Packer compressing .NET assemblies, (ab)using the PE format for data storage

dr4k0nia/Origami

Origami

Usage

   Origami.exe <file>
   Origami.exe <file> <mode>

Available modes:

-dbg Use the PE header's debug directory for data storage

-pes Use an additional PE section (.origami) for data storage

How it works

Origami takes an input module (the payload), which is compressed and encrypted. The payload is then inserted into a newly created stub module along with a runtime loader that extracts it. Depending on the chosen mode, the payload is either placed in a new section alongside the stub's metadata or hidden in the debug data entries of the stub. The new loader uses a direct pointer (VirtualAddress) to the payload's location instead of traversing the PE header at runtime. To make the direct access possible, I utilize Base Relocations and a customized module building routine in AsmResolver.
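
Both storage locations described above can be checked statically when triaging a sample. The following Python is an added example, not code from the Origami project: it flags a section named .origami (the -pes mode) and any debug directory entry whose SizeOfData exceeds a threshold (a heuristic for the -dbg mode). The 4096-byte threshold, the function names and the constructed sample headers are assumptions of this example; the page does not document how Origami lays out its debug entries.

```python
import struct

DEBUG_DIR = 6            # index of IMAGE_DIRECTORY_ENTRY_DEBUG
MAX_DEBUG_BYTES = 4096   # assumed threshold; CodeView/PDB records are far smaller

def triage(pe):
    """Return findings for the two storage locations described above."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe32_plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32_plus else 96)
    findings, sections = [], []
    for i in range(n_sections):
        entry = opt + opt_size + 40 * i
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, entry)
        sections.append((va, max(vsize, rsize), raw))
        if name.rstrip(b"\0") == b".origami":      # -pes mode
            findings.append(f"section .origami ({rsize} raw bytes)")
    if struct.unpack_from("<I", pe, dirs - 4)[0] > DEBUG_DIR:
        rva, size = struct.unpack_from("<II", pe, dirs + 8 * DEBUG_DIR)
        for va, span, raw in sections:
            if rva and va <= rva < va + span:       # map RVA to file offset
                base = raw + rva - va
                for e in range(base, base + size - 27, 28):
                    dtype, dsize = struct.unpack_from("<II", pe, e + 12)
                    if dsize > MAX_DEBUG_BYTES:     # -dbg mode heuristic
                        findings.append(f"debug entry type {dtype} ({dsize} bytes)")
    return findings

def build_sample(section_name, debug_size):
    """Constructed PE32 headers with one section and one debug entry (demo input)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * DEBUG_DIR, 0x2000, 28)
    sect = struct.pack("<8sIIII16x", section_name, 0x200, 0x2000, 0x200, 0x200)
    debug = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, debug_size, 0, 0)
    head = dos + b"PE\0\0" + coff + opt + bytes(dirs) + sect
    return head.ljust(0x200, b"\0") + debug.ljust(0x200, b"\0")

if __name__ == "__main__":
    for name, size in ((b".origami", 64), (b".text", 200_000), (b".text", 64)):
        print(name.decode(), size, triage(build_sample(name, size)))
```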

Some improvements made in version 2:

  • .NET Core support
  • Costura support
  • Simplified loader

For a detailed explanation of the stub code, check out my blog post.
This blog post is based on an older release of Origami, which uses a different runtime and packing process. I will write an updated blog post when I find the time.

Dependencies

Logo by icons8
