From 73b2904b3033faca8f396a09299e92b6c9e9e0cb Mon Sep 17 00:00:00 2001 From: Mercer <81712403+m3rcer@users.noreply.github.com> Date: Mon, 3 Nov 2025 22:21:55 +0530 Subject: [PATCH 1/6] Create lli.yml --- yml/OtherMSBinaries/lli.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OtherMSBinaries/lli.yml diff --git a/yml/OtherMSBinaries/lli.yml b/yml/OtherMSBinaries/lli.yml new file mode 100644 index 00000000..d81c69b5 --- /dev/null +++ b/yml/OtherMSBinaries/lli.yml @@ -0,0 +1,27 @@ +--- +Name: lli.exe +Description: LLVM Interpreter and Just-In-Time (JIT) compiler for executing LLVM bitcode files (.bc or .ll). +Author: Munaf Shariff +Created: 2025-11-03 +Commands: + - Command: lli.exe "C:\Users\Public\payload.ll" + Description: Executes LLVM Intermediate Representation (IR) or Bitcode using the JIT engine, allowing dynamic runtime code execution. Part of Visual Studio and Rust LLVM toolchain and other external LLVM toolchains used by developers. + Usecase: Can bypass static detection by interpreting or JIT-compiling obfuscated LLVM IR (converted from multiple language source frontends) at runtime. + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows + Tags: + - Execute: EXE +Full_Path: + - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\Llvm\x64\bin\lli.exe + - Path: C:\ProgramData\chocolatey\lib\llvm\tools\llvm\bin\lli.exe +Resources: + - Link: https://github.com/m3rcer/IRvana/blob/main/Interpreters/lli%20-%20ORC%20JIT/README.md#llvm-lli-tool-part-of-llvm-toolchain + - Link: https://github.com/m3rcer/IRvana + - Link: https://rohannk.com/posts/Code-in-the-Middle/ + - Link: https://llvm.org/docs/CommandGuide/lli.html + - Link: https://github.com/llvm/llvm-project +Acknowledgement: + - Person: Munaf Shariff + Handle: '@al3x_m3rcer' \ No newline at end of file From 3c8262801dbbb8f5eb11049795ca2dfbb663dc80 Mon Sep 17 00:00:00 2001 
From: Mercer <81712403+m3rcer@users.noreply.github.com> Date: Mon, 3 Nov 2025 22:26:37 +0530 Subject: [PATCH 2/6] Create lli.yml --- yml/OtherMSBinaries/lli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/lli.yml b/yml/OtherMSBinaries/lli.yml index d81c69b5..eb5bede8 100644 --- a/yml/OtherMSBinaries/lli.yml +++ b/yml/OtherMSBinaries/lli.yml @@ -5,7 +5,7 @@ Author: Munaf Shariff Created: 2025-11-03 Commands: - Command: lli.exe "C:\Users\Public\payload.ll" - Description: Executes LLVM Intermediate Representation (IR) or Bitcode using the JIT engine, allowing dynamic runtime code execution. Part of Visual Studio and Rust LLVM toolchain and other external LLVM toolchains used by developers. + Description: Executes LLVM Intermediate Representation (.ll) or Bitcode (.bc) using the MCJIT or ORCJIT engine, allowing dynamic runtime code execution. Part of Visual Studio and other external LLVM toolchains used by developers. Usecase: Can bypass static detection by interpreting or JIT-compiling obfuscated LLVM IR (converted from multiple language source frontends) at runtime. Category: Execute Privileges: User From 68e53492973573b7e7300e8e3b0c265beee2cead Mon Sep 17 00:00:00 2001 From: Mercer <81712403+m3rcer@users.noreply.github.com> Date: Mon, 3 Nov 2025 22:37:19 +0530 Subject: [PATCH 3/6] Added lli.yml --- yml/OtherMSBinaries/lli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/lli.yml b/yml/OtherMSBinaries/lli.yml index eb5bede8..6762eacc 100644 --- a/yml/OtherMSBinaries/lli.yml +++ b/yml/OtherMSBinaries/lli.yml 
@@ -4,7 +4,7 @@ Description: LLVM Interpreter and Just-In-Time (JIT) compiler for executing LLVM Author: Munaf Shariff Created: 2025-11-03 Commands: - - Command: lli.exe "C:\Users\Public\payload.ll" + - Command: lli.exe payload.ll Description: Executes LLVM Intermediate Representation (.ll) or Bitcode (.bc) using the MCJIT or ORCJIT engine, allowing dynamic runtime code execution. Part of Visual Studio and other external LLVM toolchains used by developers. Usecase: Can bypass static detection by interpreting or JIT-compiling obfuscated LLVM IR (converted from multiple language source frontends) at runtime. Category: Execute From 7a5e56b7a970de0d6baa596eeb5110aacc1b0fd3 Mon Sep 17 00:00:00 2001 From: Mercer <81712403+m3rcer@users.noreply.github.com> Date: Mon, 3 Nov 2025 22:50:07 +0530 Subject: [PATCH 4/6] Update lli.yml --- yml/OtherMSBinaries/lli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/lli.yml b/yml/OtherMSBinaries/lli.yml index 6762eacc..21b3a092 100644 --- a/yml/OtherMSBinaries/lli.yml +++ b/yml/OtherMSBinaries/lli.yml @@ -24,4 +24,4 @@ Resources: - Link: https://github.com/llvm/llvm-project Acknowledgement: - Person: Munaf Shariff - Handle: '@al3x_m3rcer' \ No newline at end of file + Handle: '@al3x_m3rcer' From 8180dd61e68e83738fd64992437b2843951b97db Mon Sep 17 00:00:00 2001 From: Mercer <81712403+m3rcer@users.noreply.github.com> Date: Mon, 3 Nov 2025 23:00:31 +0530 Subject: [PATCH 5/6] Update lli.yml --- yml/OtherMSBinaries/lli.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/yml/OtherMSBinaries/lli.yml b/yml/OtherMSBinaries/lli.yml index 21b3a092..2ea2e528 100644 --- a/yml/OtherMSBinaries/lli.yml +++ b/yml/OtherMSBinaries/lli.yml 
@@ -1,6 +1,6 @@ --- Name: lli.exe -Description: LLVM Interpreter and Just-In-Time (JIT) compiler for executing LLVM bitcode files (.bc or .ll). +Description: LLVM Interpreter and Just-In-Time (JIT) compiler for executing LLVM bitcode files (.bc or .ll) Author: Munaf Shariff Created: 2025-11-03 Commands: @@ -12,7 +12,7 @@ Commands: MitreID: T1127 OperatingSystem: Windows Tags: - - Execute: EXE + - Execute: LLVM IR Full_Path: - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\Llvm\x64\bin\lli.exe - Path: C:\ProgramData\chocolatey\lib\llvm\tools\llvm\bin\lli.exe @@ -20,8 +20,6 @@ Resources: - Link: https://github.com/m3rcer/IRvana/blob/main/Interpreters/lli%20-%20ORC%20JIT/README.md#llvm-lli-tool-part-of-llvm-toolchain - Link: https://github.com/m3rcer/IRvana - Link: https://rohannk.com/posts/Code-in-the-Middle/ - - Link: https://llvm.org/docs/CommandGuide/lli.html - - Link: https://github.com/llvm/llvm-project Acknowledgement: - Person: Munaf Shariff Handle: '@al3x_m3rcer' From 09e7131a64ce33e6bd42f58a53a209ce594f98f0 Mon Sep 17 00:00:00 2001 From: Mercer <81712403+m3rcer@users.noreply.github.com> Date: Mon, 3 Nov 2025 23:13:18 +0530 Subject: [PATCH 6/6] Update lli.yml --- yml/OtherMSBinaries/lli.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/yml/OtherMSBinaries/lli.yml b/yml/OtherMSBinaries/lli.yml index 2ea2e528..affe4947 100644 --- a/yml/OtherMSBinaries/lli.yml +++ b/yml/OtherMSBinaries/lli.yml 
@@ -1,12 +1,17 @@ --- Name: lli.exe -Description: LLVM Interpreter and Just-In-Time (JIT) compiler for executing LLVM bitcode files (.bc or .ll) +Description: LLVM Interpreter and Just-In-Time (JIT) compiler for executing LLVM + bitcode files (.bc or .ll) Author: Munaf Shariff Created: 2025-11-03 Commands: - Command: lli.exe payload.ll - Description: Executes LLVM Intermediate Representation (.ll) or Bitcode (.bc) using the MCJIT or ORCJIT engine, allowing dynamic runtime code execution. Part of Visual Studio and other external LLVM toolchains used by developers. - Usecase: Can bypass static detection by interpreting or JIT-compiling obfuscated LLVM IR (converted from multiple language source frontends) at runtime. + Description: Executes LLVM Intermediate Representation (.ll) or Bitcode (.bc) + using the MCJIT or ORCJIT engine, allowing dynamic runtime code execution. + Part of Visual Studio and other external LLVM toolchains used by + developers. + Usecase: Can bypass static detection by interpreting or JIT-compiling obfuscated + LLVM IR (converted from multiple language source frontends) at runtime. Category: Execute Privileges: User MitreID: T1127 @@ -14,7 +19,8 @@ Commands: Tags: - Execute: LLVM IR Full_Path: - - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\Llvm\x64\bin\lli.exe + - Path: C:\Program Files\Microsoft Visual + Studio\2022\Community\VC\Tools\Llvm\x64\bin\lli.exe - Path: C:\ProgramData\chocolatey\lib\llvm\tools\llvm\bin\lli.exe Resources: - Link: https://github.com/m3rcer/IRvana/blob/main/Interpreters/lli%20-%20ORC%20JIT/README.md#llvm-lli-tool-part-of-llvm-toolchain @@ -22,4 +28,4 @@ Resources: - Link: https://rohannk.com/posts/Code-in-the-Middle/ Acknowledgement: - Person: Munaf Shariff - Handle: '@al3x_m3rcer' + Handle: "@al3x_m3rcer"
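Review bot: the new yml/OtherMSBinaries/lli.yml created in PATCH 1/6 has no Detection section, and none of the five follow-up patches adds one, so the entry describes the Execute technique (T1127) without giving defenders anything to key on. Suggest adding a Detection block with at least one IOC built from what the entry already states, for example lli.exe from either listed Full_Path being started with a .ll or .bc file as its argument.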
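Review bot: in the first hunk of PATCH 5/6 the top-level Description is edited but still reads "LLVM bitcode files (.bc or .ll)", which disagrees with the Commands Description from PATCH 2/6 that separates Intermediate Representation (.ll) from Bitcode (.bc); .ll is the textual IR form, not bitcode. Suggest wording it as "executing LLVM IR (.ll) or bitcode (.bc) files" so both fields match. The last hunk of the same patch also removes the llvm.org CommandGuide link, which was the only upstream documentation among the Resources; consider keeping it next to the research links.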
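Review bot: in the second hunk of PATCH 6/6 the Visual Studio Full_Path is split after "Microsoft Visual", so the value is only correct if the YAML parser folds the line break back into a single space, and anyone searching the file or copying the line gets half a path. Keep each Path on one line, as the chocolatey Path directly below it still is. The wrapping of Description and Usecase in the first hunk is harmless, since those are free text.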