VMAttack
VMAttack copied to clipboard
void-stack
Research on code virtualization in .NET [WIP]
VMAttack - Devirtualization Research Tool
VMAttack is a work-in-progress project focused on .NET Virtual machines. It's currently exploring the virtualization techniques.
The goal is to help security researchers detect and identify malware that uses them.
Getting started • Implemented VMs • Dependencies • Installation •
Getting started
This project is an open-source (GPLv3) being under heavy work in progress and is being created as a study for anyone who wants to explore .NET VMs and learn about CIL Virtualization techniques and how to read them.
Virtualization is a common form of code obfuscation. It transforms code into a virtual program that is no longer recognizable as its source code, allowing it to be executed without the need for a human-readable form. However, this makes it difficult for security analysts to understand the behavior of virtualized programs, as the internal mechanism of commercial obfuscators is a black box.
Implemented VMs
- Eziriz .NET Reactor [WIP]
Others
- KoiVM Washi1337
- CawkVM ElektroKill
- Eazfuscator .NET saneki (new comming soon)
- EazyDevirt (new)
Installation
To build the project from the commandline, use:
$ git clone --recurse-submodules https://github.com/void-stack/VMAttack.git
$ dotnet restore
$ dotnet build
Dependencies
License
void-stack