{"id":18842650,"url":"https://github.com/k2/reloc","last_synced_at":"2026-01-30T22:30:15.148Z","repository":{"id":140561611,"uuid":"46999815","full_name":"K2/Reloc","owner":"K2","description":"Transform dumped executable memory back into an identical match from disk.  Use network or local database to de-locate relocated binaries and ensure a cryptographically secure hash match for code running on your legacy systems.  A client tool that downloads relocation data for various PE files.  This ensures when extracting data from memory dumps that you can match memory to disk files precisely. ","archived":false,"fork":false,"pushed_at":"2016-01-10T06:32:29.000Z","size":274,"stargazers_count":11,"open_issues_count":0,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-12-30T12:12:55.461Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/K2.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-27T21:23:48.000Z","updated_at":"2020-10-11T03:45:03.000Z","dependencies_parsed_at":"2023-03-17T12:55:44.579Z","dependency_job_id":null,"html_url":"https://github.com/K2/Reloc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/K2%2FReloc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/K2%2FReloc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/K2%2FReloc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/K2%2FRel
oc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/K2","download_url":"https://codeload.github.com/K2/Reloc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239780117,"owners_count":19695734,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T02:55:22.879Z","updated_at":"2026-01-30T22:30:15.103Z","avatar_url":"https://github.com/K2.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Reloc\nA client tool that interfaces with a server we host (thanks @IOActive) holding over 200000 fragments of relocation data\ncompiled from various PE files.  This ensures that when extracting data from memory dumps you can match memory to \ndisk files precisely. I've targeted [@dotnet/coreclr](https://github.com/dotnet/coreclr) and [@dotnet/wcf](https://github.com/dotnet/wcf) under the hood.\n\n## CORECLR\nThis code targets coreclr to maximize portability.  Most development has \ntaken place on Windows, so there is a little bit of testing that needs to be\ndone for Linux, OSX, FreeBSD, etc.  I'll likely be implementing some\nworkarounds for the WCF SOAP API calls to ensure an alternative mechanism\nis in place to contact the server.\n\n## TODO\nI'm done with this code for a while. 
I attached an example report from \nWinMerge for a binary dumped with Volatility, then block hashed in 512-byte\nblocks with Tiger-192 (the same as BlockWatch currently uses :).\n\n### Extract relocations from .pdb's as an alternative for MS files.\n\nAs you can see, Reloc enabled the dumped binary to match almost exactly.\n\nCompare the difference [without using Reloc](without-Reloc.htm) and [using Reloc](with-Reloc.htm).\n\n### Quick note to dumper writers\nIf you're using Reloc, make sure you validate the sections precisely so you're not accidentally\nmissing code due to alignment/code caves.\n\n\n~~Next will be a command for delocating a dumped binary.  That is, an image\nextracted from memory to disk (one-to-one) delocation so that any position\ndependent instructions/references are fixed (delocated) to their original\nvalues.  Null pages are accounted for since we cannot depend on a runtime\npage fault to cause all of a given binary to load.  This does add a bit of \ncomplexity to the DeLocate routine.  It's currently implemented unsafe since\nported from C, will be moving to safe soon.~~\n\nDelocation code is in place; however, it is only exposed to API callers, not the CLI.\n\nProgram.cs has a set of upcoming features; feel free to contact us or use \nGitHub to give us some requests.  If nobody else does it, I'll try to figure\nout some Python to integrate into @volatility.\n\n## Examples\n.NET coreclr restore/run like so:\n```\ndnu restore\ndnx [command] [args]\ndnx commands\nError: Unable to load application or execute command 'commands'. Available commands: Reloc, Extract.\n```\nNot all of our routines are optimized yet, but the async IO in coreclr\nseems to be doing really well; as you can see below, that is pretty\nrespectable performance for non-native code: _nearly 3500 reads/writes in less\nthan 13 seconds_. 
\n\n### Example: **dnx run Extract c:\\windows\\system32 d:\\temp\\test**\n```\nX:\\Reloc\\src\\Reloc\u003ednu restore\nMicrosoft .NET Development Utility CoreClr-x64-1.0.0-rc2-16249\n...\nWriting lock file X:\\Reloc\\src\\Reloc\\project.lock.json\nRestore complete, 2714ms elapsed\n\nX:\\Reloc\\src\\Reloc\u003ednx run Extract c:\\windows\\system32 d:\\temp\\test\nScanning folder c:\\windows\\system32 and saving relocs into d:\\temp\\test.\n...\nextracted relocs into d:\\temp\\test\\ztrace_maps.dll-180000000-564D22CC.reloc size 512\nprocessing time: 00:00:12.9261101\nCompiled 3493 new .reloc data fragments\n```\n\n### Example: DeLocate\nThis command string is a little out of control.  I'll add some switches to make it a bit\neasier or something ;).   Specifying \"dnvm exec default dnx \" is an alternative way to get\nthe runtime version you're looking for.\n\nDeLocate will attempt to automatically rebuild the complete executable on disk from memory.  The only differences\nshould be:\n   1) Data section: if anybody has an idea how to reverse the data, that will be interesting.\n   2) .reloc missing: it doesn't really matter, since you downloaded or captured the .reloc locally in the first place; you can \n      cat \u003e\u003e the reloc to the end of your new binary if you would like.\n   3) There may be some artifacts regarding the resources depending on the application specifics. I haven't looked at resource handling in a minute.\n\n```\ndnvm exec default dnx DeLocate d:dumped.msctf.dll d:msctf.dll-10000000-564D1E7B.reloc 77740000 d:delocated.msctf.dll False\n```\n\n### Example: **dnx Reloc True ntdll 51DA4B7D**\nAfter you clone into a directory:\n\n```\nc:\\git\u003egit clone https://github.com/ShaneK2/Reloc.git\nCloning into 'Reloc'...\nremote: Counting objects: 18, done.\nremote: Compressing objects: 100% (16/16), done.\nremote: Total 18 (delta 2), reused 13 (delta 1), pack-reused 0\nUnpacking objects: 100% (18/18), done.\nChecking connectivity... 
done.\n\nc:\\git\u003ecd Reloc\\src\\Reloc\n\nc:\\git\\Reloc\\src\\Reloc\u003ednu restore\n\nMicrosoft .NET Development Utility CoreClr-x64-1.0.0-rc2-16237\n\n  CACHE https://www.nuget.org/api/v2/\n  CACHE https://ci.appveyor.com/nuget/gemini-g84phgw340sm/\n  CACHE https://www.myget.org/F/aspnetvnext/api/v2/\n  CACHE https://www.myget.org/F/dotnet-core/api/v3/index.json\nRestoring packages for C:\\Temp\\testing\\Reloc\\src\\Reloc\\project.json\n  CACHE https://www.nuget.org/api/v2/FindPackagesById()?id='System.Reflection.TypeExtensions'\n  CACHE https://ci.appveyor.com/nuget/gemini-g84phgw340sm/FindPackagesById()?id='System.Reflection.TypeExtensions'\n  CACHE https://www.myget.org/F/aspnetvnext/api/v2/FindPackagesById()?id='System.Reflection.TypeExtensions'\n  CACHE https://www.myget.org/F/dotnet-core/api/v3/flatcontainer/system.reflection.typeextensions/index.json\nWriting lock file C:\\Temp\\testing\\Reloc\\src\\Reloc\\project.lock.json\nRestore complete, 973ms elapsed\n\nc:\\git\\Reloc\\src\\Reloc\u003ednx Reloc True ntdll 51DA4B7D\nContacting, dest file [ntdll-?####?-51DA4B7D.reloc.7z]: 64bit:True, Region(dll):ntdll, TimeDateStamp:51DA4B7D.\nDownloaded to NTDLL.DLL-78E50000-51DA4B7D.reloc.7z, size 905.\n\nc:\\git\\Reloc\\src\\Reloc\u003edir NTDLL.DLL-78E50000-51DA4B7D.reloc.7z\n \n Directory of \\git\\Reloc\\src\\Reloc\n\n11/27/2015  02:52 PM               905 NTDLL.DLL-78E50000-51DA4B7D.reloc.7z\n```\n\nSimply extract and use the data to establish high assurance in your forensics\nprocess.\n\n### Bugs\n  * Fixed 'em all ;)  \n  * ~~For some reason when the last word is written out (the buffers are being delocated) they do not appear back on disk. 
\n    Currently I modify the delocation buffer in place, so in the event you're not using disk files and call this method\n\tw/o hitting the disk we don't need to waste too much; it's probably a worthless micro-opt anyhow.~~\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk2%2Freloc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk2%2Freloc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk2%2Freloc/lists"}
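Worked example of the delocation step the README describes, added here as an illustration; it is not K2/Reloc's own code and not its CLI. It parses IMAGE_BASE_RELOCATION blocks, subtracts the loader's rebase delta (actual base minus preferred ImageBase) from every DIR64/HIGHLOW fixup in a dumped image, skips fixups that land in pages the dumper never got (the README's "null pages"), and then compares 512-byte block hashes against the on-disk image. SHA-256 stands in for the Tiger-192 the README mentions because `hashlib` has no Tiger; the two-page image, the bases, the fixup list and the absent page are all constructed for the demo.

```python
"""Delocate a memory-dumped PE image with its .reloc data, then block-hash it.

Added example, not K2/Reloc's code.  The Windows loader adds
(actual_base - preferred_base) to every pointer listed in the .reloc section;
subtracting that delta again makes the dumped code bytes match the file on
disk.  SHA-256 is used in place of Tiger-192 (hashlib lacks it); the image,
addresses, fixup list and "never paged in" page are constructed for the demo.
"""
import hashlib
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit pointer
IMAGE_REL_BASED_DIR64 = 10     # 64-bit pointer
PAGE = 0x1000


def parse_reloc(reloc):
    """Yield (rva, type) fixups from raw IMAGE_BASE_RELOCATION blocks."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8 or off + size > len(reloc):
            raise ValueError("bad SizeOfBlock at offset %#x" % off)
        for i in range((size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc, off + 8 + 2 * i)
            typ, low12 = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + low12, typ
        off += size


def build_reloc(fixups):
    """Inverse of parse_reloc; used here only to fabricate a .reloc for the demo."""
    by_page = {}
    for rva, typ in fixups:
        by_page.setdefault(rva & ~(PAGE - 1), []).append((rva & 0xFFF) | (typ << 12))
    out = bytearray()
    for page_rva in sorted(by_page):
        entries = by_page[page_rva]
        if len(entries) % 2:                 # keep each block DWORD-aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE)
        out += struct.pack("<II%dH" % len(entries), page_rva, 8 + 2 * len(entries), *entries)
    return bytes(out)


def shift(image, fixups, delta, absent_pages=frozenset()):
    """Add delta to every relocated pointer in place.

    delta > 0 mimics the loader, delta < 0 delocates.  Pages the dumper could
    not read are skipped: subtracting the delta from their zero bytes would
    only manufacture garbage and hide the fact that the page was absent.
    """
    for rva, typ in fixups:
        if (rva & ~(PAGE - 1)) in absent_pages:
            continue
        if typ == IMAGE_REL_BASED_DIR64:
            fmt, mask = "<Q", (1 << 64) - 1
        elif typ == IMAGE_REL_BASED_HIGHLOW:
            fmt, mask = "<I", (1 << 32) - 1
        else:
            raise ValueError("unsupported relocation type %d" % typ)
        (val,) = struct.unpack_from(fmt, image, rva)
        struct.pack_into(fmt, image, rva, (val + delta) & mask)
    return image


def delocate(dump, reloc, actual_base, preferred_base, absent_pages=frozenset()):
    """Return the dumped image rebased back to its on-disk ImageBase."""
    return bytes(shift(bytearray(dump), list(parse_reloc(reloc)),
                       preferred_base - actual_base, absent_pages))


def block_hashes(data, block=512):
    """Per-block digests, the granularity of the README's WinMerge comparison."""
    return [hashlib.sha256(data[i:i + block]).hexdigest() for i in range(0, len(data), block)]


def mismatched_blocks(reference, candidate):
    return [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]


def demo():
    """Two-page 64-bit image loaded away from its preferred base; page 2 never paged in."""
    preferred, actual = 0x180000000, 0x7FF812340000
    fixups = [(0x010, IMAGE_REL_BASED_DIR64), (0x200, IMAGE_REL_BASED_DIR64),
              (0x1008, IMAGE_REL_BASED_DIR64)]
    disk = bytearray(2 * PAGE)
    for rva, _ in fixups:                          # absolute pointers into the image itself
        struct.pack_into("<Q", disk, rva, preferred + 0x500 + rva)
    reloc = build_reloc(fixups)

    dump = shift(bytearray(disk), fixups, actual - preferred)   # what the loader produced
    dump[PAGE:] = bytes(PAGE)                                   # page 2 was never faulted in
    fixed = delocate(bytes(dump), reloc, actual, preferred, absent_pages={PAGE})

    ref = block_hashes(bytes(disk))
    return {
        "mismatch_without_reloc": mismatched_blocks(ref, block_hashes(bytes(dump))),
        "mismatch_with_reloc": mismatched_blocks(ref, block_hashes(fixed)),
        "absent_page_left_zero": fixed[PAGE:] == bytes(PAGE),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the effect the README's WinMerge reports illustrate: the raw dump mismatches every block that holds a rebased pointer plus the absent page, while the delocated copy mismatches only the absent page. A real dumper also has to get section boundaries right, as the README's note to dumper writers says; a fixup whose page is missing is a signal to record, not a byte range to patch.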