#1
Can anyone recommend a tool that will reconstruct a valid EXE/DLL from a memory dump that I can then use with normal ILDASM kind of tools to disassemble?
I'm sort of after a tool that can scan an arbitrary file and attempt to find dotnet executable stuff/sections and piece together and fix up what it can. I can see the "BSJB" magic number and also the "_CorExeMain\0mscoree.dll\0" sequence which is often at the end of the .text segment. I can even see what looks like a valid (but empty .reloc) section immediately after the end of (my guess at) the .text section. There will also be a .rsrc section in there somewhere but I've never needed to reveng it from a dump manually before, is there an MS specification on it? Any magic numbers to look for? I also see "beefcace" magic number a lot prefixing chunks of (small, ~80 bytes) stuff (dotnet XML like strings). Thanks
#2
You are looking for a generic code extraction tool of dumped assemblies. IMHO there is no such tool so far. Depending on the protection you need to extract the code in a different way. The first step could be to use tools like "DotNet Id" to detect the corresponding protection.
FJ
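
Added example, not part of either post: a Python sketch of the signature scan the first post describes, finding "BSJB" in an arbitrary dump and validating each hit by parsing the CLI metadata root and its stream headers as laid out in ECMA-335 Partition II (24.2.1). The function names and the sample buffer are constructed for this example; it only locates and sanity-checks metadata, it does not rebuild a PE file.

```python
import struct

MAGIC = b"BSJB"  # CLI metadata root signature (ECMA-335 II.24.2.1)

def parse_root(buf, off):
    """Parse a metadata root at off; return None if the header is implausible."""
    try:
        sig, _major, _minor, _res, vlen = struct.unpack_from("<4sHHII", buf, off)
        if sig != MAGIC or not 4 <= vlen <= 256 or vlen % 4:
            return None
        pos = off + 16
        version = buf[pos:pos + vlen].split(b"\0", 1)[0].decode("ascii")
        pos += vlen
        _flags, nstreams = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if not version or not version.isprintable() or not 1 <= nstreams <= 16:
            return None
        streams = []
        for _ in range(nstreams):
            s_off, s_size = struct.unpack_from("<II", buf, pos)
            end = buf.index(b"\0", pos + 8, pos + 8 + 32)  # names are <= 32 bytes
            streams.append((buf[pos + 8:end].decode("ascii"), s_off, s_size))
            pos += 8 + ((end - pos - 8 + 1 + 3) & ~3)  # name is NUL-padded to 4 bytes
    except (struct.error, ValueError):  # truncated data, missing NUL, non-ASCII
        return None
    return {"offset": off, "version": version, "streams": streams,
            "size": max(o + s for _, o, s in streams)}  # extent relative to offset

def scan(buf):
    """Return every plausible metadata root found in an arbitrary byte buffer."""
    hits, pos = [], buf.find(MAGIC)
    while pos != -1:
        root = parse_root(buf, pos)
        if root:
            hits.append(root)
        pos = buf.find(MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed input: junk, a stray 'BSJB' string, then one valid root."""
    ver = b"v4.0.30319\0\0"  # 12 bytes, NUL-padded to a multiple of 4
    root = struct.pack("<4sHHII", MAGIC, 1, 1, 0, len(ver)) + ver
    root += struct.pack("<HH", 0, 2)
    root += struct.pack("<II", 0x3C, 0x100) + b"#~\0\0"
    root += struct.pack("<II", 0x13C, 0x80) + b"#Strings\0\0\0\0"
    return b"\xcc" * 37 + b"BSJB is not a header" + b"\0" * 11 + root + b"\0" * 0x200

if __name__ == "__main__":
    for r in scan(build_sample()):
        print(hex(r["offset"]), r["version"], r["streams"], hex(r["size"]))
```

Stream offsets are relative to the metadata root, so `offset + size` gives the span to carve from the dump for each hit.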