# MalNetLib
MalNetLib is a Python library for parsing PE files made with .NET (based on [dnlib](https://github.com/0xd4d/dnlib)).
## Installation
Install the library (available on [pypi.org](https://pypi.org/project/malnetlib/)):
```bash
$ python3 -m pip install malnetlib
```
Compile `dnlib.dll` (required for the project) :
```bash
# Debian
$ sudo apt install -y dotnet-sdk-6.0
# Arch
$ sudo pacman -S dotnet-sdk-6.0
$ git clone --depth=1 https://github.com/0xd4d/dnlib
$ cd dnlib
$ dotnet build
$ cd ..
$ cp ./dnlib/Examples/bin/Debug/net6.0/dnlib.dll .
$ rm -rf dnlib
```
## Examples
### NjRAT
> [NjRAT](https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat) is a remote access trojan (RAT).
You can use `malnetlib` to extract the configuration of NjRAT which is stored inside .NET class attributes. Here is an example with the a sample of [NjRAT](https://tria.ge/230101-1z3k8sfh8v) and the script [njrat_extractor.py](https://github.com/xanhacks/malnetlib/blob/main/examples/njrat_extractor.py) :
```python
pe = DotNetPE(args.sample)
ok_class = pe.get_object("OK")
njrat_conf = {
"host": ok_class.get_attribute("HH").get_value(),
"port": ok_class.get_attribute("P").get_value(),
"install_directory": "%" + ok_class.get_attribute("DR").get_value() + "%",
"install_name": ok_class.get_attribute("EXE").get_value(),
"startup": ok_class.get_attribute("sf").get_value(),
"campain_id": b64decode(ok_class.get_attribute("VN").get_value()).decode("UTF-8"),
"version": ok_class.get_attribute("VR").get_value(),
"network_separator": ok_class.get_attribute("Y").get_value(),
"mutex": ok_class.get_attribute("RG").get_value()
}
print(dumps(njrat_conf))
```
```json
{
"host": "2.tcp.eu.ngrok.io",
"port": "10008",
"install_directory": "%TEMP%",
"install_name": "server.exe",
"startup": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"campain_id": "HacKed",
"version": "im523",
"network_separator": "|'|'|",
"mutex": "25ffb1a66b4748fe7537df7005cc8e55"
}
```
### vw0rm
> [VJW0rm](https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm) (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm).
You can use `malnetlib` to list and extract .NET resources from a `vw0rm` dropper.
```python
>>> from malnetlib.models import DotNetPE
>>> pe = DotNetPE("30d64daeb3e69ea6dde202a9d519f6ee17614af6e505dd2e5788017c3be4abd8")
>>> resources = pe.get_resources()
>>> resources
[<Resource Windows_Task_Manager.Resources.resources 0x0>, <Resource Windows_Task_Manager.proccesing.resources 0x4806>]
>>> resources[0].save("/tmp/output.bin")
```
```vbs
>>> resources[0].read()
b'[...]On error resume next\r\n\r\nj = array("WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP")
\r\ng = array("HKCU","HKLM","HKCU\\vw0rm","\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","HKLM\\SOFTWARE\\Classes\\","REG_SZ","\\defaulticon\\")\r\ny=
array("winmgmts:","win32_logicaldisk","Win32_OperatingSystem","winmgmts:\\\\localhost\\root\\securitycenter","AntiVirusProduct")\r\n\r\nfunction go(m)\r\n
```
Raw data
{
"_id": null,
"home_page": "https://github.com/xanhacks/malnetlib",
"name": "malnetlib",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "dotnet,parser",
"author": "xanhacks",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/fd/e3/7a7fd1665e2e6ab05875563acd01bb74f33229b6608a14cae1dab0fb68eb/malnetlib-1.0.8.tar.gz",
"platform": null,
