Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/audibleblink/ino

In 'n Out - See what goes in and comes out of PEs

binary-analysis reverse-engineering winapi

Last synced: 3 months ago

README

# In 'n Out

Parse and return PE information

```bash
ino -v comsvcs.dll
```

```json
{
  "Name": "",
  "Path": "",
  "Type": "",
  "Imphash": "",
  "Imports": [{
    "Host": "",
    "Functions": ["", ...]
  }],
  "Exports": ["", ...],
  "Forwards": ["", ...],
  "PDB": "",
  "Sections": [{
    "Name": "",
    "Perm": "",
    "FileOffset": int,
    "VMA": int,
    "Size": int
  }]
}
```

If compiled as a Windows EXE, there will be an additional property:

```json
"DACL": {
"Owner": "",
"Group": "",
"Aces": {
"Principal": "",
"Rights": ["", ...]
}
}
```
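The `Imphash` field above is the standard import hash: the MD5 of the module's imports, listed in import-table order as `host.function`, lowercased, with the `.dll`/`.ocx`/`.sys` extension stripped from the host name. The following is an added example (not part of the ino project) that recomputes that hash from an ino-shaped record so the reported value can be cross-checked; the record is constructed, not real `comsvcs.dll` output, and the ordinal-to-name mapping the reference algorithm applies for a few system DLLs is omitted.

```python
import hashlib

# Constructed sample in ino's JSON shape (hypothetical module, not real output).
# "Imphash" is left blank here because the sample was not produced by ino.
SAMPLE = {
    "Name": "sample.dll",
    "Path": "C:\\Windows\\System32\\sample.dll",
    "Type": "dll",
    "Imphash": "",
    "Imports": [
        {"Host": "KERNEL32.dll", "Functions": ["GetProcAddress", "LoadLibraryA"]},
        {"Host": "ADVAPI32.dll", "Functions": ["RegOpenKeyExW"]},
    ],
    "Exports": ["DllMain"],
    "Forwards": [],
    "PDB": "",
    "Sections": [
        {"Name": ".text", "Perm": "", "FileOffset": 1024, "VMA": 4096, "Size": 8192},
    ],
}

# Extensions the import-hash algorithm drops from the host module name.
IMPHASH_STRIP = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Build the comma-separated 'host.function' list the hash is taken over.

    Order matters: the list follows the import table exactly as the PE lists it,
    which is why two builds with the same imports in a different order hash differently.
    """
    parts = []
    for entry in imports:
        host = entry["Host"].lower()
        for ext in IMPHASH_STRIP:
            if host.endswith(ext):
                host = host[: -len(ext)]
                break
        for func in entry["Functions"]:
            parts.append(f"{host}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the import string (same construction as pefile's get_imphash)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def check_record(record):
    """Recompute the import hash and report whether it matches the value in the record.

    Returns (computed_hash, matches) so a caller can flag records whose reported
    Imphash disagrees with the import table, e.g. after a tool upgrade changed the
    field name or the computation.
    """
    computed = imphash(record.get("Imports", []))
    reported = record.get("Imphash", "").lower()
    return computed, reported == computed


if __name__ == "__main__":
    computed, ok = check_record(SAMPLE)
    print(f"{SAMPLE['Name']}: imphash={computed} matches_reported={ok}")
```

Modules with no imports hash the empty string, so an empty `Imports` list yields a fixed, well-known value that is not useful for clustering; treat such records separately.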

```
Usage of ino:
  -def string
        Print a .def file for a matching dll
        Ex: ino -def dbghelp.dll teams.exe
  -dir string
        Directory to recurse
  -exports
        Print Exports only
  -forwards
        Print Forwards only
  -imphash
        Print ImpHash only
  -imports
        Print Imports only
  -type string
        Use with --dir. Get [exe|dll]
  -v    Print additional fields
```

### Cypher / Neo4j

### Creating the Dataset

```bash
ino -dir /windows/system32 -type dll > sys32.dll.json
ino -dir /windows/system32 -type exe > sys32.exe.json
```

### Importing the Dataset to Neo4j

> The below queries are for an old version of the JSON output. They remain as notes for me to reference.

```cypher
CALL apoc.load.json("file:///sys32_dll.json")
YIELD value AS dllData
MERGE (dll:DLL {name: dllData.Name, complete: false})
SET dll.exports = dllData.Exports
SET dll.path = dllData.Path
SET dll.imphash = dllData.ImpHash
SET dll.complete = true

WITH dll, dllData UNWIND dllData.Imports AS import
MERGE (dll1:DLL {name: import.Host})
FOREACH (i in CASE WHEN dll1.complete THEN [] ELSE [1] END |
SET dll1.complete = false)
WITH dll, dll1, import, dllData UNWIND import.Functions as func
MERGE (dll)-[:IMPORTS {fn: func}]->(dll1)

WITH dll, dllData UNWIND dllData.Forwards AS fwd
MERGE (dll3:DLL {name: fwd.Host})
FOREACH (i in CASE WHEN dll3.complete THEN [] ELSE [1] END |
SET dll3.complete = false)
WITH dll, dll3, fwd UNWIND fwd.Functions as func
MERGE (dll)-[:FORWARDS {fn: func}]->(dll3)
```

```cypher
CALL apoc.load.json("file:///sys32_exe.json")
YIELD value AS exeData
MERGE (exe:EXE {name: exeData.Name, path: exeData.Path, imphash: exeData.ImpHash})
SET exe.exports = exeData.Exports

WITH exe, exeData UNWIND exeData.Imports AS import
MERGE (dll:DLL {name: import.Host})
FOREACH (i in CASE WHEN dll.complete THEN [] ELSE [1] END |
SET dll.complete = false)
WITH dll, exe, import, exeData UNWIND import.Functions as func
MERGE (exe)-[:IMPORTS {fn: func}]->(dll)

WITH exe, exeData UNWIND exeData.Forwards AS fwd
MERGE (dll2:DLL {name: fwd.Host})
FOREACH (i in CASE WHEN dll2.complete THEN [] ELSE [1] END |
SET dll2.complete = false)
WITH dll2, exe, fwd UNWIND fwd.Functions as func
MERGE (exe)-[:FORWARDS {fn: func}]->(dll2)
```
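The two Cypher queries above build one graph: each parsed module becomes a node, each `Imports` entry an `IMPORTS` edge and each `Forwards` entry a `FORWARDS` edge, and a host that is only referenced (never parsed) is kept with `complete: false`. The following is an added example, not part of the ino project, that builds the same graph in memory from ino-shaped records so the resulting questions (which modules import a function, what a binary transitively depends on, which referenced hosts were never scanned) can be answered without Neo4j. The records are constructed with hypothetical module names; one detail the example adds that the Cypher does not is case-folding of module names, since `MERGE` on the raw `Name`/`Host` strings would create separate nodes for `KERNEL32.dll` and `kernel32.dll`.

```python
# Constructed records in ino's JSON shape (hypothetical modules, not System32 data).
RECORDS = [
    {"Name": "a.exe", "Type": "exe",
     "Imports": [{"Host": "B.DLL", "Functions": ["Init"]}],
     "Forwards": []},
    {"Name": "b.dll", "Type": "dll",
     "Imports": [{"Host": "c.dll", "Functions": ["Core", "Core"]}],
     "Forwards": [{"Host": "d.dll", "Functions": ["Compat"]}]},
    {"Name": "c.dll", "Type": "dll", "Imports": [], "Forwards": []},
]


class ModuleGraph:
    """In-memory equivalent of the DLL/EXE graph the Cypher queries create."""

    def __init__(self):
        # name -> True if the module itself was parsed, False if only referenced
        # (mirrors the `complete` property the Cypher sets on DLL nodes).
        self.complete = {}
        # (src, kind, fn, dst) tuples; a set so repeated edges collapse like MERGE.
        self.edges = set()

    @staticmethod
    def norm(name):
        # Windows resolves module names case-insensitively; fold them so one node per DLL.
        return name.lower()

    def add_record(self, rec):
        name = self.norm(rec["Name"])
        self.complete[name] = True
        for kind, key in (("IMPORTS", "Imports"), ("FORWARDS", "Forwards")):
            for entry in rec.get(key, []):
                host = self.norm(entry["Host"])
                # Referenced-but-unparsed hosts get a node flagged incomplete.
                self.complete.setdefault(host, False)
                for fn in entry["Functions"]:
                    self.edges.add((name, kind, fn, host))

    def unresolved_hosts(self):
        """Modules referenced by an import/forward but absent from the scanned set."""
        return sorted(n for n, parsed in self.complete.items() if not parsed)

    def importers_of(self, fn):
        """Modules that import a function with this exact name from any host."""
        return sorted({src for src, kind, f, _ in self.edges if kind == "IMPORTS" and f == fn})

    def transitive_deps(self, name):
        """Every module reachable from `name` over IMPORTS and FORWARDS edges."""
        start = self.norm(name)
        seen, stack = set(), [start]
        while stack:
            cur = stack.pop()
            for src, _, _, dst in self.edges:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return sorted(seen)


def build_graph(records):
    graph = ModuleGraph()
    for rec in records:
        graph.add_record(rec)
    return graph


if __name__ == "__main__":
    g = build_graph(RECORDS)
    print("unresolved hosts:", g.unresolved_hosts())
    print("importers of Core:", g.importers_of("Core"))
    print("a.exe depends on:", g.transitive_deps("a.exe"))
```

When running this over real `ino -dir` output, an entry in `unresolved_hosts()` usually means the host lives outside the scanned directory (or is an API-set name such as `api-ms-win-*`), so compare against all directories on the load path before treating it as missing.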