Packer compressing .NET assemblies, (ab)using the PE format for data storage
```
Origami.exe <file>
Origami.exe <file> <mode>
    -dbg    Use PE headers debug directory for data storage
    -pes    Use additional PE Section (.origami) for data storage
```
Origami takes an input module (payload), which gets compressed and encrypted. The payload is then inserted into a newly created stub module along with a runtime loader for payload extraction. Depending on the chosen mode, the payload is either placed in a new section alongside the stub's metadata or hidden in the debug data entries of the stub. The new loader uses a direct pointer (VirtualAddress) to the payload's location instead of traversing the PE header at runtime. To make the direct access possible, I utilize Base Relocations and a customized module building routine in AsmResolver.
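A static triage check for the two storage modes described above, as an added example that is not part of Origami or its author's code. The function names, the constructed sample image and the 0x1000-byte debug-data threshold are assumptions made for illustration.

```python
import struct

def build_sample(section_name=b".origami", dbg_size=0x4000):
    """Constructed minimal PE32 image (headers + one debug entry), sample input only."""
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 6 * 8, 0x2000, 28)  # debug directory RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = struct.pack("<8sIIIIIIHHI", section_name, 0x1000, 0x2000,
                       0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, 0, dbg_size, 0x2100, 0x300)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + dbg.ljust(0x200, b"\0")

def triage(data, max_debug_bytes=0x1000):
    """Flag a '.origami' section (-pes) and oversized debug entries (-dbg)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 layout
    dbg_rva, dbg_len = struct.unpack_from("<II", data, dirs + 6 * 8)
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 6:  # no debug directory slot
        dbg_len = 0
    findings, sections = [], []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((va, max(vsize, rsize), rptr))
        if name == ".origami":
            findings.append(f"section {name} ({rsize} raw bytes)")
    for va, span, rptr in sections:                       # map debug RVA to file offset
        if va <= dbg_rva < va + span:
            base = rptr + dbg_rva - va
            for off in range(base, base + dbg_len, 28):   # IMAGE_DEBUG_DIRECTORY entries
                dtype, size = struct.unpack_from("<II", data, off + 12)
                # Assumed heuristic: an embedded PDB can also exceed the threshold.
                if size > max_debug_bytes:
                    findings.append(f"debug entry type {dtype} with {size} bytes of data")
    return findings

if __name__ == "__main__":
    print(triage(build_sample()))
```

A section name is trivial to change, so treat a hit as a lead for further analysis rather than a verdict, and tune the debug threshold against known-good builds.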
Some improvements made in version 2:
- .NET Core support
- Costura support
- Simplified loader
For a detailed explanation of the stub code, check out my blog post. This blog post is based on an older release of Origami, which uses a different runtime and packing process. I will write an updated blog post when I find the time.
- AsmResolver by Washi
Logo by icons8