dotscope 0.7.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289

//! Generic constant decryptor detection.
//!
//! Identifies and registers generic constant decryptor methods — methods that
//! decrypt integer, float, or array constants via FieldRVA-backed data. Common
//! patterns include `T(int32)` generic decryptor methods and `int32(int32)`
//! constant accessors.
//!
//! # Detection
//!
//! Scans for methods with characteristic constant decryptor signatures and
//! FieldRVA-backed data fields.
//!
//! # Passes
//!
//! Does not create its own pass — uses the shared `DecryptionPass` from
//! `create_deob_passes()`. Registers discovered decryptor methods with the
//! analysis context during `initialize()`.

use std::{
    any::Any,
    collections::{HashMap, HashSet},
};

use log::debug;

use crate::{
    analysis::SsaOp,
    cilassembly::CleanupRequest,
    compiler::PassPhase,
    deobfuscation::{
        context::AnalysisContext,
        techniques::{Detection, Detections, Evidence, Technique, TechniqueCategory},
        utils::{
            build_call_site_counts, exclude_cross_calling_candidates, filter_by_call_threshold,
        },
    },
    metadata::{signatures::TypeSignature, tables::TableId, token::Token, typesystem::wellknown},
    CilObject,
};

/// Findings from generic constant decryptor detection.
#[derive(Debug)]
pub struct ConstantFindings {
    /// Tokens of detected constant decryptor methods.
    pub decryptor_methods: HashSet<Token>,
}

/// Detects generic constant decryptor methods.
pub struct GenericConstants;

impl GenericConstants {
    /// Collects candidate methods matching common constant decryptor signatures.
    ///
    /// Scans the MethodDef table for static methods with `int32(int32)` or
    /// `object(int32)` signatures. Excludes constructors.
    ///
    /// # Arguments
    ///
    /// * `assembly` - The assembly to scan for candidate methods.
    fn collect_candidates(&self, assembly: &CilObject) -> Vec<Token> {
        let mut candidates = Vec::new();

        for method_entry in assembly.methods() {
            let method = method_entry.value();

            if !method.is_static() {
                continue;
            }
            if method.name == wellknown::members::CCTOR || method.name == wellknown::members::CTOR {
                continue;
            }

            let param_count = method.signature.params.len();

            // int32(int32) — integer constant accessor
            let is_int_accessor = param_count == 1
                && matches!(method.signature.params[0].base, TypeSignature::I4)
                && matches!(method.signature.return_type.base, TypeSignature::I4);

            // object(int32) — generic constant accessor
            let is_obj_accessor = param_count == 1
                && matches!(method.signature.params[0].base, TypeSignature::I4)
                && matches!(method.signature.return_type.base, TypeSignature::Object);

            if !is_int_accessor && !is_obj_accessor {
                continue;
            }

            // Exclude methods that call other user-defined methods (MethodDef).
            // Real constant decryptors are leaf functions: they do table lookups
            // or arithmetic on their argument, without calling into user code.
            // Methods like sqlite3StatusValue that call wsdStatInit() are utility
            // functions, not decryptors, and their dependencies often fail to
            // emulate (e.g., .cctor failures).
            let calls_user_methods = method.instructions().any(|instr| {
                if instr.mnemonic != "call" && instr.mnemonic != "callvirt" {
                    return false;
                }
                instr
                    .get_token_operand()
                    .is_some_and(|t| t.is_table(TableId::MethodDef))
            });

            if !calls_user_methods {
                candidates.push(method.token);
            }
        }

        candidates
    }
}

impl Technique for GenericConstants {
    fn id(&self) -> &'static str {
        "generic.constants"
    }

    fn name(&self) -> &'static str {
        "Generic Constant Decryptor Detection"
    }

    fn category(&self) -> TechniqueCategory {
        TechniqueCategory::Value
    }

    fn detect(&self, assembly: &CilObject) -> Detection {
        // Phase 1: collect candidates matching constant decryptor signatures.
        let candidates = self.collect_candidates(assembly);
        if candidates.is_empty() {
            return Detection::new_empty();
        }

        // Phase 2: count call sites for all candidates in a single IL pass.
        let counts = build_call_site_counts(assembly, candidates.iter().copied());

        // Phase 3: filter by call-site threshold.
        let decryptors = filter_by_call_threshold(candidates, &counts, 3);

        // Phase 4: exclude candidates that call other candidates (consumers, not decryptors).
        let decryptors = exclude_cross_calling_candidates(decryptors, assembly);
        if decryptors.is_empty() {
            return Detection::new_empty();
        }

        let count = decryptors.len();
        let findings = ConstantFindings {
            decryptor_methods: decryptors,
        };

