I made a script to chain together some common tools to reverse-engineer Windows applications. It has come in handy for me in several situations when an application contains hundreds of assemblies written in native C, .NET or Java.
What you can do with this?
- Static analysis: you can do a basic manual code review for decompiled sources to discover hidden communication channels, search for hard-coded passwords, or SQL injection vulnerabilities.
- Import decompiled projects to an IDE to reconstruct and modify the original source code
- Call hidden native exported functions with rundll32
Here is a rough description of what it does, and what tools it is using:
- For exe, dll files:
- Detect and de-obfuscate for .NET libraries with de4dot
- Decompile .NET libraries with JustDecompile
- Zip decompiled source code to netsources.zip
- Run strings against native libraries
- Export call-able functions with dllexp. You can then try to run those functions with command Rundll32 <dll>,<function name>
- Export dependencies with depends
- Extract native resources with resourcesextract
- For jar files:
- Extract and combine java classes into a single zip file
- Decompile java sources with procyon
- Zip decompiled source code to javasources.zip
Requirements
- .NET framework
- Peverify
- Java 7
- 7zip
- De4dot
- JustDecompile
- Dll Export Viewer
- Depends
- Resources Extract
- Procyon
Usage
1. Configure the correct path to the installed tools in the script:
set justdecompile="JustDecompileJustDecompile" set dllexp="dllexpdllexp" set peverify=”peverify” set zip="7-Zip7z" set strings="strings" set de4dot=" de4dot-2.0.3de4dot" set java7="C:Program Files (x86)Javajre7binjava" set procyon="procyon-decompiler-0.5.7.jar"
2. Run
Binrev [Source folder] [Output folder] Output /java/decompiled: decompiled Java class files /native: native win32 libraries /native/resextract: native win32 resource files /net/decompiled: decompiled .NET projects /net/bin: .NET libraries and executables /net/deobs: deobfuscated .NET libraries /logs: strings on native libraries, exportable functions, dependencies, list of decompiled and native dlls /other: unhandled file extensions
The script is available at https://github.com/NetSPI/binrev
Explore More Blog Posts
I’m Just Asking Questions: Social Engineering as a Reporter
Dive into this real-world social engineering assessment where a fake anonymous tip and an adversary-in-the-middle framework tested the limits of an organization's security policies.
Beyond the Hype: What Regulated Industries Need to Know Before Trusting AI Security Tooling
AI security tools can build an attack, but enterprise security teams in regulated industries need consistency, auditability, and predictable costs before they can trust one. Learn why the surrounding infrastructure is where most AI security vendors are still falling short.
Splunk Enterprise Unauthenticated Arbitrary File Operations/RCE (CVE-2026-20253): Overview and Takeaways
Splunk disclosed CVE-2026-20253 on June 10, 2026, affecting Splunk Enterprise versions in the 10.0.x and 10.2.x branches. The flaw stems from a PostgreSQL sidecar service endpoint that completely lacks authentication controls (CWE-306), allowing any network-reachable attacker to invoke arbitrary file creation or truncation operations without credentials.