Created
April 12, 2019 20:21
-
-
Save olliencc/ec591a45d39b88a4dcb1489405809ebb to your computer and use it in GitHub Desktop.
How to scan for Windows binaries with the MINIDUMP_AUXILIARY_PROVIDER resource section
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Ollie Whitehouse | |
| # ollie.whitehouse [@] nccgroup.com | |
| # | |
| import os | |
| import pefile | |
| rootdirs = [ | |
| #"C:/Data/NCC/!Research/DUMPHELPER/test/t/" | |
| "C:/Windows/", | |
| "C:/Program Files/", | |
| "C:/Program Files (X86)/" | |
| ] | |
| for dir in rootdirs: | |
| for subdir, dirs, files in os.walk(dir): | |
| for file in files: | |
| try: | |
| myPE = pefile.PE(os.path.join(subdir, file)) | |
| # in part based on https://github.com/matonis/ripPE/blob/master/ripPE.py | |
| # but some fixes to get the names of the entries in the directories | |
| if hasattr(myPE, 'DIRECTORY_ENTRY_RESOURCE'): | |
| for resource_type in myPE.DIRECTORY_ENTRY_RESOURCE.entries: | |
| name = "" | |
| if resource_type.name is not None: | |
| name = resource_type.name | |
| # NOTE: the actual name is called 'MINIDUMP_AUXILIARY_PROVIDER' | |
| # https://github.com/dotnet/coreclr/tree/master/src/dlls/mscoree/coreclr | |
| # https://github.com/dotnet/coreclr/issues/10334 | |
| # https://github.com/dotnet/coreclr/blob/master/src/dlls/mscoree/coreclr/CMakeLists.txt | |
| # https://github.com/dotnet/coreclr/pull/10336 | |
| else: | |
| name = "1 - %s" % pefile.RESOURCE_TYPE.get(resource_type.struct.Id) | |
| if name == None: | |
| name = "2 - %d" % resource_type.struct.Id | |
| # print (os.path.join(subdir, file) + " " + name) | |
| if hasattr(resource_type, 'directory'): | |
| for resource_id in resource_type.directory.entries: | |
| name2 = "" | |
| if resource_id.name is not None: | |
| name2 = resource_id.name | |
| else: | |
| name2 = "%s" % pefile.RESOURCE_TYPE.get(resource_id.struct.Id) | |
| # print (os.path.join(subdir, file) + " 3 - " + str(name2)) | |
| if(str(name2) == "MINIDUMP_AUXILIARY_PROVIDER"): | |
| print (os.path.join(subdir, file) + " - " + str(name2)) | |
| #if hasattr(resource_id, 'directory'): | |
| # for resource_id2 in resource_type.directory.entries: | |
| # name3 = "" | |
| # | |
| # if resource_id2.name is not None: | |
| # name3 = resource_id2.name | |
| # else: | |
| # name3 = "%s" % pefile.RESOURCE_TYPE.get(resource_id2.struct.Id) | |
| # print (os.path.join(subdir, file) + " 4 - " + str(name3)) | |
| except: | |
| continue |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment