Squiblydoo / debloat

A GUI and CLI tool for removing bloat from executables
BSD 3-Clause "New" or "Revised" License
341 stars 28 forks source link

.NET Single File Binaries #21

Open Squiblydoo opened 1 year ago

Squiblydoo commented 1 year ago

Another method of bloat that cannot be solved at this time includes use of the .NET Single File feature. Tony wrote about analyzing such a DuckTail sample here: https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/

The following samples are being used as a POC for a solution: 7b9779a86781667aef8bfd44225deb0aaa61e0e7dbaa1ec1f3d3e3ec99bf5282 9a55f8490f17e095899df8bd57cbc2e8a451f01573d3763fb87d9186addc7d4e

These samples both have 460 DLL included in the Single File .NET binary. The sample Tony analyzed had 94 PE. In my observation, this number is growing over time with the result of binaries getting larger. The files identified by those hashes are 184 MB.

Squiblydoo commented 6 months ago

I have a temporary work around here: https://github.com/Squiblydoo/DotNetDebloat I can write all the files from a bundle to disk using a .NET EXE that leverages AsmResolver