27 Şubat 2020 Perşembe

ILSpy - Decompiling .Net Core self-contained single file exe

Using ILSpy, if you try to decompile a .net core single-file self-contained exe, you will get an error like:

PE file does not contain any managed metadata.




Googling the issue, I found that this is because the single-file exe is an unmanaged wrapper.  ILSpy (as of version 6.0.0) does not support decompiling this.

But I found a way...

I opened the exe using windbg:
- Launch windbg.
- Select File > Open executable...
- Select the exe.

It will launch the exe and attach itself as a debugger.  You should be able to see the assemblies being loaded.  Initially, windbg will break immediately. Use the 'g' command so that it will continue execution of the program. It should continue and load more assemblies.

Here comes the interesting part...











































The .net core assembly that I'm trying to decompile is 'ConsoleApp11.dll' and it looks like it's being loaded from a temp folder.  Apparently, the wrapper exe unwraps its contents to a temp folder and executes the .net core dll from that location.  So, can I go to that temp folder and decompile the unwrapped dlls?  Looks like, Yes!

When I take a look at that location, I see my dll:




And now, I can use ILSpy to decompile that dll:



I was initially using windbg here, because I needed more details when trying to understand what the exe was doing. Now that I know how the single-file exe works, I don't need to use windbg in the future if I just need to know the location of the temp folder.  I could use any other app that shows the assemblies loaded by an exe, like SysInternals Process Explorer (procexp) or Process Monitor (procmon).

Hiç yorum yok:

Yorum Gönder