├── .gitignore
├── LICENSE
├── README.md
├── getnetguids.py
└── setup.py


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Byte-compiled / optimized / DLL files
 2 | __pycache__/
 3 | *.py[cod]
 4 | 
 5 | .idea
 6 | 
 7 | # C extensions
 8 | *.so
 9 | 
10 | # Distribution / packaging
11 | .Python
12 | env/
13 | build/
14 | develop-eggs/
15 | dist/
16 | downloads/
17 | eggs/
18 | lib/
19 | lib64/
20 | parts/
21 | sdist/
22 | var/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 | 
27 | # PyInstaller
28 | #  Usually these files are written by a python script from a template
29 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
30 | *.manifest
31 | *.spec
32 | 
33 | # Installer logs
34 | pip-log.txt
35 | pip-delete-this-directory.txt
36 | 
37 | # Unit test / coverage reports
38 | htmlcov/
39 | .tox/
40 | .coverage
41 | .cache
42 | nosetests.xml
43 | coverage.xml
44 | 
45 | # Translations
46 | *.mo
47 | *.pot
48 | 
49 | # Django stuff:
50 | *.log
51 | 
52 | # Sphinx documentation
53 | docs/_build/
54 | 
55 | # PyBuilder
56 | target/
57 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 CylanceSPEAR
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # GetNETGUIDs
 2 | 
 3 | A tool to extract GUIDs from .NET assemblies to help identify the projects they belong to.
 4 | 
 5 | http://blog.cylance.com/you-me-and-.net-guids
 6 | 
 7 | ## Help Menu
 8 | 
 9 | ```
10 | $ getnetguids -h
11 | usage: getnetguids [-h] [-v] [-r] [-c] [path [path ...]]
12 | 
13 | Extracts Typelib IDs and MVIDs from .NET assemblies.
14 | 
15 | positional arguments:
16 |   path             Paths to files or directories to scan
17 | 
18 | optional arguments:
19 |   -h, --help       show this help message and exit
20 |   -v, --version    show program's version number and exit
21 |   -r, --recursive  Scan paths recursively
22 |   -c, --csv        Save to CSV
23 | 
24 | getnetguids v1.4.2 by Brian Wallace (@botnet_hunter)
25 | 
26 | ```
27 | 


--------------------------------------------------------------------------------
/getnetguids.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python2
  2 | import pefile
  3 | import struct
  4 | import re
  5 | import datetime
  6 | import csv
  7 | import hashlib
  8 | 
  9 | guid_regex = re.compile("[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}")
 10 | 
 11 | 
 12 | def format_guid_from_hex(hex_string):
 13 |     first = hex_string[6:8] + hex_string[4:6] + hex_string[2:4] + hex_string[:2]
 14 |     second = hex_string[10:12] + hex_string[8:10]
 15 |     third = hex_string[14:16] + hex_string[12:14]
 16 |     return "{0}-{1}-{2}-{3}-{4}".format(first, second, third, hex_string[16:20], hex_string[20:])
 17 | 
 18 | 
 19 | def read_blob(blob):
 20 |     if len(blob) == 0:
 21 |         return ""
 22 |     first_byte = ord(blob[0])
 23 |     if first_byte & 0x80 == 0:
 24 |         # easy one
 25 |         raw_string = blob[1:][:first_byte]
 26 |         length_determined_string = raw_string[2:][:-2]
 27 |         if len(length_determined_string) != 0:
 28 |             return length_determined_string[1:]
 29 |         return length_determined_string
 30 |     # Our string is not very long
 31 |     return ""
 32 | 
 33 | 
 34 | def is_dot_net_assembly(pe):
 35 |     return pe.OPTIONAL_HEADER.DATA_DIRECTORY[14].VirtualAddress != 0
 36 | 
 37 | 
 38 | def get_assembly_guids(assembly_path):
 39 |     try:
 40 |         try:
 41 |             pe = pefile.PE(assembly_path)
 42 | 
 43 |             txt_start = None
 44 |             txt_end = None
 45 |             for section in pe.sections:
