Revrider
06-15-2009, 07:47 AM
Can anyone recommend a tool that will reconstruct a valid EXE/DLL from a memory dump that I can then use with normal ILDASM kind of tools to disassemble?
I'm sort of after a tool that can scan an arbitrary file and attempt to find dotnet executable stuff/sections and piece together and fixup what it can.
I can see the "BSJB" magic number and also the "_CorExeMain\0mscoree.dll\0" sequence which is often at the end of the .text segment. I can even see what looks like a valid (but empty .reloc) section immediately after the end of (my guess at) the .text section.
There will also be a .rsrc section in there somewhere, but I've never needed to reveng it from a dump manually before. Is there an MS specification on it? Any magic numbers to look for?
I also see "beefcace" magic number a lot prefixing chunks of (small, ~80 bytes) stuff (dotnet XML like strings).
Thanks