0

I have a binary file with a serialized .NET object (stream) in it. I need to compile it back to a .NET assembly (maybe using the CodeDomProvider class or anything else).

Any pointer will be highly appreciated.

Thanks in Advance.

Dev.K.
  • 3
    deserialize object, that's it – Pranay Rana Jun 08 '18 at 11:38
  • 1
    The binary format produced is specific to the .NET Framework and it cannot be easily used from other systems or platforms. – Pranay Rana Jun 08 '18 at 11:43
  • 1
    need more help let me know – Pranay Rana Jun 08 '18 at 11:48
  • 2
    First of all, even if you were able to make something or find something that reads the file and constructs .NET types to match, it wouldn't be the original .NET types or anything similar to those. The file simply doesn't contain the code necessary, it only contains the data. This sounds like an X/Y problem, why don't you tell us the underlying problem for which your question seems like a good solution, perhaps we can help you with that instead? – Lasse V. Karlsen Jun 08 '18 at 11:52
  • Thanks all! I'm not a C# programmer at all. I need to do this as a tiny part of a big project and I chose to do it with C#. I'm trying to do this so that I can pass this assembly to a decompiler and get the class structure. Any code example would be really helpful. – Dev.K. Jun 08 '18 at 12:06
  • A serialized object contains the data and information about the type, but not the code for a class, so you can not compile it into an assembly. You can however deserialize it with the BinaryFormatter class. – Ferdinand Swaters Jun 08 '18 at 12:21

2 Answers

2

There is no guarantee that it is possible to deserialize a BinaryFormatter serialized object (BinaryFormatter is the .NET-included binary serializer... and it is considered to be quite "evil") to the source code that generated it. Simple example:

[Serializable]
public class MyClass
{
    public DateTime Foo { get; private set; }

    public MyClass()
    {
        Foo = DateTime.Now;
    }
}

There is no way in C# to write a MyClass object with a specific Foo value unless you are using reflection. You can't write:

var bar = new MyClass { Foo = new DateTime(2018, 1, 1) };

because there is no setter for Foo.

Specific cases (where there are no private fields and, if there are setters, they are all setters that only set the value of the backing field without doing extra elaboration) can be converted to C# assignments.

What it is possible to do (but in general it is a bad idea with BinaryFormatter, because it doesn't handle very well changes to the underlying types) is include the binary file as an embedded resource (see this) and then read the file:

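using System.IO;
using System.Reflection;
using System.Runtime.Serialization.Formatters.Binary;

var assembly = Assembly.GetExecutingAssembly();
// Resource name: default namespace, then folder, then file name
var resourceName = "ConsoleApp2.Folder1.File1.bin";

MyClass mc;

// GetManifestResourceStream returns null if the resource name does not match
using (Stream stream = assembly.GetManifestResourceStream(resourceName))
{
    var bf = new BinaryFormatter();
    mc = (MyClass)bf.Deserialize(stream);
}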

Note that this is a very very bad idea, because if anything changes in the underlying types (even some private fields), everything will break badly.

xanatos
  • Thanks! I have some idea now. Now let's get straight to the point. In this code https://github.com/Cn33liz/MacroMeter/blob/master/MacroMeter.vba the variable serialized_obj is holding a serialized stream. Is there any way I can figure out the logic embedded inside it? – Dev.K. Jun 08 '18 at 13:00
  • @Dev.K. 1. It seems to be something quite "illegal", 2. The first lines of the linked page describe perfectly what *CSharp Meterpreter Stager* is, so you can google directly its source code. 3. Even decoding the data you showed won't give you anything. It does an `Assembly.Load(byte[])` with a binary payload of a `byte[]` that you would then have to save and decompile. – xanatos Jun 08 '18 at 13:53
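
As the comments and the answer above say, a BinaryFormatter stream carries type and member names plus data, but no code. The following added example (not from the answers or from any project linked on this page) reads those names from the first class record with BinaryReader, following the MS-NRBF record layout, and never calls BinaryFormatter.Deserialize. The NrbfTriage class, the sample bytes and the ConsoleApp2 names are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

static class NrbfTriage
{
    // Reads the first class record of an MS-NRBF stream as plain bytes; no type from the stream is loaded.
    public static (string Library, string Class, List<string> Members) Inspect(Stream s)
    {
        var r = new BinaryReader(s);   // ReadString decodes NRBF's 7-bit length-prefixed UTF-8 strings
        if (r.ReadByte() != 0) throw new InvalidDataException("missing SerializedStreamHeader");
        r.ReadInt32(); r.ReadInt32();  // RootId, HeaderId
        if (r.ReadInt32() != 1 || r.ReadInt32() != 0) throw new InvalidDataException("bad version");
        var libs = new Dictionary<int, string>();
        byte rec;
        while ((rec = r.ReadByte()) == 12) { int id = r.ReadInt32(); libs[id] = r.ReadString(); } // BinaryLibrary
        if (rec < 2 || rec > 5) throw new InvalidDataException("record type " + rec + " not handled here");
        r.ReadInt32();                 // ObjectId
        string cls = r.ReadString();
        int n = r.ReadInt32();
        if (n < 0 || n > 4096) throw new InvalidDataException("implausible member count");
        var members = new List<string>();
        for (int i = 0; i < n; i++) members.Add(r.ReadString());
        if (rec >= 4)                  // "...AndTypes" records: skip MemberTypeInfo
        {
            foreach (byte k in r.ReadBytes(n))            // one BinaryTypeEnum per member, then the extras
            {
                if (k == 0 || k == 7) r.ReadByte();       // Primitive / PrimitiveArray: PrimitiveTypeEnum
                else if (k == 3) r.ReadString();          // SystemClass: type name
                else if (k == 4) { r.ReadString(); r.ReadInt32(); } // Class: type name + LibraryId
            }
        }
        string lib = "(system library)";                  // records 2 and 4 carry no LibraryId
        if (rec == 3 || rec == 5) lib = libs.TryGetValue(r.ReadInt32(), out var v) ? v : "(unknown library)";
        return (lib, cls, members);
    }
    static void Main()
    {
        // Constructed sample shaped like MyClass above; the ConsoleApp2 names are assumptions.
        var ms = new MemoryStream(); var w = new BinaryWriter(ms);
        w.Write((byte)0); w.Write(1); w.Write(-1); w.Write(1); w.Write(0);           // stream header
        w.Write((byte)12); w.Write(2); w.Write("ConsoleApp2, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null");
        w.Write((byte)5); w.Write(1); w.Write("ConsoleApp2.MyClass"); w.Write(1); w.Write("<Foo>k__BackingField");
        w.Write((byte)0); w.Write((byte)13); w.Write(2); w.Write(0L); w.Write((byte)11); // Primitive DateTime, LibraryId, value, MessageEnd
        w.Flush(); ms.Position = 0;
        var (lib, cls, members) = Inspect(ms);
        Console.WriteLine("{0} [{1}] members: {2}", cls, lib, string.Join(", ", members));
    }
}
```

The names it reports say which types a deserializer would be asked to instantiate; any assembly bytes sit inside the data records and still have to be extracted and decompiled separately.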
0

I've done it using a tool called ClrGuard. https://github.com/endgameinc/ClrGuard. It will capture the .NET assembly as it tries to execute and dump it to disk. Then we can load it with ILSpy or any other .NET decompiler.

ClrGuard will hook into all .NET processes on the system. From there, it performs an in-line hook of the native LoadImage() function. This is what Assembly.Load() calls under the CLR hood.

Reference: https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks

Dev.K.