Back

Binrev- Automate Reversing Windows Binaries for Pentesters

September 9, 2013 | Khai Tran

I made a script to chain together some common tools to reverse-engineer Windows applications. It has come in handy for me in several situations when an application contains hundreds of assemblies written in native C, .NET or Java.

What you can do with this?

Static analysis: you can do a basic manual code review for decompiled sources to discover hidden communication channels, search for hard-coded passwords, or SQL injection vulnerabilities.
Import decompiled projects to an IDE to reconstruct and modify the original source code
Call hidden native exported functions with rundll32

Here is a rough description of what it does, and what tools it is using:

For exe, dll files:
- Detect and de-obfuscate for .NET libraries with de4dot
- Decompile .NET libraries with JustDecompile
- Zip decompiled source code to netsources.zip
- Run strings against native libraries
- Export call-able functions with dllexp. You can then try to run those functions with command Rundll32 <dll>,<function name>
- Export dependencies with depends
- Extract native resources with resourcesextract

For jar files:
- Extract and combine java classes into a single zip file
- Decompile java sources with procyon
- Zip decompiled source code to javasources.zip

Requirements

Usage

1. Configure the correct path to the installed tools in the script:

set justdecompile="JustDecompileJustDecompile" set dllexp="dllexpdllexp"
set peverify=”peverify”
set zip="7-Zip7z"
set strings="strings"
set de4dot=" de4dot-2.0.3de4dot"
set java7="C:Program Files (x86)Javajre7binjava"
set procyon="procyon-decompiler-0.5.7.jar"

2. Run

Binrev [Source folder] [Output folder]
Output
/java/decompiled: decompiled Java class files
/native: native win32 libraries
/native/resextract: native win32 resource files
/net/decompiled: decompiled .NET projects
/net/bin: .NET libraries and executables
/net/deobs: deobfuscated .NET libraries
/logs: strings on native libraries, exportable functions, dependencies, list of decompiled and native dlls
/other: unhandled file extensions

The script is available at https://github.com/NetSPI/binrev

Khai Tran

Recent Posts

                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/03-28-24_Azure-Site-Discovery_Feature-Image.jpg" alt="Elevating Privileges with Azure Site Recovery Services">												
                                                    
                                                            Technical BlogCloud Penetration Testing                                                        
March 28, 2024

                                                            Elevating Privileges with Azure Site Recovery Services
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Joshua-Murrell-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/03-20-24_Blockchain-Technical-Blog_Feature-Image.jpg" alt="Web2 Bugs in Web3 Systems">												
                                                    
                                                            Technical BlogBlockchain Penetration Testing                                                        
March 19, 2024

                                                            Web2 Bugs in Web3 Systems
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/2017/09/netspi-150x150.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/03-14-24_Azure-Deployment-Scripts_Karl_Feature-Image.jpg" alt="Azure Deployment Scripts: Assuming User-Assigned Managed Identities">												
                                                    
                                                            Technical BlogCloud Penetration Testing                                                        
March 14, 2024

                                                            Azure Deployment Scripts: Assuming User-Assigned Managed Identities
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Karl-Fosaaen_Web-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>

Name	Domain	Purpose	Expiry	Type
VISITOR_INFO1_LIVE	youtube.com	YouTube cookie.	6 months	HTTP
Test	test.com	Testing	7 days	HTTP

Featured

Binrev- Automate Reversing Windows Binaries for Pentesters

What you can do with this?

Requirements

Usage

Recent Posts

Elevating Privileges with Azure Site Recovery Services

Web2 Bugs in Web3 Systems

Azure Deployment Scripts: Assuming User-Assigned Managed Identities

Services

Resources

Company

Get in Touch