        Detection::new_detected(
            vec![Evidence::Structural(format!(
                "{count} potential constant decryptor methods"
            ))],
            Some(Box::new(findings) as Box<dyn Any + Send + Sync>),
        )
    }

    fn detect_ssa(&self, ctx: &AnalysisContext, assembly: &CilObject) -> Detection {
        // Phase 1: collect candidates matching constant decryptor signatures.
        let candidates = self.collect_candidates(assembly);
        if candidates.is_empty() {
            return Detection::new_empty();
        }

        // Phase 2: count SSA Call/CallVirt ops targeting candidates.
        // This catches calls hidden behind delegate proxies — after
        // DelegateProxyResolutionPass resolves them, direct Call ops appear.
        let mut counts: HashMap<Token, usize> = candidates.iter().map(|&t| (t, 0)).collect();
        let mut memberref_cache: HashMap<Token, Option<Token>> = HashMap::new();

        for entry in ctx.ssa_functions.iter() {
            for block in entry.value().blocks() {
                for instr in block.instructions() {
                    let token = match instr.op() {
                        SsaOp::Call { method, .. } | SsaOp::CallVirt { method, .. } => {
                            method.token()
                        }
                        _ => continue,
                    };

                    // Direct match
                    if let Some(c) = counts.get_mut(&token) {
                        *c += 1;
                        continue;
                    }

                    // MemberRef indirection
                    if token.is_table(TableId::MemberRef) {
                        let resolved = memberref_cache
                            .entry(token)
                            .or_insert_with(|| assembly.resolver().resolve_memberref_method(token));
                        if let Some(resolved_token) = resolved {
                            if let Some(c) = counts.get_mut(resolved_token) {
                                *c += 1;
                            }
                        }
                    }
                }
            }
        }

        // Phase 3: filter by call-site threshold.
        let decryptors = filter_by_call_threshold(candidates, &counts, 3);

        // Phase 4: exclude candidates that call other candidates (consumers, not decryptors).
        let decryptors = exclude_cross_calling_candidates(decryptors, assembly);
        if decryptors.is_empty() {
            return Detection::new_empty();
        }

        let count = decryptors.len();
        debug!(
            "GenericConstants SSA detection: {} decryptors found ({} total call sites)",
            count,
            decryptors
                .iter()
                .map(|t| counts.get(t).unwrap_or(&0))
                .sum::<usize>()
        );

        let findings = ConstantFindings {
            decryptor_methods: decryptors,
        };

        Detection::new_detected(
            vec![Evidence::Structural(format!(
                "{count} constant decryptor methods (SSA call-site analysis)"
            ))],
            Some(Box::new(findings) as Box<dyn Any + Send + Sync>),
        )
    }

    fn ssa_phase(&self) -> Option<PassPhase> {
        Some(PassPhase::Value)
    }

    fn initialize(
        &self,
        ctx: &AnalysisContext,
        _assembly: &CilObject,
        detection: &Detection,
        _detections: &Detections,
    ) {
        let Some(findings) = detection.findings::<ConstantFindings>() else {
            return;
        };

        for token in &findings.decryptor_methods {
            ctx.decryptors.register(*token);
        }
    }

    fn cleanup(&self, detection: &Detection) -> Option<CleanupRequest> {
        let findings = detection.findings::<ConstantFindings>()?;
        if findings.decryptor_methods.is_empty() {
            return None;
        }
        let mut req = CleanupRequest::new();
        for &token in &findings.decryptor_methods {
            req.add_method(token);
        }
        Some(req)
    }
}

#[cfg(test)]
mod tests {
    use crate::{deobfuscation::techniques::Technique, test::helpers::load_sample};

    /// Verify detection runs without error on a protected sample.
    ///
    /// ConfuserEx uses a unified `T Get<T>(int32)` decryptor that the
    /// ConfuserEx-specific technique handles. The generic technique catches
    /// simpler `int32(int32)` / `object(int32)` patterns from other packers.
    #[test]
    fn test_detect_no_panic_on_obfuscated() {
        let asm = load_sample("tests/samples/packers/confuserex/1.6.0/mkaring_constants.exe");
        let technique = super::GenericConstants;
        let _detection = technique.detect(&asm);
    }

    #[test]
    fn test_detect_negative() {
        let asm = load_sample("tests/samples/packers/confuserex/1.6.0/original.exe");
        let technique = super::GenericConstants;
        let detection = technique.detect(&asm);
        assert!(!detection.is_detected());
    }
}