VirusTotal · tarterp · Mar 31, 2022 · Mar 31, 2022 · Mar 31, 2022 · Mar 31, 2022
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
@@ -33,6 +33,7 @@ Hilko Bengen <bengen@hilluzination.de>
 Joachim Metz <joachim.metz@gmail.com>
 Karl Hiramoto <karl.hiramoto@virustotal.com>
 Mike Wiacek <mjwiacek@google.com>
+Paul Tarter <paul.tarter@mandiant.com>;<tarterp@gmail.com>
 Shane Huntley <shuntley@google.com>
 Stefan Buehlmann <stefan.buehlmann@joebox.org>
 Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>

diff --git a/docs/modules/dotnet.rst b/docs/modules/dotnet.rst
@@ -30,6 +30,31 @@ using attributes and features of the .NET file format. Let's see some examples:
 Reference
 ---------
 
+.. c:type:: major_runtime_version
+
+    The major version contained in the CLI header
+
+.. c:type:: minor_runtime_version
+
+    The major version contained in the CLI header
+
+.. c:type:: flags
+
+    CLI header runtime flags contains the following values
+
+    .. c:type:: COMIMAGE_FLAGS_ILONLY 
+    .. c:type:: COMIMAGE_FLAGS_32BITREQUIRED    
+    .. c:type:: COMIMAGE_FLAGS_IL_LIBRARY       
+    .. c:type:: COMIMAGE_FLAGS_STRONGNAMESIGNED 
+    .. c:type:: COMIMAGE_FLAGS_NATIVE_ENTRYPOINT
+    .. c:type:: COMIMAGE_FLAGS_TRACKDEBUGDATA
+
+.. c:type:: entry_point
+
+    If CORHEADER_NATIVE_ENTRYPOINT is set, entry_point represents an RVA 
+    to a native entrypoint. If CORHEADER_NATIVE_ENTRYPOINT is not set, 
+    entry_point represents a managed entrypoint.
+
 .. c:type:: version
 
     The version string contained in the metadata root.
@@ -53,12 +78,12 @@ Reference
     stream object has the following attributes:
 
     .. c:member:: name
-
-        Stream name.
+    
+        Stream name
 
     .. c:member:: offset
 
-        Stream offset.
+        Stream offset
 
     .. c:member:: size
 
@@ -168,6 +193,153 @@ Reference
         String containing the public key or token which identifies the author of
         this assembly.
 
