Get-PDInvokeImports: perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke
Get-PDInvokeImports
Get-PDInvokeImports is a tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke, and D/Invoke usage in assembly. Showing all locations from where they are referenced and Exports all to DnSpy_Bookmarks.xml
This PS module could be useful and helpful during reversing .NET assemblies for fast revealing calls to unmanaged API functions used in assembly. Sometimes malware assemblies are full of junk code where the main functionality is implemented by direct WIN API or NTAPI calls.
Get-PDInvokeImports enables you to get a fast overview of what P/Invoke, Dynamic P/Invoke, and D/Invoke are used in assembly – It will show you what functions are used + MDTokens, where are declared, and all locations where are used from code.
It enables to export of all locations where are detected P/Invoke, Dynamic P/Invoke, and D/Invoke referenced from code to DnSpy Bookmarks.xml
Example: Imagine 1MB assembly full of junk code + CF obfuscation where main functionality is reached via unmanaged WinAPI\NTAPI calls.
This PS module is written in PowerShell and is fully compatible with Windows PowerShell (.NET Framework) and PowerShell Core (based on .NET, .NET Core). It uses dnlib to parse assembly and .NET reflection to load dnlib. Dnlib is available for .NET framework and .NET standard – simply means that one can use this PS module depending on dnlib on Windows and also Linux OS.
What is P/Invoke, Dynamic P/Invoke, and D/Invoke?
Well very briefly said these are possible implementations of how one can call unmanaged code from managed (simplified – can be used to call directly WinAPI/NTAPI from .NET)
Some of them are easier to implement, and some of them are better at avoiding AV detection and hooking.
More information:
P/Invoke – [PInvoke]
D/Invoke – [DInvoke]
Dynamic P/Invoke – [Dynamic PInvoke]
