├── README.md
└── binrev.bat


/README.md:
--------------------------------------------------------------------------------
 1 | Binrev- Automate reversing Windows binaries for pentesters
 2 | ============
 3 | 
 4 | Here is a rough description of what it does, and what tools it is using:
 5 | 
 6 | For exe, dll files:
 7 | -------------
 8 | 1.	Detect and de-obfuscate for .NET libraries with de4dot 
 9 | 2.	Decompile .NET libraries with JustDecompile 
10 | 3.	Zip decompiled source code to netsources.zip 
11 | 4.	Run strings against native libraries
12 | 5.	Export calleable functions with dllexp. You can then try to run those functions with command Rundll32 <dll>,<function name> 
13 | 6.	Export dependencies with depends 
14 | 7.	Extract native resources with resourcesextract 
15 | 
16 | For jar files: 
17 | -------------
18 | 1.	Extract and combine java classes into a single zip file
19 | 2.	Decompile java sources with procyon 
20 | 3.	Zip decompiled source code to javasources.zip
21 | 
22 | 
23 | Requirement
24 | ============
25 | 
26 | * .NET framework: http://www.microsoft.com/en-us/download/details.aspx?id=17851
27 | * Peverify: http://msdn.microsoft.com/en-us/library/62bwd2yd.aspx
28 | * Java 7: http://java.com/en/download/index.jsp
29 | * 7zip: http://www.7-zip.org/
30 | * De4dot: https://bitbucket.org/0xd4d/de4dot
31 | * JustDecompile: http://www.telerik.com/products/decompiler.aspx
32 | * Dll Export Viewer: http://www.nirsoft.net/utils/dll_export_viewer.html
33 | * Depends: http://www.dependencywalker.com/
34 | * Resources Extract: http://www.nirsoft.net/utils/resources_extract.html
35 | * Procyon https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
36 | 
37 | 
38 | Usage
39 | ============
40 | 
41 | 1.	Configure correct path to installed tools in the script:
42 | ```
43 | set justdecompile="JustDecompile\JustDecompile"
44 | set dllexp="dllexp\dllexp"
45 | set peverify=peverify
46 | set zip="7-Zip\7z"
47 | set strings="strings"
48 | set de4dot=" de4dot-2.0.3\de4dot"
49 | set java7="C:\Program Files (x86)\Java\jre7\bin\java"
50 | set procyon="procyon-decompiler-0.5.7.jar"
51 | ```
52 | 
53 | 2.	Run
54 | 
55 | ```
56 | Binrev [Source folder] [Output folder]
57 | ```
58 | 
59 | Output
60 | ============
61 | * /java/decompiled: decompiled Java class files
62 | * /native: native win32 libraries
63 | * /native/resextract: native win32 resource files
64 | * /net/decompiled: decompiled .NET projects
65 | * /net/bin: .NET libraries and executables
66 | * /net/deobs: deobfuscated .NET libraries
67 | * /logs: strings on native libraries, exportable functions, dependencies, list of decompiled and native dlls
68 | * /other: unhandled file extensions