 46 |                 if section.Name.startswith(".text\x00"):
 47 |                     txt_start = section.PointerToRawData
 48 |                     txt_end = txt_start + section.SizeOfRawData
 49 |         except pefile.PEFormatError:
 50 |             return None
 51 |         if not is_dot_net_assembly(pe):
 52 |             return None
 53 |             
 54 |         #Compile TimeDateStamp
 55 |         try:
 56 |             compiled = get_compiletime(pe)
 57 |         except Exception:
 58 |             compiled = "Error"
 59 | 
 60 |         # Removed strict parsing and opted for simple searching method to support malformed assemblies
 61 |         with open(assembly_path, "rb") as assembly_file_handler:
 62 |             file_data = assembly_file_handler.read()
 63 | 
 64 |         text_section = file_data[txt_start:][:txt_end]
 65 | 
 66 | 
 67 |         mdo = pe.get_offset_from_rva(struct.unpack("<IHHI", text_section[8:][:12])[-1])
 68 | 
 69 |         if mdo < txt_start:
 70 |             offsets_to_test = [mdo]
 71 |         else:
 72 |             offsets_to_test = [mdo - txt_start]
 73 | 
 74 |         offsets_to_test.extend([l.start() for l in re.finditer("\x42\x53\x4a\x42", text_section)][::-1])
 75 | 
 76 |         del file_data
 77 | 
 78 |         for i_offset in offsets_to_test:
 79 |             i = text_section[i_offset:]
 80 |             try:
 81 |                 if "\x42\x53\x4a\x42" not in i:
 82 |                     continue
 83 |                 if not i.startswith("\x42\x53\x4a\x42"):
 84 |                     continue
 85 |                 meta_data_offset = i.find("\x42\x53\x4a\x42")
 86 |                 clr_version_length = struct.unpack("<I", i[meta_data_offset + 12:meta_data_offset + 16])[0]
 87 |                 try:
 88 |                     stream_count = struct.unpack("<H", i[meta_data_offset + clr_version_length +
 89 |                                                          18:meta_data_offset + clr_version_length + 20])[0]
 90 |                 except struct.error:
 91 |                     continue
 92 |                 current_offset = meta_data_offset + clr_version_length + 20
 93 |                 heaps = {}
 94 |                 for c in xrange(stream_count):
 95 |                     offset = struct.unpack("<I", i[current_offset:current_offset + 4])[0]
 96 |                     size = struct.unpack("<I", i[current_offset + 4:current_offset + 8])[0]
 97 |                     current_offset += 8
 98 |                     name = ""
 99 |                     while "\x00" not in name:
100 |                         name += i[current_offset:current_offset + 4]
101 |                         current_offset += 4
102 |                     name = name.strip("\x00")
103 |                     # print "{0} at {1}, {2} bytes".format(name, offset, size)
104 |                     heaps[name] = i[meta_data_offset + offset:meta_data_offset + offset + size]
105 |                     # if len(heaps[name]) != size:
106 |                     #    raise
107 | 
108 |                 try:
109 |                     extracted_mvid = format_guid_from_hex(heaps["#GUID"][:16].encode("hex"))
110 |                 except KeyError:
111 |                     return {}
112 | 
113 |                 tilde = heaps["#~"]
114 | 
115 |                 if tilde is not None:
116 |                     # print "Reserved: {0}".format([tilde[0:4]])
117 |                     # print "Major: {0}".format([tilde[4:5]])
118 |                     # print "Minor: {0}".format([tilde[5:6]])
119 | 
