A lightweight Python script for quick static triage of .NET (managed) executables and DLLs.
This tool is meant for fast “what is this binary doing?” recon by extracting:
- #US (User Strings) → string literals embedded in code (URLs, SQL queries, file paths, command templates, etc.)
- #Strings (Metadata Identifiers) → type/method/namespace names (helps map program structure)
- Manifest Resources (best-effort) → embedded resources when present (configs, blobs, etc.)
This works on .NET assemblies only. It will not extract meaningful results from native (C/C++/Go/Rust) executables.
- Extract User Strings with token offsets (e.g. 0x70000224)
- Extract Metadata strings with offsets (e.g. 0x000003E5)
- Optional regex filtering for fast hunting (passwords, connection strings, URLs, etc.)
- Minimal dependencies and easy to run in a venv
- Designed to work with dnfile 0.17.x (tested)
- Python 3.9+
- dnfile
Recommended (virtual environment):
python3 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt

Usage
Extract everything (default):
python3 dotnet_triage.py target.exe
Filter output with a regex:
python3 dotnet_triage.py target.exe "http|wsdl|tempuri|password|user|sql"
Only extract user strings (#US):
python3 dotnet_triage.py target.exe --us
Only extract metadata identifiers (#Strings):
python3 dotnet_triage.py target.exe --md
Only enumerate resources:
python3 dotnet_triage.py target.exe --res
Limit output volume:
python3 dotnet_triage.py target.exe --max 50
Raise the minimum string length:
python3 dotnet_triage.py target.exe --minlen 6

Example output:
=== #US (User Strings) ===
[US] 0x70000224: Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=...
=== #Strings (Metadata Identifiers) ===
[MD] 0x000000F0: IMonitoringService
[MD] 0x000003D5: StartMonitoring
[MD] 0x000007AD: KillProcess

Notes / Tips
How to tell if a binary is .NET
On Linux:
file target.exe
Look for hints like:
- “.Net assembly”
- “Mono/.NET”
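Where the [US] token values in the example output come from, as an added example (not dotnet_triage.py's own code, which is built on dnfile): per ECMA-335, each #US heap entry is a compressed length prefix followed by UTF-16LE text and one trailing flag byte, and the token is 0x70000000 OR'd with the entry's offset in the heap. SAMPLE_HEAP, the helper names and the case-insensitive filter are assumptions constructed for illustration.

```python
import re

US_TOKEN_BASE = 0x70000000  # top byte 0x70 marks a #US (user string) token

def read_compressed_uint(buf, pos):
    """Decode an ECMA-335 compressed unsigned int at pos -> (value, width)."""
    b0 = buf[pos]
    width = 1 if b0 & 0x80 == 0 else 2 if b0 & 0xC0 == 0x80 else 4
    if b0 & 0xE0 == 0xE0 or pos + width > len(buf):
        raise ValueError("bad or truncated length prefix")
    mask = {1: 0x7F, 2: 0x3FFF, 4: 0x1FFFFFFF}[width]
    return int.from_bytes(buf[pos:pos + width], "big") & mask, width

def iter_user_strings(heap, minlen=4):
    """Yield (token, text) for each #US entry of at least minlen characters."""
    pos = 0
    while pos < len(heap):
        try:
            size, width = read_compressed_uint(heap, pos)
        except ValueError:
            return  # malformed prefix: stop instead of guessing
        start = pos + width
        if start + size > len(heap):
            return  # entry runs past the heap: truncated input
        if size > 1:  # size counts the UTF-16LE bytes plus one trailing flag byte
            text = heap[start:start + size - 1].decode("utf-16-le", "replace")
            if len(text) >= minlen:
                yield US_TOKEN_BASE | pos, text
        pos = start + size

def hunt(heap, pattern=None, minlen=4):
    """Format hits like the tool's [US] lines, optionally regex-filtered."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None  # assumed flag
    return [f"[US] 0x{tok:08X}: {s}" for tok, s in iter_user_strings(heap, minlen)
            if rx is None or rx.search(s)]

def _entry(s):
    """Build one constructed heap entry (1- or 2-byte length prefix only)."""
    data = s.encode("utf-16-le") + b"\x00"
    n = len(data)
    return (bytes([n]) if n < 0x80 else bytes([0x80 | n >> 8, n & 0xFF])) + data

# Constructed sample heap: leading empty entry, three strings, zero padding.
SAMPLE_HEAP = b"\x00" + b"".join(_entry(s) for s in (
    "http://example.invalid/svc.asmx", "ok",
    "Server=localhost;Database=SecurityLogs;User Id=sqlsvc;Password=...",
)) + b"\x00\x00"

if __name__ == "__main__":
    print("\n".join(hunt(SAMPLE_HEAP, "http|password")))
```

The short string "ok" is dropped by the default minimum length, and a heap cut off mid-entry yields nothing for that entry instead of a partial string.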

Credits
Built using dnfile
dnfile==0.17.0