Binrev - Automate Reversing Windows Binaries For Pentesters

Binrev script to chain together tools to reverse-engineer Windows applications

Binrev is a script for reverse-engineering Windows applications.

It can do the following:
  • Static analysis: a basic manual code review of the decompiled sources to discover hidden communication channels, hard-coded passwords, or SQL injection vulnerabilities.
  • Import decompiled projects to an IDE to reconstruct and modify the original source code
  • Call hidden native exported functions with rundll32

Here is a rough description of what it does and which tools it uses:

For exe, dll files:
  • Detect and de-obfuscate for .NET libraries with de4dot
  • Decompile .NET libraries with JustDecompile
  • Zip decompiled source code to netsources.zip
  • Run strings against native libraries
  • List exported (callable) functions with dllexp. You can then try to run those functions with the command Rundll32 ,
  • Export dependencies with depends
  • Extract native resources with resourcesextract

For jar files:
  • Extract and combine java classes into a single zip file
  • Decompile java sources with procyon
  • Zip decompiled source code to javasources.zip
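As an added illustration (not Binrev's own code, which is a Windows batch script), the following Python shows the triage step that decides which of the chains above a file belongs to: .jar files go to the Java chain, .exe/.dll files are parsed just far enough to read the CLR runtime data directory in the PE optional header (a non-zero entry means a .NET assembly, so de4dot and JustDecompile; otherwise the native chain with strings, dllexp, depends and resourcesextract), and every other extension lands in /other. The sample PE headers are constructed inline for the demonstration and are not loadable binaries; the tool names are the ones the post lists.

```python
"""Triage files into the Binrev-style pipelines: .NET, native, Java or other.

Constructed example; it parses only the PE fields needed to tell a .NET
assembly from a native binary and does not run any of the tools.
"""
import struct
from typing import Dict, List

# Data-directory index of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR).
COM_DESCRIPTOR_INDEX = 14
IMAGE_FILE_DLL = 0x2000

# Tool chains as described in the post, keyed by the classification below.
PIPELINES: Dict[str, List[str]] = {
    "dotnet": ["de4dot", "JustDecompile", "zip -> netsources.zip"],
    "native": ["strings", "dllexp", "depends", "resourcesextract"],
    "java": ["extract classes", "procyon", "zip -> javasources.zip"],
    "other": [],
}


def pe_info(data: bytes) -> dict:
    """Parse the DOS header, PE signature and optional header.

    Returns {"is_pe": bool, "is_dotnet": bool, "is_dll": bool}; a malformed
    or truncated header yields is_pe == False rather than an exception.
    """
    info = {"is_pe": False, "is_dotnet": False, "is_dll": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if size_opt < 2 or opt + size_opt > len(data):
        return info
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: NumberOfRvaAndSizes @92, directories @96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+: NumberOfRvaAndSizes @108, directories @112
        ndirs_off, dirs_off = 108, 112
    else:
        return info
    info["is_pe"] = True
    info["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    if size_opt < ndirs_off + 4:
        return info
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    if ndirs > COM_DESCRIPTOR_INDEX:
        entry = opt + dirs_off + 8 * COM_DESCRIPTOR_INDEX
        if entry + 8 <= opt + size_opt:
            rva, size = struct.unpack_from("<II", data, entry)
            info["is_dotnet"] = rva != 0 and size != 0
    return info


def classify(filename: str, data: bytes) -> str:
    """Map a file to one of the PIPELINES keys, as the post's folder layout does."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "jar":
        return "java"
    if ext in ("exe", "dll"):
        info = pe_info(data)
        if info["is_pe"]:
            return "dotnet" if info["is_dotnet"] else "native"
    return "other"


def plan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return the tool chain to run for each file in a source folder."""
    return {name: PIPELINES[classify(name, data)] for name, data in files.items()}


def build_sample_pe(dotnet: bool, pe32plus: bool = False, dll: bool = False) -> bytes:
    """Construct a tiny PE header (DOS stub + COFF + optional header) for demonstration.

    The result is not a loadable binary; the CLR directory RVA/size are placeholders.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt_size = dirs_off + 8 * 16            # 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, ndirs_off, 16)
    if dotnet:
        struct.pack_into("<II", opt, dirs_off + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    machine = 0x8664 if pe32plus else 0x14C
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed source folder: one .NET exe, one native dll, one jar, one stray file.
    folder = {
        "app.exe": build_sample_pe(dotnet=True),
        "helper.dll": build_sample_pe(dotnet=False, dll=True),
        "lib.jar": b"PK\x03\x04",
        "readme.txt": b"notes",
    }
    for name, chain in plan(folder).items():
        print(f"{name:12s} -> {chain or ['/other']}")
```

The same check is what de4dot-style tooling does internally before it touches a file; doing it up front keeps native binaries out of the .NET decompiler and lets the /logs listing of decompiled versus native DLLs be produced without running every tool on every file.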

Requirements:

Usage:

1. Configure the correct path to the installed tools in the script:
set justdecompile="JustDecompile\JustDecompile"
set dllexp="dllexp\dllexp"
set peverify="peverify"
set zip="7-Zip\7z"
set strings="strings"
set de4dot="de4dot-2.0.3\de4dot"
set java7="C:\Program Files (x86)\Java\jre7\bin\java"
set procyon="procyon-decompiler-0.5.7.jar"

2. Run
Binrev [Source folder] [Output folder]

Output:

  • /java/decompiled: decompiled Java class files
  • /native: native win32 libraries
  • /native/resextract: native win32 resource files
  • /net/decompiled: decompiled .NET projects
  • /net/bin: .NET libraries and executables
  • /net/deobs: deobfuscated .NET libraries
  • /logs: strings on native libraries, exportable functions, dependencies, list of decompiled and native dlls
  • /other: unhandled file extensions
