Extend dotnet module#1670
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). For more information, open the CLA check for this pull request. |
|
|
||
| .. c:type:: minor_runtime_version | ||
|
|
||
| The major version contained in the CLI header |
wxsBSD
left a comment
wxsBSD
left a comment
There was a problem hiding this comment.
Mostly just minor nits with this, but I very much like this PR!
|
|
||
| If CORHEADER_NATIVE_ENTRYPOINT is set, entry_point represents an RVA | ||
| to a native entrypoint. If CORHEADER_NATIVE_ENTRYPOINT is not set, | ||
| entry_point represents a managed entrypoint. |
There was a problem hiding this comment.
represents an RVA to a managed entrypoint.
This way it is clear that in both cases it is an RVA.
| .. c:member:: name | ||
|
|
||
| Stream name. | ||
There was a problem hiding this comment.
Nit: whitespace added here.
|
|
||
|
|
| // ECMA-335 Section II.23.1.10 | ||
| // | ||
| // These three bits contain one of the following values | ||
| #define METHOD_FLAGS_MEMBER_ACCESS_MASK 0x0007 |
There was a problem hiding this comment.
I noticed you're adding this _MASK definition but I'm not sure how useful it will be, as you're really just exposing it as a constant in the module without actually using it anywhere. Can we simplify a bit by removing this construct in the few places you're using it?
| // | ||
| // Manifest Resource Table | ||
| // ECMA-335 Section II.22.22 | ||
| // |
There was a problem hiding this comment.
This seems to be a copy/paste mistake. :)
When CORHEADER_NATIVE_ENTRYPOINT is not set it doesn't point to an RVA. I specified this better by stating `entry_point represents a metadata token`. Finding the RVA requires parsing the metadata tables for the specified token
Co-authored-by: Wesley Shields <wxs@atarininja.org>
I had the same thoughts when adding them, I was mocking up ECMA as is, but I agree that if it isn't being used, doesn't need to be present.
Co-authored-by: Wesley Shields <wxs@atarininja.org>
Co-authored-by: Wesley Shields <wxs@atarininja.org>
… into extend_dotnet_module
wxsBSD
left a comment
wxsBSD
left a comment
There was a problem hiding this comment.
Apologies for the delay, this completely slipped off my radar. I just took a quick look through this and it looks good to me!
|
Looks good to me. The only thing I miss is adding |
3 participants
Overview
This large PR is to extend the dotnet parsing capabilities to look into the .NET directory and MetaData tables further. Not all MetaData tables are being handled, just a few that have been found useful. Further table parsing could be added in the future. This will greatly extend yara capabilities combatting .NET malware that has been previously not available or requiring very complex yara rules.
Examples
Two examples are provided below, there are more in the tests and documentation. These examples take advantage of the new feature
is_dotnet.Mixed Mode
MemberRefs with order preference (if only malware was always this easy)