"description": "# MalNetLib\n\nMalNetLib is a Python library for parsing PE files made with .NET (based on [dnlib](https://github.com/0xd4d/dnlib)).\n\n## Installation\n\nInstall the library (available on [pypi.org](https://pypi.org/project/malnetlib/)):\n\n```bash\n$ python3 -m pip install malnetlib\n```\n\nCompile `dnlib.dll` (required for the project) :\n\n```bash\n# Debian\n$ sudo apt install -y dotnet-sdk-6.0\n# Arch\n$ sudo pacman -S dotnet-sdk-6.0\n\n$ git clone --depth=1 https://github.com/0xd4d/dnlib\n$ cd dnlib\n$ dotnet build\n$ cd ..\n$ cp ./dnlib/Examples/bin/Debug/net6.0/dnlib.dll .\n$ rm -rf dnlib\n```\n\n## Examples\n\n### NjRAT\n\n> [NjRAT](https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat) is a remote access trojan (RAT).\n\nYou can use `malnetlib` to extract the configuration of NjRAT which is stored inside .NET class attributes. Here is an example with the a sample of [NjRAT](https://tria.ge/230101-1z3k8sfh8v) and the script [njrat_extractor.py](https://github.com/xanhacks/malnetlib/blob/main/examples/njrat_extractor.py) :\n\n```python\npe = DotNetPE(args.sample)\nok_class = pe.get_object(\"OK\")\nnjrat_conf = {\n\t\"host\": ok_class.get_attribute(\"HH\").get_value(),\n\t\"port\": ok_class.get_attribute(\"P\").get_value(),\n\t\"install_directory\": \"%\" + ok_class.get_attribute(\"DR\").get_value() + \"%\",\n\t\"install_name\": ok_class.get_attribute(\"EXE\").get_value(),\n\t\"startup\": ok_class.get_attribute(\"sf\").get_value(),\n\t\"campain_id\": b64decode(ok_class.get_attribute(\"VN\").get_value()).decode(\"UTF-8\"),\n\t\"version\": ok_class.get_attribute(\"VR\").get_value(),\n\t\"network_separator\": ok_class.get_attribute(\"Y\").get_value(),\n\t\"mutex\": ok_class.get_attribute(\"RG\").get_value()\n}\nprint(dumps(njrat_conf))\n```\n\n```json\n{\n \"host\": \"2.tcp.eu.ngrok.io\",\n \"port\": \"10008\",\n \"install_directory\": \"%TEMP%\",\n \"install_name\": \"server.exe\",\n \"startup\": \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n \"campain_id\": \"HacKed\",\n \"version\": \"im523\",\n \"network_separator\": \"|'|'|\",\n \"mutex\": \"25ffb1a66b4748fe7537df7005cc8e55\"\n}\n```\n\n### vw0rm\n\n> [VJW0rm](https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm) (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm).\n\nYou can use `malnetlib` to list and extract .NET resources from a `vw0rm` dropper.\n\n```python\n>>> from malnetlib.models import DotNetPE\n>>> pe = DotNetPE(\"30d64daeb3e69ea6dde202a9d519f6ee17614af6e505dd2e5788017c3be4abd8\")\n>>> resources = pe.get_resources()\n>>> resources\n[<Resource Windows_Task_Manager.Resources.resources 0x0>, <Resource Windows_Task_Manager.proccesing.resources 0x4806>]\n>>> resources[0].save(\"/tmp/output.bin\")\n```\n\n```vbs\n>>> resources[0].read()\nb'[...]On error resume next\\r\\n\\r\\nj = array(\"WScript.Shell\",\"Scripting.FileSystemObject\",\"Shell.Application\",\"Microsoft.XMLHTTP\")\n\\r\\ng = array(\"HKCU\",\"HKLM\",\"HKCU\\\\vw0rm\",\"\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\"HKLM\\\\SOFTWARE\\\\Classes\\\\\",\"REG_SZ\",\"\\\\defaulticon\\\\\")\\r\\ny=\narray(\"winmgmts:\",\"win32_logicaldisk\",\"Win32_OperatingSystem\",\"winmgmts:\\\\\\\\localhost\\\\root\\\\securitycenter\",\"AntiVirusProduct\")\\r\\n\\r\\nfunction go(m)\\r\\n\n```\n\n",
"bugtrack_url": null,
"license": "",
"summary": "MalNetLib is a Python library for parsing PE files made with .NET",
"version": "1.0.8",
"split_keywords": [
"dotnet",
"parser"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "fde37a7fd1665e2e6ab05875563acd01bb74f33229b6608a14cae1dab0fb68eb",
"md5": "f82307c023db3c9b51cb6e9e645b2e3d",
"sha256": "08bab34bbe98d71d25b133429904d0f0721c9f29aba9e2a65943071974cb892d"
},
"downloads": -1,
"filename": "malnetlib-1.0.8.tar.gz",
"has_sig": false,
"md5_digest": "f82307c023db3c9b51cb6e9e645b2e3d",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 4627,
"upload_time": "2023-01-26T16:42:00",
"upload_time_iso_8601": "2023-01-26T16:42:00.896413Z",
"url": "https://files.pythonhosted.org/packages/fd/e3/7a7fd1665e2e6ab05875563acd01bb74f33229b6608a14cae1dab0fb68eb/malnetlib-1.0.8.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-01-26 16:42:00",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "xanhacks",
"github_project": "malnetlib",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "malnetlib"
}
JSON
