MalNetLib is a Python library for parsing PE files made with .NET
Project description
MalNetLib
MalNetLib is a Python library for parsing PE files made with .NET (based on dnlib).
Installation
Install the project :
$ git clone https://github.com/xanhacks/malnetlib
$ cd malnetlib
$ python3 -m pip install -r requirements.txt
Compile dnlib.dll
(required for the project) :
# Debian
$ sudo apt install -y dotnet-sdk-6.0
# Arch
$ sudo pacman -S dotnet-sdk-6.0
$ git clone --depth=1 https://github.com/0xd4d/dnlib
$ cd dnlib
$ dotnet build
$ cd ..
$ cp ./dnlib/Examples/bin/Debug/net6.0/dnlib.dll .
$ rm -rf dnlib
Examples
NjRAT
NJRat is a remote access trojan (RAT). You can use malnetlib
to extract the configuration of NjRAT which is stored inside .NET class attributes.
Here is an example with the a sample of NjRAT and the script njrat_extractor.py :
$ python3 njrat_extractor.py -h
usage: njrat_extractor.py [-h] sample
positional arguments:
sample Path to the sample file.
options:
-h, --help show this help message and exit
$ python3 njrat_extractor.py a04136fe0299b81fe404d9e5257c34e7.exe | jq
{
"host": "2.tcp.eu.ngrok.io",
"port": "10008",
"install_directory": "%TEMP%",
"install_name": "server.exe",
"startup": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"campain_id": "HacKed",
"version": "im523",
"network_separator": "|'|'|",
"mutex": "25ffb1a66b4748fe7537df7005cc8e55"
}
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
malnetlib-1.0.0.tar.gz
(3.0 kB
view hashes)