+.. c:type:: number_of_memberrefs
+
+    the number of memberrefs in the file
+
+.. c:type:: memberrefs
+
+    a zero-based array of memberrefs associating Methods to fields of a class.
+    Individual memberrefs can be access by using the [] operator. Each
+    memberref has the following attributes:
+
+    .. c:member:: name
+
+        memberref name
+
+        *Example: dotnet.memberrefs[18].name == "CompareTo"*
+
+
+
+.. c:type:: number_of_methods
+
+    the number of methods in the file
+
+.. c:type:: methods
+
+    A zero-based array of methods associating operations with a type. Individual
+    methods can be accessed by using the [] operator. Each method has the
+    following attributes:
+
+    .. c:member:: rva
+
+        A relative virtual address of the method
+
+    .. c:member:: impl_flags
+
+        Integer representing method implementation attributes with one of the 
+        following values:
+
+        .. c:type:: METHOD_IMPL_FLAGS_CODE_TYPE_MASK      
+        .. c:type:: METHOD_IMPL_FLAGS_IL            
+        .. c:type:: METHOD_IMPL_FLAGS_IS_NATIVE     
+        .. c:type:: METHOD_IMPL_FLAGS_OPTIL                
+        .. c:type:: METHOD_IMPL_FLAGS_RUNTIME              
+        .. c:type:: METHOD_IMPL_FLAGS_MANAGED_MASK         
+        .. c:type:: METHOD_IMPL_FLAGS_UNMANAGED            
+        .. c:type:: METHOD_IMPL_FLAGS_MANAGED               
+        .. c:type:: METHOD_IMPL_FLAGS_FORWARD_REF          
+        .. c:type:: METHOD_IMPL_FLAGS_PRESERVE_SIG         
+        .. c:type:: METHOD_IMPL_FLAGS_INTERNAL_CALL        
+        .. c:type:: METHOD_IMPL_FLAGS_SYNCHRONIZED         
+        .. c:type:: METHOD_IMPL_FLAGS_NO_INLINING          
+        .. c:type:: METHOD_IMPL_FLAGS_NO_OPTIMIZATION
+
+        *Example: dotnet.methods[0].impl_flags & dotnet.METHOD_IMPL_FLAGS_IS_NATIVE*
+
+    .. c:member:: flags
+
+        .. c:type:: METHOD_FLAGS_MEMBER_ACCESS_MASK
+        .. c:type:: METHOD_FLAGS_COMPILER_CONTROLLED
+        .. c:type:: METHOD_FLAGS_PRIVATE           
+        .. c:type:: METHOD_FLAGS_FAM_AND_ASSEM     
+        .. c:type:: METHOD_FLAGS_ASSEM             
+        .. c:type:: METHOD_FLAGS_FAMILY            
+        .. c:type:: METHOD_FLAGS_FAM_OR_ASSEM      
+        .. c:type:: METHOD_FLAGS_PUBLIC            
+        .. c:type:: METHOD_FLAGS_STATIC            
+        .. c:type:: METHOD_FLAGS_FINAL             
+        .. c:type:: METHOD_FLAGS_VIRTUAL           
+        .. c:type:: METHOD_FLAGS_HIDE_BY_SIG       
+        .. c:type:: METHOD_FLAGS_VTABLE_LAYOUT_MASK
+        .. c:type:: METHOD_FLAGS_REUSE_SLOT        
+        .. c:type:: METHOD_FLAGS_NEW_SLOT          
+        .. c:type:: METHOD_FLAGS_STRICT            
+        .. c:type:: METHOD_FLAGS_ABSTRACT          
+        .. c:type:: METHOD_FLAGS_SPECIAL_NAME      
+        .. c:type:: METHOD_FLAGS_PINVOKE_IMPL      
+        .. c:type:: METHOD_FLAGS_UNMANAGED_EXPORT  
+        .. c:type:: METHOD_FLAGS_RTS_SPECIAL_NAME  
+        .. c:type:: METHOD_FLAGS_HAS_SECURITY      
+        .. c:type:: METHOD_FLAGS_REQUIRE_SEC_OBJECT
+
+        *Example: dotnet.methods[0].Flags & dotnet.METHOD_FLAGS_STATIC*
+
+    .. c:member:: name
+
+        method name
+
+        *Example: dotnet.methods[0].name == "Foo"*
+
+.. c:type:: number_of_typerefs
+
+    the number of type references in the file
+
+.. c:type:: typerefs
+
+    A zero based array of type references, logical descriptions of user-defined 
+    types that are referenced in the current module. Individual typerefs can
+    be access by using the [] operator. Each typeref has the following
+    attributes:
+
+    .. c:member:: name
+
+        typeref name
+
+        *Example: dotnet.typerefs[0].name == "Decoder"*
+
+    .. c:member:: nameSpace
+
+        typeref namespace
+
+        *Example: dotnet.typerefs[0].namespace == "System.Text"*
+
+.. c:type:: number_of_impl_maps
+
+    The number of PInvoke implmaps in the file
+
+.. c:type:: impl_maps
+
+    A zero based array of impl_map table row. Each entry holds information 
+    about unmanaged methods that can be reached from managed code, using PInvoke 
+    dispatch. A row is entered in the impl_map table for each parent method that
+    is defined with a .pinvokeimpl interoperation attribute. Individual 
+    impl_maps can be accessed by using the [] operator.Each impl_map has the 
+    following attributes.
+
+    .. c:member:: import_name
+
+        impl_map import name
+
+    .. c:member:: mapping_flags
+
+        Integer representing flags for the impl_map entry with one of the
+        following values:
+
+        .. c:type:: PINVOKE_FLAGS_NO_MANGLE
+        .. c:type:: PINVOKE_FLAGS_CHAR_SET_MASK
+        .. c:type:: PINVOKE_FLAGS_CHAR_SET_NOT_SPEC
+        .. c:type:: PINVOKE_FLAGS_CHAR_SET_ANSI       
+        .. c:type:: PINVOKE_FLAGS_CHAR_SET_UNICODE      
+        .. c:type:: PINVOKE_FLAGS_CHAR_SET_AUTO      
+        .. c:type:: PINVOKE_FLAGS_SUPPORT_GET_LAST_ERROR      
+        .. c:type:: PINVOKE_FLAGS_CALL_CONV_MASK      
+        .. c:type:: PINVOKE_FLAGS_CALL_CONV_PLATFORM_API      
+        .. c:type:: PINVOKE_FLAGS_CALL_CONV_CDECL       
+        .. c:type:: PINVOKE_FLAGS_CALL_CONV_STDCALL        
+        .. c:type:: PINVOKE_FLAGS_CALL_CONV_THISCALL        
+        .. c:type:: PINVOKE_FLAGS_CALL_CONV_FASTCALL
+
 .. c:type:: number_of_user_strings
 
     The number of user strings in the file.