Skip to content

malwarefrank/dnfile

Repository files navigation

dnfile

https://img.shields.io/pypi/dm/dnfile

Parse .NET executable files.

  • Free software: MIT license

Features

  • Parse as much as we can, even if the file is partially malformed.
  • Easy to use. Developed with IDE autocompletion in mind.

Quick Start

pip install dnfile

Then create a simple program that loads a .NET binary, parses it, and displays information about the streams and Metadata Tables.

import sys
import dnfile

filepath = sys.argv[1]

pe = dnfile.dnPE(filepath)
pe.print_info()

Everything is an object, and raw structure values are stored in an object's "struct" attribute. The CLR directory entry object is accessible from the "net" attribute of a dnPE object.

import dnfile
import hashlib

pe = dnfile.dnPE(FILEPATH)

# access the directory entry raw structure values
pe.net.struct

# access the metadata raw structure values
pe.net.metadata.struct

# access the streams
for s in pe.net.metadata.streams_list:
    if isinstance(s, dnfile.stream.MetaDataTables):
        # how many Metadata tables are defined in the binary?
        num_of_tables = len(s.tables_list)

# the last Metadata tables stream can also be accessed by a shortcut
num_of_tables = len(pe.net.mdtables.tables_list)

# create a set to hold the hashes of all resources
res_hash = set()
# access the resources
for r in pe.net.resources:
    # if resource data is a simple byte stream
    if isinstance(r.data, bytes):
        # hash it and add the hash to the set
        res_hash.add(hashlib.sha256(r.data).hexdigest())
    # if resource data is a ResourceSet, a dotnet-specific datatype
    elif isinstance(r.data, dnfile.resource.ResourceSet):
        # if there are no entries
        if not r.data.entries:
            # skip it
            continue
        # for each entry in the ResourceSet
        for entry in r.data.entries:
            # if it has data
            if entry.data:
                # hash it and add the hash to the set
                res_hash.add(hashlib.sha256(entry.data).hexdigest())

TODO

  • more tests
  • Documentation on readthedocs

Credits

This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.