Is there a way to check if an exe is dot NET with python pefile?

Question:

I am trying to write a simple Python script, preferably with pefile, that can tell me if an exe or dll file is compiled .NET. I know that I can look for the string 'BSJB' to see if the program was written in .NET, but I am trying to do this in a more Pythonic manner than using grep and strings. Running pefile.PE('my.exe').dump_info() gives me some great info, but not enough to pinpoint if it is in fact .NET or what version of .NET.

Thanks!

Asked By: securisec


Answers:

You can identify a .NET assembly by checking if IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is filled in (that is, its VirtualAddress and Size are not zero). The name of that entry is confusing, but it is the one used for .NET metadata; see Names of PE directories.

If you need the required framework version for the assembly, then you’ll have to parse the metadata structure yourself; pefile doesn’t seem to support that. If you can do that, then according to http://www.ntcore.com/files/dotnetformat.htm you’ll find fields there called MajorRuntimeVersion and MinorRuntimeVersion, although I’m not sure how those should be interpreted.

Answered By: DrGoldfire

Final code ended up being:

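import pefile
class colors: RED, BLUE = '\033[91m', '\033[94m'  # ANSI codes; stand-in for the helper not shown in the post

pe = pefile.PE('my.exe')
# Index 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the .NET (CLR) header entry
isDotNet = pe.OPTIONAL_HEADER.DATA_DIRECTORY[14]
if isDotNet.VirtualAddress == 0 and isDotNet.Size == 0:
    print(colors.RED + 'Not a .NET executable')
else:
    print(colors.BLUE + 'Is a .NET executable')

Answered By: securisec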

I don’t think that checking for the .NET Size is a good one, for example, Mono doesn’t care about .NET Size – it can be zero. 🙂

I think checking for the virtual address is enough.

Answered By: sunnamed
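
The checks discussed in the answers above, combined in an added example that is not code from any of the posters: it tests only the VirtualAddress of data directory 14, then reads MajorRuntimeVersion/MinorRuntimeVersion from the CLR header and the version string that follows the `BSJB` signature in the metadata root. The name `clr_info` is hypothetical, and the field offsets are taken from the ECMA-335 layout rather than from this page.

```python
import struct

COM_DESCRIPTOR = 14  # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def clr_info(pe):
    """Return None for a native image, else a dict of CLR version fields.

    `pe` is a pefile.PE object, or anything exposing the same
    OPTIONAL_HEADER.DATA_DIRECTORY list and get_data(rva, length) method.
    """
    dirs = pe.OPTIONAL_HEADER.DATA_DIRECTORY
    if len(dirs) <= COM_DESCRIPTOR:       # NumberOfRvaAndSizes too small
        return None
    entry = dirs[COM_DESCRIPTOR]
    if entry.VirtualAddress == 0:         # Size is ignored: it may be zero
        return None

    # IMAGE_COR20_HEADER starts: cb, MajorRuntimeVersion,
    # MinorRuntimeVersion, then the MetaData directory (RVA, Size).
    hdr = pe.get_data(entry.VirtualAddress, 16)
    if len(hdr) < 16:
        return None
    _cb, major, minor, md_rva, _md_size = struct.unpack("<IHHII", hdr)
    info = {"header_version": (major, minor), "metadata_version": None}

    # Metadata root: "BSJB", major, minor, reserved, length, version string.
    root = pe.get_data(md_rva, 16)
    if len(root) == 16 and root[:4] == b"BSJB":
        (length,) = struct.unpack("<I", root[12:16])
        if 0 < length <= 255:             # ECMA-335 caps the string at 255
            raw = pe.get_data(md_rva + 16, length)
            info["metadata_version"] = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    return info


if __name__ == "__main__":
    import sys
    import pefile                         # third-party: pip install pefile

    for path in sys.argv[1:]:
        try:
            pe = pefile.PE(path, fast_load=True)
            print(path, clr_info(pe) or "not a .NET assembly")
        except pefile.PEFormatError as exc:   # not a PE, or RVA not mapped
            print(path, "unreadable:", exc)
```

The `metadata_version` string (for example `v4.0.30319`) names the CLR the assembly was built against, while `header_version` is the version of the CLR header format itself.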