securisec, 3 years ago
Python Question

Is there a way to check if an exe is dot NET with python pefile?

I am trying to write a simple python script; preferably with pefile that can tell me if an exe or dll file is compiled .NET. I know that I can look for the string 'BSJB' to see if the program was written in .NET, but I am trying to do this in a more pythonic manner than using grep and strings. Running pefile.PE('my.exe').dump_info() gives me some great info, but not enough to pinpoint if it is in fact dot Net or what version of dot Net.

Thanks!

Answer Source

You can identify a .NET assembly by checking if IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is filled in (that is, its VirtualAddress and Size are not zero). The name of that entry is confusing, but it is the one used for .NET metadata; see Names of PE directories.

If you need the required framework version for the assembly, then you'll have to parse the metadata structure yourself; pefile doesn't seem to support that. If you can do that, then according to http://www.ntcore.com/files/dotnetformat.htm you'll find fields there called MajorRuntimeVersion and MinorRuntimeVersion, although I'm not sure how those should be interpreted.
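The check described in the answer, as an added example that is not part of the original answer: it uses only the standard library `struct` module instead of pefile (with pefile the same entry is `pe.OPTIONAL_HEADER.DATA_DIRECTORY[14]`). It goes one step further and reads the version string from the 'BSJB' metadata root as laid out in ECMA-335; `clr_info` and `build_sample` are hypothetical names, and the sample image is constructed for the demo.

```python
import struct

COM_DESCRIPTOR = 14  # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the data directory

def clr_info(data):
    """None for a native PE, else (MajorRuntimeVersion, MinorRuntimeVersion, metadata version)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, optsize = struct.unpack_from("<H12xH", data, pe + 6)  # from the COFF header
    opt = pe + 24                                                # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)                 # PE32+ vs PE32 layout
    count = struct.unpack_from("<I", data, dirs - 4)[0]          # NumberOfRvaAndSizes
    if count <= COM_DESCRIPTOR:
        return None
    rva, size = struct.unpack_from("<II", data, dirs + 8 * COM_DESCRIPTOR)
    if rva == 0 or size == 0:
        return None                                              # entry empty: not .NET

    def offset(addr):
        # Map an RVA to a file offset through the section table.
        for i in range(nsec):
            vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, opt + optsize + 40 * i + 8)
            if va <= addr < va + max(vsize, rawsize):
                return addr - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % addr)

    # CLR header: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData RVA, ...
    major, minor, md_rva = struct.unpack_from("<HHI", data, offset(rva) + 4)
    md = offset(md_rva)
    if data[md:md + 4] != b"BSJB":
        raise ValueError("metadata root signature missing")
    length = struct.unpack_from("<I", data, md + 12)[0]
    return major, minor, data[md + 16:md + 16 + length].split(b"\0")[0].decode("ascii")

def build_sample(dotnet):
    """Constructed minimal PE32 image (headers and one section), for this demo only."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 1, 0xE0, 0x2102)
    struct.pack_into("<H", img, 0x98, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, 0xF4, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    if dotnet:
        struct.pack_into("<II", img, 0x168, 0x2000, 72)          # COM descriptor entry
        struct.pack_into("<IHHII", img, 0x200, 72, 2, 5, 0x2048, 28)
        struct.pack_into("<4sHHII12s", img, 0x248, b"BSJB", 1, 1, 0, 12, b"v4.0.30319")
    return bytes(img)
```

For a file on disk, pass its bytes: `clr_info(open(path, "rb").read())`.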
