├── README.md
└── binrev.bat

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Binrev - Automate reversing Windows binaries for pentesters
============

Here is a rough description of what it does, and what tools it is using:

For exe, dll files:
-------------
1. Detect and de-obfuscate .NET libraries with de4dot
2. Decompile .NET libraries with JustDecompile
3. Zip decompiled source code to netsources.zip
4. Run strings against native libraries
5. Export callable functions with dllexp. You can then try to run those functions with the Rundll32 command
6. Export dependencies with depends
7. Extract native resources with resourcesextract

For jar files:
-------------
1. Extract and combine java classes into a single zip file
2. Decompile java sources with procyon
3. Zip decompiled source code to javasources.zip


Requirements
============

* .NET framework: http://www.microsoft.com/en-us/download/details.aspx?id=17851
* Peverify: http://msdn.microsoft.com/en-us/library/62bwd2yd.aspx
* Java 7: http://java.com/en/download/index.jsp
* 7zip: http://www.7-zip.org/
* De4dot: https://bitbucket.org/0xd4d/de4dot
* JustDecompile: http://www.telerik.com/products/decompiler.aspx
* Dll Export Viewer: http://www.nirsoft.net/utils/dll_export_viewer.html
* Depends: http://www.dependencywalker.com/
* Resources Extract: http://www.nirsoft.net/utils/resources_extract.html
* Strings (Sysinternals): https://docs.microsoft.com/en-us/sysinternals/downloads/strings
* Procyon: https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler


Usage
============

1. Configure the correct path to each installed tool in the script (every variable used by the script is listed; `depends` and `resextract` must be set too, or those steps silently do nothing):

```
set justdecompile="JustDecompile\JustDecompile"
set dllexp="dllexp\dllexp"
set depends="depends\depends"
set peverify=peverify
set zip="7-Zip\7z"
set strings="strings"
set resextract="resourcesextract\ResourcesExtract"
set de4dot="de4dot-2.0.3\de4dot"
set java7="C:\Program Files (x86)\Java\jre7\bin\java"
set procyon="procyon-decompiler-0.5.7.jar"
```

2. Run

```
Binrev [Source folder] [Output folder]
```

Output
============
* /java/decompiled: decompiled Java class files
* /native: native win32 libraries
* /native/resextract: native win32 resource files
* /net/decompiled: decompiled .NET projects
* /net/bin: .NET libraries and executables
* /net/deobs: deobfuscated .NET libraries
* /logs: strings on native libraries, exportable functions, dependencies, list of decompiled and native dlls
* /other: unhandled file extensions
--------------------------------------------------------------------------------
/binrev.bat:
--------------------------------------------------------------------------------
@echo off

REM For exe, dll files:
REM Detect and de-obfuscate .NET libraries with de4dot https://bitbucket.org/0xd4d/de4dot
REM Decompile .NET libraries with JustDecompile http://blogs.telerik.com/justteam/posts/11-10-20/command-line-support-and-more-in-justdecompile.aspx
REM Zip decompiled source code to netsources.zip -> Code Review
REM Run strings against native libraries
REM Export callable functions with dllexp http://www.nirsoft.net/utils/dll_export_viewer.html -> Rundll32
REM Export dependencies with depends http://www.dependencywalker.com/
REM Extract native resources with resourcesextract http://www.nirsoft.net/utils/resources_extract.html
REM For jar files:
REM Extract and combine java classes into javabins.jar
REM Decompile with Procyon https://bitbucket.org/mstrobel/procyon/ --> javasources.zip for Code Review

setlocal enabledelayedexpansion

REM Both arguments are required; show the syntax and stop otherwise
if [%1] equ [] goto :SYNTAX
if [%1] equ [-h] goto :SYNTAX
if [%1] equ [/?] goto :SYNTAX
if [%2] equ [] goto :SYNTAX
goto :MAIN

:SYNTAX
echo ------------------------------------------------------------
echo Binaries Reverser (binrev)
echo ------------------------------------------------------------
echo This script can be used to perform binary analysis and reversing of
echo .NET, Java and native components
echo ------------------------------------------------------------
echo Syntax:
echo binrev [Source] [Destination]
exit /b 1
REM #######################################################

:MAIN
REM Paths to the installed tools; adjust these to your environment
set justdecompile="JustDecompile\JustDecompile"
set dllexp="dllexp\dllexp"
set depends="depends\depends"
set peverify=peverify
set zip="7-Zip\7z"
set strings="strings"
set resextract="resourcesextract\ResourcesExtract"
set de4dot="D:\Security\Tools\Reversing Tools\de4dot-2.0.3\de4dot"
set java7="C:\Program Files (x86)\Java\jre7\bin\java"
set procyon="procyon-decompiler-0.5.7.jar"

REM mkdir creates intermediate folders, so %2\net, %2\java and %2\native are created too
mkdir %2\"net\decompiled"
mkdir %2\"net\bin"
mkdir %2\"net\deobs"
mkdir %2\"java\decompiled"
mkdir %2\"native\resextract"
mkdir %2\"other"
mkdir %2\"logs"

echo Parsing Windows binaries (exe, dll) ....

REM Export dependencies with depends
REM Check for .NET libraries with peverify
for /f "delims=*" %%a in ('dir /s /b %1\*.exe %1\*.dll') do (
    REM ~nx keeps only the file name and extension of the current path
    set fileName=%%~nxa
    %depends% /c /oc:"%2\logs\!fileName!.csv" "%%a"
    %peverify% /MD /QUIET /IGNORE=0x80131b18 "%%a" > nul
    REM peverify exits with 0 for a .NET assembly; native images and errors give a non-zero code
    if errorlevel 0 if not errorlevel 1 (
        REM Export .NET project with justdecompile
        %justdecompile% /out "%2/net/decompiled" /target "%%a"
        copy "%%a" "%2\net\bin" >nul
        echo "%%a" >> %2\logs\decompiled_dlls.txt
    ) else (
        copy "%%a" "%2\native" >nul
        echo "%%a" >> %2\logs\native_dlls.txt
        echo ===== "%%a" ====== >>%2\logs\strings.txt
        %strings% "%%a" >>%2\logs\strings.txt
        %resextract% /Source "%%a" /DestFolder "%2\native\resextract"
    )
)

REM Obfuscation detection
%de4dot% -r %1 -ru -ro %2\net\deobs | find /I /V "unknown" >%2\logs\de4dot.txt
for /f "delims=*" %%a in ('dir /s /b %2\net\deobs\*.exe %2\net\deobs\*.dll') do (
    %justdecompile% /out "%2/net/decompiled" /target "%%a"
)

REM %~f2 is the output folder as a full path, so a relative or absolute %2 both work
%zip% a -r "%2\netsources.zip" "%~f2\net\decompiled" >nul

REM Export callable functions with dllexp
echo Exporting native windows binaries callable functions ...
%dllexp% /from_files "%2\native\*.*" /scomma "%2\logs\export_functions.csv"

REM Copy all jar files (recursively, matching the list written to jars.txt)
REM Extract them all to .class files (warning: classes with the same path overwrite each other)
REM Zip them back into a single archive.
echo Copying jar files ...
dir /s /b %1\*.jar > %2\logs\jars.txt
for /f "delims=*" %%a in ('dir /s /b %1\*.jar') do copy "%%a" "%2\java" >nul
%zip% x -r -y -o"%2\java\bin" "%2\java\*.jar" >nul
%zip% a -r "%2\java\javabins.jar" "%~f2\java\bin" >nul
%java7% -jar %procyon% -jar "%2\java\javabins.jar" -o "%2\java\decompiled" > nul
%zip% a -r "%2\javasources.zip" "%~f2\java\decompiled" >nul
rmdir /S /Q "%2\java\bin" > nul

--------------------------------------------------------------------------------
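The script's whole split between the net and native output folders rests on peverify's exit code, which also fails on valid but unverifiable assemblies and needs the .NET SDK installed. As an added example that is not part of the Binrev project, the Python below performs the same triage the batch file does (exe/dll into net or native, jar into java, everything else into other) but decides managed versus native by reading the PE header directly: a .NET image has a non-empty CLR runtime header in data directory slot 14, and the slot sits at a different offset for PE32 and PE32+ images. The two sample images are constructed header-only stubs, not real executables, and the function names are my own.

```python
import os
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR runtime header


def classify_pe(data: bytes) -> str:
    """Return 'dotnet', 'native' or 'not-pe' from the PE headers alone."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte signature plus 20-byte COFF header must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_optional < 2 or opt + size_of_optional > len(data):
        return "not-pe"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at optional header offset 92
        num_rva_off = opt + 92
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at offset 108
        num_rva_off = opt + 108
    else:
        return "not-pe"
    if num_rva_off + 4 > opt + size_of_optional:
        return "native"       # truncated optional header, no data directories at all
    num_dirs = struct.unpack_from("<I", data, num_rva_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return "native"       # too few directories to even hold a CLR header entry
    dir_off = num_rva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if dir_off + 8 > opt + size_of_optional:
        return "native"
    rva, size = struct.unpack_from("<II", data, dir_off)
    return "dotnet" if rva and size else "native"


def triage(files: dict) -> dict:
    """Sort {filename: bytes} into the buckets binrev uses for its output folders.
    Unlike the batch file, a .dll/.exe that is not a parseable PE goes to 'other'."""
    buckets = {"net": [], "native": [], "java": [], "other": []}
    for name, data in files.items():
        ext = os.path.splitext(name.lower())[1]
        if ext == ".jar":
            buckets["java"].append(name)
        elif ext in (".exe", ".dll"):
            kind = classify_pe(data)
            bucket = {"dotnet": "net", "native": "native"}.get(kind, "other")
            buckets[bucket].append(name)
        else:
            buckets["other"].append(name)
    return buckets


def build_sample_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub, COFF header, optional header with
    16 data directories). Only the fields classify_pe reads are meaningful."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic = 0x20B if pe32plus else 0x10B
    fixed = 112 if pe32plus else 96   # optional header bytes before the data directories
    num_dirs = 16
    size_opt = fixed + 8 * num_dirs
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2102)
    optional = bytearray(size_opt)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<I", optional, fixed - 4, num_dirs)
    if managed:
        # constructed RVA and the usual 72-byte (0x48) CLR header size
        struct.pack_into("<II", optional, fixed + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(optional)


# Constructed sample input standing in for the files found under [Source folder]
SAMPLE_FILES = {
    "app.exe": build_sample_pe(managed=True),
    "helper.dll": build_sample_pe(managed=False),
    "svc64.dll": build_sample_pe(managed=True, pe32plus=True),
    "lib.jar": b"PK\x03\x04",
    "readme.txt": b"not a binary",
    "bogus.dll": b"junk that is not a PE image",
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_FILES).items():
        print(f"{bucket:7s} {names}")
```

On a real tree, replace `SAMPLE_FILES` with a walk of the source folder that reads each file; the header check costs a few hundred bytes of I/O per file, so it is cheap to run before the heavier decompilation steps, and it lets the script record why a file was routed the way it was (for example, a PE32+ image whose CLR header slot is empty is native, not a failed verification).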