120 |                     # print "Heap offset indication: {0}".format([tilde[6:7]])
121 |                     strings_heap_index_length = 2 if ord(tilde[6:7]) & 0x01 == 0x00 else 4
122 |                     guid_heap_index_length = 2 if ord(tilde[6:7]) & 0x02 == 0x00 else 4
123 |                     blob_heap_index_length = 2 if ord(tilde[6:7]) & 0x04 == 0x00 else 4
124 | 
125 |                     # print "Reserved 0x01: {0}".format([tilde[7:8]])
126 |                     # print "Table list: {0}".format([tilde[8:16]])
127 | 
128 |                     tables_present = [x == "1" for x in bin(struct.unpack("<Q", tilde[8:16])[0])[2:][::-1]]
129 |                     # tables_present_count = len([a for a in tables_present if a])
130 |                     # print "Tables present count: {0}".format(tables_present_count)
131 | 
132 |                     # print "Which tables are sorted list: {0}".format([tilde[16:24]])
133 | 
134 |                     row_counts = [0] * 64
135 |                     t_offset = 24
136 |                     for index in xrange(len(tables_present)):
137 |                         if index < len(tables_present) and tables_present[index]:
138 |                             row_counts[index] = struct.unpack("<I", tilde[t_offset:t_offset + 4])[0]
139 |                             t_offset += 4
140 | 
141 |                     has_custom_attribute_tables = [
142 |                         0x06, 0x04, 0x01, 0x02, 0x08, 0x09, 0x0A, 0x00,
143 |                         0x0E, # Permission aka DeclSecurity (typo in the spec)
144 |                         0x17, 0x14, 0x11, 0x1A, 0x1B, 0x20, 0x23, 0x26,
145 |                         0x27, 0x2A, 0x2C, 0x2B
146 |                     ]
147 |                     custom_attribute_type_tables = [0x06, 0x0A]
148 |                     resolution_scope_tables = [0x00, 0x1A, 0x23, 0x01]
149 |                     type_def_or_ref_tables = [0x02, 0x01, 0x1B]
150 |                     member_ref_tables = [0x02, 0x01, 0x1A, 0x06, 0x1B]
151 | 
152 |                     big_has_custom_attribute = any([row_counts[x] >= 2**(16 - 5) for x in has_custom_attribute_tables])
153 |                     big_custom_attribute_type = any([row_counts[x] >= 2**(16 - 3) for x in custom_attribute_type_tables])
154 |                     big_resolution_scope = any([row_counts[x] >= 2**(16 - 2) for x in resolution_scope_tables])
155 |                     big_type_def_or_ref = any([row_counts[x] >= 2**(16 - 2) for x in type_def_or_ref_tables])
156 |                     big_member_ref_parent = any([row_counts[x] >= 2**(16 - 3) for x in member_ref_tables])
157 | 
158 |                     # Build row length for each type up to CustomAttr
159 |                     row_type_widths = [
160 |                         # 0x00 Module = Generation (2 bytes) + Name (String heap index) + Mvid (Guid heap index) +
161 |                         # EncId (Guid heap index) + EncBaseId (Guid heap index)
162 |                         2 + strings_heap_index_length + (guid_heap_index_length * 3),
163 | 
164 |                         # 0x01 TypeRef = ResolutionScope (ResolutionScope index) + TypeName (String heap) +
165 |                         # TypeNamespace (String heap)
166 |                         (4 if big_resolution_scope else 2) + (strings_heap_index_length * 2),
167 |                         # 0x02 TypeDef = Flags(2 bytes) + TypeName(String heap index) +TypeNamespace(String heap index)+
168 |                         # Extends (TypeDefOrRef index) + FieldList (index into field table) +
169 |                         # MethodList (index into MethodDef table) + ?