--------------------------------------------------------------------------------
/binrev.bat:
--------------------------------------------------------------------------------
  1 | @echo off
  2 | 
  3 | REM For exe, dll files:
  4 | 	REM Detect and de-obfuscate for .NET libraries with de4dot https://bitbucket.org/0xd4d/de4dot
  5 | 	REM Decompile .NET libraries with JustDecompile http://blogs.telerik.com/justteam/posts/11-10-20/command-line-support-and-more-in-justdecompile.aspx
  6 | 	REM Zip decompiled source code to netresources.zip -> Code Review
  7 | 	REM Run strings against native libraries
  8 | 	REM Export calleable functions with dllexp http://www.nirsoft.net/utils/dll_export_viewer.html -> Rundll32 
  9 |     REM Export dependencies with depends http://www.dependencywalker.com/
 10 | 	REM Extract native resources with resourcesextract http://www.nirsoft.net/utils/resources_extract.html
 11 | REM For jar files:
 12 | 	REM Extract and combine java classes into javabins.jar
 13 | 	REM Decompile with Procycon https://bitbucket.org/mstrobel/procyon/ --> javasources.zip for Code Review
 14 | 
 15 | setlocal enabledelayedexpansion
 16 | 
 17 | if [%1] equ [] goto :SYNTAX
 18 | if [%1] equ [-h] goto :SYNTAX
 19 | if [%1] equ [/?] goto :SYNTAX
 20 | 
 21 | 
 22 | :SYNTAX
 23 | echo ------------------------------------------------------------
 24 | echo             Binaries Reverser (binrev)
 25 | echo ------------------------------------------------------------
 26 | echo This script can be used to perform binary analysis and reversing of 
 27 | echo .NET, Java and native components
 28 | echo ------------------------------------------------------------
 29 | echo Syntax: 
 30 | echo binrev [Source] [Destination]
 31 | REM #######################################################
 32 | 
 33 | 
 34 | 
 35 | rem if %1=
 36 | set justdecompile="JustDecompile\JustDecompile"
 37 | set dllexp="dllexp\dllexp"
 38 | set peverify=peverify
 39 | set zip="7-Zip\7z"
 40 | set strings="strings"
 41 | set resextract="resourcesextract\ResourcesExtract"
 42 | set de4dot="D:\Security\Tools\Reversing Tools\de4dot-2.0.3\de4dot"
 43 | set java7="C:\Program Files (x86)\Java\jre7\bin\java"
 44 | set procyon="procyon-decompiler-0.5.7.jar"
 45 | 
 46 | mkdir %2\"net\decompiled"
 47 | mkdir %2\"net\bin"
 48 | mkdir %2\"net\deobs"
 49 | mkdir %2\"java\decompiled"
 50 | mkdir %2\"native\resextract"
 51 | mkdir %2\"other"
 52 | mkdir %2\"logs"
 53 | 
 54 | echo Parsing Windows binaries (exe, dll) ....
 55 | 
 56 | REM Export dependency with dpends
 57 | REM Check for .NET libraries with peverify
 58 | for /f   "delims=*" %%a in ('dir /s /b  %1\*.exe  %1\*.dll') do (
 59 | REM http://stackoverflow.com/questions/10393248/get-filename-from-string-path
 60 | for %%F in (%%a) do set fileName=%%~nxF
 61 | %depends% /c /oc:"%2\logs\!fileName!".csv "%%a"
 62 | %peverify% /MD /QUIET /IGNORE=0x80131b18 "%%a"  > nul
 63 | REM If .NET library
 64 | if errorlevel 0 if not errorlevel 1 (
 65 | REM Export .NET project with justdecompile
 66 | %justdecompile% /out "%2/net/decompiled" /target "%%a"
 67 | copy "%%a" "%2\net\bin" >nul
 68 | echo "%%a" >> %2\logs\decompiled_dlls.txt
 69 | ) else (
 70 | copy "%%a" "%2\native" >nul
 71 | echo "%%a" >> %2\logs\native_dlls.txt
 72 | echo ===== "%%a" ====== >>%2\logs\strings.txt
 73 | strings %%a >>%2\logs\strings.txt
 74 | %resextract% /Source %%a  /DestFolder "%2\native\resextract"
 75 | 
 76 | )
 77 | )
 78 | 
 79 | REM Obfuscation detection
 80 | %de4dot%  -r %1 -ru -ro  %2\net\deobs | find /I /V "unknown" >%2\logs\de4dot.txt
 81 | for /f   "delims=*" %%a in ('dir /s /b  %2\net\deobs\*.exe  %2\net\deobs\*.dll') do (
 82 | %justdecompile% /out "%2/net/decompiled" /target "%%a"
 83 | )
 84 | 
 85 | %zip% a -r  "%2\netsources.zip" "%CD%\%2\net\decompiled" >nul 
 86 | 
 87 | REM Export calleable function with dllexp
 88 | echo Exporting native windows binaries calleable functions ...
 89 | %dllexp% /from_files "%2\native\*.*" /scomma "%2\logs\export_functions.csv"
 90 | 
 91 | REM Copy all jar files
 92 | REM Extract them all to .class files (warning: duplicates may get deleted)
 93 | REM Zip them back into a single archive. 
 94 | echo Copying jar files ...
 95 | copy "%1\*.jar" "%2\java" >nul
 96 | dir /s /b  %1\*.jar > %2\logs\jars.txt 
 97 | %zip% x -ry -o"%2\java\bin" "%2\java" >nul
 98 | %zip% a -r  "%2\java\javabins.jar" "%CD%\%2\java\bin" >nul 
 99 | %java7% -jar %procyon% -jar "%2\java\javabins.jar" -o "%2\java\decompiled" > nul
100 | %zip% a -r  "%2\javasources.zip" "%CD%\%2\java\decompiled" >nul 
101 | del /F /S /Q "%2\java\bin" > nul
102 | 
103 | 


--------------------------------------------------------------------------------