GithubHelp home page GithubHelp logo

redquantum / get-pdinvokeimports Goto Github PK

View Code? Open in Web Editor NEW

This project forked from dump-guy/get-pdinvokeimports

0.0 0.0 0.0 3.93 MB

Get-PDInvokeImports is tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke usage in assembly. Showing all locations from where they are referenced and Exports all to DnSpy_Bookmarks.xml

PowerShell 100.00%

get-pdinvokeimports's Introduction

Get-PDInvokeImports

Description:

Get-PDInvokeImports is tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke usage in assembly. Showing all locations from where they are referenced and Exports all to DnSpy_Bookmarks.xml

This PS module could be useful and helpful during reversing .NET assemblies for fast revealing calls to unmanaged API functions used in assembly. Sometimes malware assemblies are full of junk code where the main functionality is implemented by direct WIN API or NTAPI calls.
Get-PDInvokeImports enables you to get fast overview what P/Invoke, Dynamic P/Invoke and D/Invoke are used in assembly - It will show you what functions are used + MDTokens, where are declared, and all location where are used from code.
It enables to export all locations where are detected P/Invoke, Dynamic P/Invoke and D/Invoke referenced from code to DnSpy Bookmarks.xml

Example: Imagine 1MB assembly full of junk code + CF obfuscation where main functionality is reached via unmanaged WinAPI\NTAPI calls.

This PS module is written in PowerShell and is fully compatible with Windows PowerShell (.NET Framework) and PowerShell Core (based on .NET, .NET Core). It uses dnlib to parse assembly and .NET reflection to load dnlib. Dnlib is available for .NET framework and .NET standard - simply means that one can use this PS module depending on dnlib on Windows and also Linux OS.

What is P/Invoke, Dynamic P/Invoke and D/Invoke?

Well very briefly said these are possible implementation how one can call unmanaged code from managed (simplified – can be used to call directly WinAPI/NTAPI from .NET)
Some of them are easier to implement, some of them are better avoiding AV detection and hooking.

More information:

P/Invoke - [PInvoke]
D/Invoke - [DInvoke]
Dynamic P/Invoke - [Dynamic PInvoke]

Installation:

[Releases] contains already compiled dnlib for specified platform + script Get-PDInvokeImports.ps1.
Windows – Download [release] (Use from Windows PowerShell or PowerShell Core)
Linux – Download [release] (Use from PowerShell Core)

If needed - compile dnlib on your own (Windows – .NET Framework, Linux-netstandard)

Usage:

Video: [YouTube]

[PARAMETER] -PathToAssembly

Mandatory parameter.
Specifies the Assembly path to scan.

[PARAMETER] -PathToDnlib

Optional parameter.
System Path to dnlib.dll.

If PowerShell is running from the location of dnlib.dll - this parameter could be ignored otherwise specify this parameter.

[PARAMETER] -ExportDnSpyBookmarks

Optional parameter.
Used to export all detected P/Invoke, Dynamic P/Invoke and D/Invoke locations referenced from code to DnSpy Bookmarks XML file (DnSpy_Bookmarks.xml)

Similar to DnSpy-Analyze-UsedBy (Nice overview where all PInvoke and DInvoke are used in whole code)

So it is possible to import it to DnSpy via Bookmarks Window (DnSpy -> View -> Bookmarks -> Bookmark Window -> Import bookmarks from file -> select DnSpy_Bookmarks.xml)

[EXAMPLES]

PS> Import-Module .\Get-PDInvokeImports.ps1
PS> Get-PDInvokeImports -PathToAssembly 'C:\testfiles\malware.exe'
PS> Get-PDInvokeImports -PathToAssembly .\malware.exe –ExportDnSpyBookmarks
PS> Get-PDInvokeImports -PathToAssembly 'C:\testfiles\malware.exe' -PathToDnlib "C:\dnlib.dll" –ExportDnSpyBookmarks

Linux Examples:

Windows Examples:

Remarks

Detection should be robust enough to defeat some common obfuscations..
Tested with most common obfuscators like SmartAssembly, ConfuserEx etc.

Detection internals: P/Invoke is detected via PinvokeImpl attribute which has to be always presented.
D/Invoke is detected via "UnmanagedFunctionPointerAttribute" attribute and "CallingConvention" (This could be defeated under certain circumstances – but I leave it for RedTeam imagination (I will beat you anyway)
Dynamic P/Invoke detection is based on finding methodX referencing DefinePInvokeMethod() + all methodsY referencing methodX.

Dependecies:

[dnlib] (.NET metadata reader/writer which can also read obfuscated assemblies)
[DnSpyEx - optional]

get-pdinvokeimports's People

Contributors

dump-guy avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.