DLL export.
///
/// ConfuserEx renames P/Invoke method definitions (e.g., "VirtualProtect" → "b"),
/// but the ImplMap table's `import_name` field always holds the real DLL export
/// name. This function scans ImplMap to build a set of MethodDef tokens whose
/// actual import name contains `target_name`.
pub(super) fn resolve_pinvoke_tokens(assembly: &CilObject, target_name: &str) -> HashSet<Token> {
    let mut tokens = HashSet::new();

    let Some(tables) = assembly.tables() else {
        return tokens;
    };
    let Some(strings) = assembly.strings() else {
        return tokens;
    };
    let Some(implmap_table) = tables.table::<ImplMapRaw>() else {
        return tokens;
    };

    for row in implmap_table {
        let Ok(import_name) = strings.get(row.import_name as usize) else {
            continue;
        };
        if import_name.contains(target_name) {
            // member_forwarded points to the MethodDef via coded index.
            tokens.insert(row.member_forwarded.token);
        }
    }

    tokens
}

#[cfg(test)]
mod tests {
    use crate::test::helpers::load_sample;

    #[test]
    fn test_find_encrypted_methods_on_antitamper() {
        let assembly = load_sample("tests/samples/packers/confuserex/1.6.0/mkaring_antitamper.exe");

        let encrypted = super::find_encrypted_methods(&assembly);
        assert!(
            !encrypted.is_empty(),
            "Anti-tamper sample should have encrypted method bodies"
        );
    }

    #[test]
    fn test_find_encrypted_methods_on_original() {
        let assembly = load_sample("tests/samples/packers/confuserex/1.6.0/original.exe");

        let encrypted = super::find_encrypted_methods(&assembly);
        assert!(
            encrypted.is_empty(),
            "Original sample should have no encrypted method bodies"
        );
    }

    #[test]
    fn test_find_all_methods_with_rva() {
        let assembly = load_sample("tests/samples/packers/confuserex/1.6.0/original.exe");

        let methods = super::find_all_methods_with_rva(&assembly);
        assert!(
            !methods.is_empty(),
            "Original sample should have methods with RVAs"
        );
    }

    #[test]
    fn test_resolve_pinvoke_tokens_on_maximum() {
        let assembly = load_sample("tests/samples/packers/confuserex/1.6.0/mkaring_maximum.exe");

        let vp_tokens = super::resolve_pinvoke_tokens(&assembly, "VirtualProtect");
        assert!(
            !vp_tokens.is_empty(),
            "Maximum preset should have VirtualProtect P/Invoke"
        );
    }

    #[test]
    fn test_resolve_pinvoke_tokens_on_original() {
        let assembly = load_sample("tests/samples/packers/confuserex/1.6.0/original.exe");

        let vp_tokens = super::resolve_pinvoke_tokens(&assembly, "VirtualProtect");
        assert!(
            vp_tokens.is_empty(),
            "Original sample should not have VirtualProtect P/Invoke"
        );
    }

    #[test]
    fn test_extract_method_body_at_rva_invalid() {
        // Empty memory should return None
        let result = super::extract_method_body_at_rva(&[], 0);
        assert!(result.is_none(), "Empty memory should return None");

        // RVA beyond memory bounds should return None
        let memory = vec![0u8; 16];
        let result = super::extract_method_body_at_rva(&memory, 100);
        assert!(result.is_none(), "Out-of-bounds RVA should return None");
    }
}