VMAttack - Devirtualization Research Tool
VMAttack is a work-in-progress project focused on .NET Virtual machines. It's currently exploring the virtualization techniques.
The goal is to help security researchers detect and identify malware that uses them.
Getting started β’ Implemented VMs β’ Dependencies β’ Installation β’
Getting started
This project is an open-source (GPLv3) being under heavy work in progress and is being created as a study for anyone who wants to explore .NET VMs and learn about CIL Virtualization techniques and how to read them.
Virtualization is a common form of code obfuscation. It transforms code into a virtual program that is no longer recognizable as its source code, allowing it to be executed without the need for a human-readable form. However, this makes it difficult for security analysts to understand the behavior of virtualized programs, as the internal mechanism of commercial obfuscators is a black box.
Implemented VMs
- Eziriz .NET Reactor [WIP]
Others
- KoiVM Washi1337
- CawkVM ElektroKill
- Eazfuscator .NET saneki (new comming soon)
- EazyDevirt (new)
Installation
To build the project from the commandline, use:
$ git clone --recurse-submodules https://github.com/void-stack/VMAttack.git
$ dotnet restore
$ dotnet build
