29 Jan

Improved dotNET Tracer

dotNET Tracer is a great tool created by my friend Kurapica. It provides information that is really useful for analyzing various .NET protections, such as which modules are being loaded, which functions are being JIT-compiled, and so on.
DotNET Tracer main window

Unfortunately, it is missing some features and has some small bugs. For example, the DisguiserNET.Sample.GUI unpackme by li0nsar3c00l (another friend of mine!) detects dotNET Tracer and refuses to run:

Disguiser detects dotNET Tracer

Cause of the problem

It's actually quite simple. dotNET Tracer uses the .NET CLR Profiling API to gather its information. To do that, it needs to set several environment variables before starting the target, as you can see in Form_Main.cs:

After the profiling DLL (system.dll) is initialized, it resets the first two environment variables but forgets to reset the third one. Disguiser detects the presence of that leftover variable and crashes. Oops.
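To make the failure mode concrete, here is a small added example (mine, not dotNET Tracer's code, which is not public) that models the environment a tracer hands to its target as a plain dictionary. The CLR reads documented variables (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH, and their CORECLR_* and _32/_64 variants on newer runtimes) to decide whether to load a profiler; the page does not say which three variables the tool sets or which one it missed, so treating those three as "the three" and COR_PROFILER_PATH as the forgotten one is an assumption of this example. The CLSID and DLL path are placeholders. The point it demonstrates goes slightly beyond the post: a reset that clears variables by name pattern rather than by a hard-coded list also covers the variant names, and `leftover_profiler_vars` is the self-check a tracer author can run to confirm nothing detectable remains.

```python
import re
from typing import Dict, List

# Names the CLR consults when deciding whether to load a profiler DLL.
# COR_* are the classic .NET Framework variables, CORECLR_* the .NET Core
# equivalents; the _32/_64 suffixes select a path per bitness.
PROFILER_VAR_PATTERN = re.compile(
    r"^(COR|CORECLR)_(ENABLE_PROFILING|PROFILER(_PATH(_32|_64)?)?)$"
)


def attach_profiler_env(env: Dict[str, str], clsid: str, dll_path: str) -> Dict[str, str]:
    """Return a copy of env with the variables a tracer sets so the CLR loads its profiler.

    Assumption for this example: the tracer sets exactly these three variables.
    """
    out = dict(env)
    out["COR_ENABLE_PROFILING"] = "1"
    out["COR_PROFILER"] = clsid          # CLSID of the profiler COM object (placeholder here)
    out["COR_PROFILER_PATH"] = dll_path  # path to the profiler DLL (placeholder here)
    return out


def buggy_reset(env: Dict[str, str]) -> Dict[str, str]:
    """Model of the bug described in the post: only two of the three variables are cleared."""
    out = dict(env)
    out.pop("COR_ENABLE_PROFILING", None)
    out.pop("COR_PROFILER", None)
    # COR_PROFILER_PATH is (by assumption) the forgotten one and stays visible.
    return out


def fixed_reset(env: Dict[str, str]) -> Dict[str, str]:
    """Clear every profiler-related variable by name pattern, so variants are covered too."""
    return {k: v for k, v in env.items() if not PROFILER_VAR_PATTERN.match(k)}


def leftover_profiler_vars(env: Dict[str, str]) -> List[str]:
    """Which profiler variables are still visible in the environment?

    This is the same check an anti-profiler protection performs, and the
    self-test a tracer author should run after the reset step.
    """
    return sorted(k for k in env if PROFILER_VAR_PATTERN.match(k))


if __name__ == "__main__":
    # Constructed sample environment; CLSID and DLL path are placeholders.
    base = {"PATH": r"C:\Windows\system32", "USERNAME": "analyst"}
    profiled = attach_profiler_env(
        base, "{00000000-0000-0000-0000-000000000000}", r"C:\tools\system.dll"
    )
    print("after buggy reset:", leftover_profiler_vars(buggy_reset(profiled)))
    print("after fixed reset:", leftover_profiler_vars(fixed_reset(profiled)))
```

Run stand-alone, the buggy reset leaves `COR_PROFILER_PATH` behind, which is exactly what a protection needs to notice a profiler was attached, while the pattern-based reset leaves nothing. The reason to match by pattern rather than by list is that the set of variable names has grown over time (CORECLR_*, _32/_64), and a hard-coded list is what produced the original off-by-one omission.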

Solution

After spending some time on both the tracer and the unpackme, I'm happy to present a fixed version of dotNET Tracer. So far I have:

  1. Created a workaround for li0n's anti-profiler trick;
  2. Added logging of "Module load finished" events. This prints the image base of each loaded DLL and thus makes dumping resources from memory easier;
  3. Made the traced process get killed automatically when you close dotNET Tracer.

Disguiser running just fine
Now I can spend more time on the unpackme. :)

Download link for binaries: http://www.mediafire.com/?8zfaukefx39i32n
I respect Kurapica's wishes and therefore source code will not be made available.

5 thoughts on “Improved dotNET Tracer”

  1. Made some updates
    * Added command-line support
    * Improved right-click jumps to .NET Reflector

    http://bit.do/KDT_2_1
    _________________________________________________________________________
    btw in case you like to sign up at the Black Storm forum, that python line might
    [ chr(int (x, 16) ) for x in "68 65 6C 70".split() ]
    you to answer their registration question. :)
    "".join( [ chr(int (x, 2) ) for x in "0b1001000 0b1100101 0b1101100 0b1101100 0b1101111 0b100000 0b1010111 0b1101111 0b1110010 0b1101100 0b1100100 0b100001".split() ] )

    • Comment approved, even though I generally don't allow other people to do self-promotions on my blog. ;)

      Disclaimer: I haven't checked the link above. Use at your own risk.
