
Commit e9db9ef

Rev 0.0
0 parents  commit e9db9ef

File tree

2 files changed

+170
-0
lines changed


Diff for: README.md

+68
@@ -0,0 +1,68 @@
1+
Binrev- Automate reversing Windows binaries for pentesters
2+
============
3+
4+
Here is a rough description of what it does, and what tools it is using:
5+
6+
For exe, dll files:
7+
-------------
8+
1. Detect and de-obfuscate for .NET libraries with de4dot
9+
2. Decompile .NET libraries with JustDecompile
10+
3. Zip decompiled source code to netsources.zip
11+
4. Run strings against native libraries
12+
5. Export calleable functions with dllexp. You can then try to run those functions with command Rundll32 <dll>,<function name>
13+
6. Export dependencies with depends
14+
7. Extract native resources with resourcesextract
15+
16+
For jar files:
17+
-------------
18+
1. Extract and combine java classes into a single zip file
19+
2. Decompile java sources with procyon
20+
3. Zip decompiled source code to javasources.zip
21+
22+
23+
Requirement
24+
============
25+
26+
* .NET framework: http://www.microsoft.com/en-us/download/details.aspx?id=17851
27+
* Peverify: http://msdn.microsoft.com/en-us/library/62bwd2yd.aspx
28+
* Java 7: http://java.com/en/download/index.jsp
29+
* 7zip: http://www.7-zip.org/
30+
* De4dot: https://bitbucket.org/0xd4d/de4dot
31+
* JustDecompile: http://www.telerik.com/products/decompiler.aspx
32+
* Dll Export Viewer: http://www.nirsoft.net/utils/dll_export_viewer.html
33+
* Depends: http://www.dependencywalker.com/
34+
* Resources Extract: http://www.nirsoft.net/utils/resources_extract.html
35+
* Procyon https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
36+
37+
38+
Usage
39+
============
40+
41+
1. Configure correct path to installed tools in the script:
42+
```
43+
set justdecompile="JustDecompile\JustDecompile"
44+
set dllexp="dllexp\dllexp"
45+
set peverify=peverify
46+
set zip="7-Zip\7z"
47+
set strings="strings"
48+
set de4dot=" de4dot-2.0.3\de4dot"
49+
set java7="C:\Program Files (x86)\Java\jre7\bin\java"
50+
set procyon="procyon-decompiler-0.5.7.jar"
51+
```
52+
53+
2. Run
54+
55+
```
56+
Binrev [Source folder] [Output folder]
57+
```
58+
59+
Output
60+
============
61+
* /java/decompiled: decompiled Java class files
62+
* /native: native win32 libraries
63+
* /native/resextract: native win32 resource files
64+
* /net/decompiled: decompiled .NET projects
65+
* /net/bin: .NET libraries and executables
66+
* /net/deobs: deobfuscated .NET libraries
67+
* /logs: strings on native libraries, exportable functions, dependencies, list of decompiled and native dlls
68+
* /other: unhandled file extensions
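Review bot: the Usage configuration block is missing `set resextract=...`, which the script sets and relies on for native resource extraction, so a reader who configures only the eight variables shown here will have a broken resources step; add `set resextract="resourcesextract\ResourcesExtract"` to the block. Under Requirement, PeVerify is listed without saying what it is used for; one sentence noting that the script uses it to classify each exe/dll as managed (.NET) or native, and that the .NET decompile path depends on it, would help. Smaller points: "calleable" should be "callable" in step 5, "Requirement" should be "Requirements", and step 3 says netsources.zip while the script's header comment says netresources.zip; settle on one name.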

Diff for: binrev.bat

+102
@@ -0,0 +1,102 @@
1+
@echo off
2+
3+
REM For exe, dll files:
4+
REM Detect and de-obfuscate for .NET libraries with de4dot https://bitbucket.org/0xd4d/de4dot
5+
REM Decompile .NET libraries with JustDecompile http://blogs.telerik.com/justteam/posts/11-10-20/command-line-support-and-more-in-justdecompile.aspx
6+
REM Zip decompiled source code to netresources.zip -> Code Review
7+
REM Run strings against native libraries
8+
REM Export calleable functions with dllexp http://www.nirsoft.net/utils/dll_export_viewer.html -> Rundll32
9+
REM Export dependencies with depends http://www.dependencywalker.com/
10+
REM Extract native resources with resourcesextract http://www.nirsoft.net/utils/resources_extract.html
11+
REM For jar files:
12+
REM Extract and combine java classes into javabins.jar
13+
REM Decompile with Procycon https://bitbucket.org/mstrobel/procyon/ --> javasources.zip for Code Review
14+
15+
setlocal enabledelayedexpansion
16+
17+
if [%1] equ [] goto :SYNTAX
18+
if [%1] equ [-h] goto :SYNTAX
19+
if [%1] equ [/?] goto :SYNTAX
20+
21+
22+
:SYNTAX
23+
echo ------------------------------------------------------------
24+
echo Binaries Reverser (binrev)
25+
echo ------------------------------------------------------------
26+
echo This script can be used to perform binary analysis and reversing of
27+
echo .NET, Java and native components
28+
echo ------------------------------------------------------------
29+
echo Syntax:
30+
echo binrev [Source] [Destination]
31+
REM #######################################################
32+
33+
34+
35+
rem if %1=
36+
set justdecompile="JustDecompile\JustDecompile"
37+
set dllexp="dllexp\dllexp"
38+
set peverify=peverify
39+
set zip="7-Zip\7z"
40+
set strings="strings"
41+
set resextract="resourcesextract\ResourcesExtract"
42+
set de4dot="D:\Security\Tools\Reversing Tools\de4dot-2.0.3\de4dot"
43+
set java7="C:\Program Files (x86)\Java\jre7\bin\java"
44+
set procyon="procyon-decompiler-0.5.7.jar"
45+
46+
mkdir %2\"net\decompiled"
47+
mkdir %2\"net\bin"
48+
mkdir %2\"net\deobs"
49+
mkdir %2\"java\decompiled"
50+
mkdir %2\"native\resextract"
51+
mkdir %2\"other"
52+
mkdir %2\"logs"
53+
54+
echo Parsing Windows binaries (exe, dll) ....
55+
56+
REM Export dependency with dpends
57+
REM Check for .NET libraries with peverify
58+
for /f "delims=*" %%a in ('dir /s /b %1\*.exe %1\*.dll') do (
59+
REM http://stackoverflow.com/questions/10393248/get-filename-from-string-path
60+
for %%F in (%%a) do set fileName=%%~nxF
61+
depends /c /oc:"%2\logs\!fileName!".csv "%%a"
62+
%peverify% /MD /QUIET /IGNORE=0x80131b18 "%%a" > nul
63+
REM If .NET library
64+
if errorlevel 0 if not errorlevel 1 (
65+
REM Export .NET project with justdecompile
66+
%justdecompile% /out "%2/net/decompiled" /target "%%a"
67+
copy "%%a" "%2\net\bin" >nul
68+
echo "%%a" >> %2\logs\decompiled_dlls.txt
69+
) else (
70+
copy "%%a" "%2\native" >nul
71+
echo "%%a" >> %2\logs\native_dlls.txt
72+
echo ===== "%%a" ====== >>%2\logs\strings.txt
73+
strings %%a >>%2\logs\strings.txt
74+
%resextract% /Source %%a /DestFolder "%2\native\resextract"
75+
76+
)
77+
)
78+
79+
REM Obfuscation detection
80+
%de4dot% -r %1 -ru -ro %2\net\deobs | find /I /V "unknown" >%2\logs\de4dot.txt
81+
for /f "delims=*" %%a in ('dir /s /b %2\net\deobs\*.exe %2\net\deobs\*.dll') do (
82+
%justdecompile% /out "%2/net/decompiled" /target "%%a"
83+
)
84+
85+
%zip% a -r "%2\netsources.zip" "%CD%\%2\net\decompiled" >nul
86+
87+
REM Export calleable function with dllexp
88+
echo Exporting native windows binaries calleable functions ...
89+
%dllexp% /from_files "%2\native\*.*" /scomma "%2\logs\export_functions.csv"
90+
91+
REM Copy all jar files
92+
REM Extract them all to .class files (warning: duplicates may get deleted)
93+
REM Zip them back into a single archive.
94+
echo Copying jar files ...
95+
copy "%1\*.jar" "%2\java" >nul
96+
dir /s /b %1\*.jar > %2\logs\jars.txt
97+
%zip% x -ry -o"%2\java\bin" "%2\java" >nul
98+
%zip% a -r "%2\java\javabins.jar" "%CD%\%2\java\bin" >nul
99+
%java7% -jar %procyon% -jar "%2\java\javabins.jar" -o "%2\java\decompiled" > nul
100+
%zip% a -r "%2\javasources.zip" "%CD%\%2\java\decompiled" >nul
101+
del /F /S /Q "%2\java\bin" > nul
102+
