Can .Net Core 3 self-contained single executable be decompiled?

£可爱£侵袭症+ 提交于 2020-05-31 07:42:40

问题


I tried using Dotpeek and ILSpy.Net to decompile (my own code), they failed.

Do I need special obfuscation on distributed binaries of .Net Core 3 self-contained single executable ?

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp3.0</TargetFramework>
    <PublishTrimmed>true</PublishTrimmed>
    <PublishReadyToRun>true</PublishReadyToRun>
    <PublishSingleFile>true</PublishSingleFile>
    <RuntimeIdentifier>win-x64</RuntimeIdentifier>
  </PropertyGroup>
</Project>

回答1:


The single-file exe is really an unmanaged wrapper and ILSpy doesn't support decompiling this. But when you run the exe, it unwraps its contents to a temp folder. So you can find the managed dll there and decompile it using ILSpy.

To find the temp folder, you can use any tool that shows locations of assemblies loaded by a process. SysInternals Process Monitor (procmon) is a good one.

You can setup procmon to filter by your exe name, and when you launch your exe, procmon should show some events for assemblies being loaded from a temp folder:

You can browse to that folder and find your managed dll there. And you can decompile using ILSpy from that location.

I wrote a blog entry: https://eersonmez.blogspot.com/2020/02/ilspy-decompiling-net-core-self.html




回答2:


I wanted to add on @Eren Ersönmez's answer, that while ILSpy DotPeek don't support this at the time, since the self-contained single file is just a wrapper that contains all your DLLs and gets extracted on runtime, simply knowing where it is extracted to can save you using ProcMon or ProExp or windbg.

If you use windows you can go to c:\Users\{Local Username}\AppData\local\temp\.net\{Name of executable} which should lead to somewhere similar to c:\Users\alenros\AppData\Local\Temp.net\MyTestApplication

Launch your exe, and a folder with the same name will be created in that location. The folder will contain randomly named folders. open the latest one and there you will find all your extracted DLLs, which can then be decompiled.

Update: One of the announcements made regarding .Net 5 states that the way single-file executables will be made would change, so this method will not work for them.



来源:https://stackoverflow.com/questions/60026667/can-net-core-3-self-contained-single-executable-be-decompiled

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!