170 |                         8 + (4 if big_type_def_or_ref else 2) + (strings_heap_index_length * 2),
171 |                         0,  # 0x03 None
172 |                         # 0x04 Field = Flags (2 bytes) + Name (String heap index) + Signature (Blob heap index)
173 |                         2 + strings_heap_index_length + blob_heap_index_length,
174 |                         0,  # 0x05 None
175 |                         # 0x06 MethodDef = RVA(4 bytes) + ImplFlags(2 bytes) + Flags(2 bytes) + Name(String heap index)+
176 |                         # Signature (Blob heap index) + ParamList (index to param table)
177 |                         10 + strings_heap_index_length + blob_heap_index_length,
178 |                         0,  # 0x07 None
179 |                         # 0x08 Param = Flags (2 bytes) + Sequence (2 bytes) + Name (String heap index)
180 |                         4 + strings_heap_index_length,
181 |                         # 0x09 InterfaceImpl = Class (TypeDef index) + Interface (TypeDefOrRef index)
182 |                         2 + (4 if big_type_def_or_ref else 2),
183 |                         # 0x0a MemberRef = Class(MemberRefParent) + Name(String heap index) + Signature(Blob heap index)
184 |                         (4 if big_member_ref_parent else 2) + strings_heap_index_length + blob_heap_index_length,
185 |                         # 0x0b Constant = Type (?) + Parent + Value (Blob heap index)
186 |                         4 + blob_heap_index_length,
187 |                         # 0x0c CustomAttr = Parent + Type (CustomAttributeType) + Value (Blob heap index)
188 |                         (4 if big_has_custom_attribute else 2) + (4 if big_custom_attribute_type else 2) + blob_heap_index_length,
189 |                         # Don't care about the rest
190 |                     ]
191 | 
192 |                     for index in xrange(0x0c):
193 |                         t_offset += row_type_widths[index] * row_counts[index]
194 | 
195 |                     for index in xrange(row_counts[0x0c]):
196 |                         # In the most strict interpretation, a typelib id is expressed as a
197 |                         # GuidAttribute on the current assembly.
198 |                         # To check that it's actually a GuidAttribute we'd have to support parsing
199 |                         # .NET signatures, so it's safer to assume a MemberRef attribute owned by a
200 |                         # TypeRef on an AssemblyRow with a value matching a guid is PROBABLY the typelib id
201 | 
202 |                         row_offset = t_offset
203 | 
204 |                         if big_has_custom_attribute:
205 |                             parent_index = struct.unpack("<I", tilde[row_offset:row_offset + 4])[0]
206 |                             row_offset += 4
207 |                         else:
208 |                             parent_index = struct.unpack("<H", tilde[row_offset:row_offset + 2])[0]
209 |                             row_offset += 2
210 | 
211 |                         if big_custom_attribute_type:
212 |                             type_index = struct.unpack("<I", tilde[row_offset:row_offset + 4])[0]
213 |                             row_offset += 4
214 |                         else:
215 |                             type_index = struct.unpack("<H", tilde[row_offset:row_offset + 2])[0]
216 |                             row_offset += 2
217 | 
218 |                         parent_index_table = parent_index & 0x1f
219 |                         type_index_table = type_index & 0x07
220 | 
221 |                         # We only really care if the parent is an Assembly and the attribute is constructed
222 |                         # using a MemberRef. MemberRef because a MethodDef is never going to be used for a
223 |                         # GuidAttribute. This is because GuidAttribute is from mscorlib, so always an external
224 |                         # assembly, so always reached via TypeRef/MemberRef.
