dnfile icon indicating copy to clipboard operation
dnfile copied to clipboard
verified publisher icon malwarefrank

Request to add additional resource type support

Open R3MRUM opened this issue 3 years ago • 1 comments

Requesting that you add the ability to parse BMP images stored as entries within the .NET resources.

Sample: https://www.virustotal.com/gui/file/0a5dc3b6669cf31e8536c59fe1315918eb4ecfd87998445e2eeb8fed64bd2f2c

dnfile properly identified the resource names and types but the data property is NoneType. Attached is the output from the following code:

pe = dnfile.dnPE(filepath)
for r in pe.net.resources:
    if r.name == “20a87df82283.Resources.resources”:
        for entry in r.data.entries:
            print(f”{r.name}: {entry.name} - {type(entry.data)}“)
            print(entry.__dict__)
            print(entry.struct.__dict__)

image

I know that the open-source project dnSpy does an excellent job of parsing this resource type from .NET executables so maybe some of that logic can be ported into this project.

https://github.com/dnSpyEx/dnSpy

https://github.com/dnSpyEx/dnSpy/blob/master/Extensions/dnSpy.BamlDecompiler/Baml/KnownTypes.cs

https://github.com/dnSpy/dnSpy/blob/2b6dcfaf602fb8ca6462b8b6237fdfc0c74ad994/dnSpy/dnSpy.Contracts.DnSpy/Documents/TreeView/Resources/SerializedImageListStreamerUtilities.cs#L45-L63

https://github.com/dnSpy/dnSpy/blob/2b6dcfaf602fb8ca6462b8b6237fdfc0c74ad994/dnSpy/dnSpy.Contracts.DnSpy/Documents/TreeView/Resources/SerializedImageListStreamerUtilities.cs#L73-L98

Could possibly use this code to dramatically increate support for other types at the same time.

R3MRUM avatar May 18 '22 18:05 R3MRUM

dnSpyEx is using .NET-specific deserializers, so we would still have to figure out how to implement it in Python. I am looking into System.Drawing.Bitmap, but this may take a while

malwarefrank avatar Jun 07 '22 02:06 malwarefrank