解析 .NET 可执行程序 —— dnfile
工具源码:https://github.com/malwarefrank/dnfile特性
[*]尽可能多地解析,即使文件部分格式错误;
[*]便于使用,开发时考虑了 IDE 自动完成功能;
快速开始
pip install dnfile
然后创建一个简单的程序来加载 .NET 二进制文件、解析它并显示有关流和元数据表的信息。
import sys
import dnfile
filepath = sys.argv
pe = dnfile.dnPE(filepath)
pe.print_info()
一切都是对象,原始结构值存储在对象的 "struct" 属性中,可以从 dnPE 对象的 "net" 属性访问 CLR 目录条目对象。
import dnfile
import hashlib
pe = dnfile.dnPE(FILEPATH)
# access the directory entry raw structure values
pe.net.struct
# access the metadata raw structure values
pe.net.metadata.struct
# access the streams
for s in pe.net.metadata.streams_list:
if isinstance(s, dnfile.stream.MetaDataTables):
# how many Metadata tables are defined in the binary?
num_of_tables = len(s.tables_list)
# the last Metadata tables stream can also be accessed by a shortcut
num_of_tables = len(pe.net.mdtables.tables_list)
# create a set to hold the hashes of all resources
res_hash = set()
# access the resources
for r in pe.net.resources:
# if resource data is a simple byte stream
if isinstance(r.data, bytes):
# hash it and add the hash to the set
res_hash.add(hashlib.sha256(r.data).hexdigest())
# if resource data is a ResourceSet, a dotnet-specific datatype
elif isinstance(r.data, dnfile.resource.ResourceSet):
# if there are no entries
if not r.data.entries:
# skip it
continue
# for each entry in the ResourceSet
for entry in r.data.entries:
# if it has data
if entry.data:
# hash it and add the hash to the set
res_hash.add(hashlib.sha256(entry.data).hexdigest())
页:
[1]