225 |                         if parent_index_table == 0x0e and type_index_table == 0x03:
226 |                             if blob_heap_index_length == 2:
227 |                                 blob_index = struct.unpack("<H", tilde[row_offset:row_offset + 2])[0]
228 |                                 row_offset += 2
229 |                             else:
230 |                                 blob_index = struct.unpack("<I", tilde[row_offset:row_offset + 4])[0]
231 |                                 row_offset += 4
232 | 
233 |                             data_value = read_blob(heaps["#Blob"][blob_index:])
234 |                             if guid_regex.match(data_value):
235 |                                 return {"mvid": extracted_mvid.lower(), "typelib_id": data_value.lower(), "compiled": compiled}
236 |                         t_offset += row_type_widths[0x0c]
237 |                     return {"mvid": extracted_mvid.lower(), "compiled": compiled}
238 |             except KeyboardInterrupt:
239 |                 raise
240 |             except:
241 |                 pass
242 |     except KeyboardInterrupt:
243 |         raise
244 |     except:
245 |         return {}
246 |     return {}
247 | 
248 | 
249 | if __name__ == "__main__":
250 |     from argparse import ArgumentParser
251 | 
252 |     version = "1.4.2"
253 | 
254 |     parser = ArgumentParser(
255 |         prog=__file__,
256 |         description="Extracts Typelib IDs and MVIDs from .NET assemblies.",
257 |         version="%(prog)s v" + version + " by Brian Wallace (@botnet_hunter)",
258 |         epilog="%(prog)s v" + version + " by Brian Wallace (@botnet_hunter)"
259 |     )
260 |     parser.add_argument('path', metavar='path', type=str, nargs='*', default=[],
261 |                         help="Paths to files or directories to scan")
262 |     parser.add_argument('-r', '--recursive', default=False, required=False, action='store_true',
263 |                         help="Scan paths recursively")
264 |     parser.add_argument('-c', '--csv', default=False, required=False, action='store_true',
265 |                         help="Save to CSV")
266 | 
267 |     args = parser.parse_args()
268 | 
269 |     if args.path is None or len(args.path) == 0:
270 |         if not args.stdin:
271 |             parser.print_help()
272 |             exit()
273 | 
274 |     from os.path import isfile, isdir, join, abspath
275 |     from glob import iglob
276 | 
277 |     def scan_paths(paths, recursive):
278 |         while len(paths) != 0:
279 |             temporary_file_path = abspath(paths[0])
280 |             del paths[0]
281 |             if isfile(temporary_file_path):
282 |                 yield temporary_file_path, get_assembly_guids(temporary_file_path)
283 |             elif isdir(temporary_file_path):
284 |                 for p in iglob(join(temporary_file_path, "*")):
285 |                     p = join(temporary_file_path, p)
286 |                     if isdir(p) and recursive:
287 |                         paths.append(p)
288 |                     if isfile(p):
289 |                         yield p, get_assembly_guids(p)
290 |     def get_compiletime(pe):
291 |         return datetime.datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp)
292 |         
293 |     if args.csv:
294 |         theCSV = open('out.csv', 'wt')
295 |         writer=csv.writer(theCSV)
296 |         writer.writerow(('TYPELIB', 'MVID', 'HASH', 'COMPILED', 'PATH'))
297 |     else:
298 |         print "{0}\t\t\t\t\t{1}\t\t\t\t\t{2}\t\t\t\t\t{3}\t\t{4}".format('TYPELIB', 'MVID', 'HASH', 'COMPILED', 'PATH')
299 |     
300 |     for file_path, result in scan_paths(args.path, args.recursive):
301 |         if result is None:
302 |             continue
303 |         try:
304 |             typelib_id = result["typelib_id"]
305 |         except KeyError:
306 |             typelib_id = "None\t\t\t\t"
307 |         try:
308 |             mvid = result["mvid"]
309 |         except KeyError:
310 |             # Potentially should log these results as they should at least have an MVID
311 |             continue
312 |         try:
313 |             compiled = result["compiled"]
314 |         except KeyError:
315 |             compiled = "None\t\t\t\t\t"
316 |             
317 |         with open(file_path, 'rb') as f:
318 |             s = hashlib.sha256(f.read()).hexdigest()
319 |             
320 |         if args.csv:
321 |             writer.writerow((typelib_id, mvid, s, compiled, file_path))
322 |         else:
323 |             print "{0}\t{1}\t{2}\t{3}\t{4}".format(typelib_id, mvid, s, compiled, file_path)
324 |             
325 |     if args.csv:        
326 |         theCSV.close()
327 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | 
 3 | from distutils.core import setup
 4 | 
 5 | setup(name='getnetguids',
 6 |       version='1.4.2',
 7 |       description='Extracts Typelib IDs and MVIDs from .NET assemblies.',
 8 |       author='Brian Wallace',
 9 |       url='https://github.com/bwall/getnetguids',
10 |       py_modules=['getnetguids'],
11 |       scripts=['getnetguids.py'],
12 |       install_requires=['pefile', 'argparse'],
13 |      )
14 | 


--------------------------------------------------------------------------------