dotnet module

New in version 3.6.0.

The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. Let's see some examples:

import "dotnet"

rule not_exactly_five_streams
{
    condition:
        dotnet.number_of_streams != 5
}

rule blop_stream
{
    condition:
        for any i in (0..dotnet.number_of_streams - 1):
            (dotnet.streams[i].name == "#Blop")
}

Reference

version

The version string contained in the metadata root.

Example: dotnet.version == "v2.0.50727"

module_name

The name of the module.

Example: dotnet.module_name == "axs"

number_of_streams

The number of streams in the file.

streams

A zero-based array of stream objects, one for each stream contained in the file. Individual streams can be accessed by using the [] operator. Each stream object has the following attributes:

name

Stream name.

offset

Stream offset.

size

Stream size.

Example: dotnet.streams[0].name == "#~"

number_of_guids

The number of GUIDs in the guids array.

guids

A zero-based array of strings, one for each GUID. Individual guids can be accessed by using the [] operator.

Example: dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"
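To make concrete where the version, streams and guids fields above are read from, here is an added Python example (not YARA's own code, and independent of the dotnet module) that builds a small metadata root from constructed data and parses it back the same way: the BSJB signature, the version string, the stream headers, and the 16-byte entries of the #GUID heap. It starts at the metadata root itself; a real file locates that root through the MetaData directory of the CLI header, which this example deliberately skips. The sample stream names, sizes and GUID are constructed for the demonstration.

```python
import struct
import uuid

METADATA_SIGNATURE = 0x424A5342  # "BSJB", first dword of the CLI metadata root


def _pad4(data):
    """Pad with NULs to the next 4-byte boundary (ECMA-335 II.24.2.1 / II.24.2.2)."""
    return data + b"\x00" * (-len(data) % 4)


def build_metadata_root(version, streams):
    """Build a constructed metadata root: header, stream headers, then stream data.
    streams is a list of (name, bytes); data is laid out in the given order."""
    ver = _pad4(version.encode("ascii") + b"\x00")
    raw_names = [_pad4(name.encode("ascii") + b"\x00") for name, _ in streams]
    data_start = 16 + len(ver) + 4 + sum(8 + len(n) for n in raw_names)
    out = bytearray(struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)))
    out += ver
    out += struct.pack("<HH", 0, len(streams))  # Flags (reserved), Streams
    cursor = data_start
    for (name, data), raw_name in zip(streams, raw_names):
        out += struct.pack("<II", cursor, len(data)) + raw_name
        cursor += len(data)
    for _, data in streams:
        out += data
    return bytes(out)


def parse_metadata_root(blob):
    """Parse a metadata root into version, number_of_streams and a streams list."""
    if len(blob) < 20:
        raise ValueError("metadata root too short")
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", blob, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("missing BSJB signature")
    pos = 16
    version = blob[pos:pos + ver_len].split(b"\x00", 1)[0].decode("utf-8", "replace")
    pos += ver_len
    _flags, nstreams = struct.unpack_from("<HH", blob, pos)
    pos += 4
    streams = []
    for _ in range(nstreams):
        offset, size = struct.unpack_from("<II", blob, pos)
        pos += 8
        end = blob.index(b"\x00", pos)  # stream names are NUL-terminated ASCII
        name = blob[pos:end].decode("ascii")
        pos = end + 1
        pos += -pos % 4                 # name field is padded to a 4-byte boundary
        if offset + size > len(blob):
            raise ValueError("stream %r points outside the metadata" % name)
        streams.append({"name": name, "offset": offset, "size": size})
    return {"version": version, "number_of_streams": nstreams, "streams": streams}


def stream_data(blob, root, name):
    """Return the bytes of the named stream, or None if absent
    (the same lookup the blop_stream rule above performs)."""
    for s in root["streams"]:
        if s["name"] == name:
            return blob[s["offset"]:s["offset"] + s["size"]]
    return None


def parse_guids(guid_heap):
    """The #GUID heap is a flat array of 16-byte GUIDs (referenced 1-based by
    the tables); format them as dotnet.guids does: little-endian fields, lowercase."""
    usable = len(guid_heap) - len(guid_heap) % 16
    return [str(uuid.UUID(bytes_le=guid_heap[i:i + 16])) for i in range(0, usable, 16)]


# Constructed sample: three streams and a single GUID (the value from the example above).
SAMPLE_GUID = "99c08ffd-f378-a891-10ab-c02fe11be6ef"
SAMPLE_ROOT = build_metadata_root("v4.0.30319", [
    ("#~", b"\x00" * 24),
    ("#Strings", b"\x00Program\x00"),
    ("#GUID", uuid.UUID(SAMPLE_GUID).bytes_le),
])

if __name__ == "__main__":
    root = parse_metadata_root(SAMPLE_ROOT)
    print(root["version"], root["number_of_streams"])
    for s in root["streams"]:
        print("  %-10s offset=%d size=%d" % (s["name"], s["offset"], s["size"]))
    print(parse_guids(stream_data(SAMPLE_ROOT, root, "#GUID")))
```

The bounds check on offset + size is the one a parser must not skip: stream headers are attacker-controlled, and a header that points past the end of the metadata is exactly the kind of malformed input a rule author will eventually feed to a scanner.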

number_of_classes

The number of classes in the file.

classes

A zero-based array of class objects, one for each class stored in the metadata. Individual classes can be accessed by using the [] operator. Each class object has the following attributes:

fullname

Class full name.

name

Class name.

namespace

Class namespace.

visibility

Class visibility specifier, one of:

private, public, protected, internal, private protected, protected internal

type

Type of the object, one of:

class, interface

abstract

Boolean, true if the class is abstract.

sealed

Boolean, true if the class is sealed.

number_of_generic_parameters

Number of generic parameters.

generic_parameters

A zero-based array of generic parameter names. Individual parameters can be accessed by using the [] operator.

number_of_base_types

Number of base types.

base_types

A zero-based array of base type names. Individual base types can be accessed by using the [] operator.

number_of_methods

Number of methods.

methods

A zero-based array of method objects. Individual methods can be accessed by using the [] operator. Each method object has the following attributes:

name

Method name.

visibility

Method visibility specifier, one of:

private, public, protected, internal, private protected, protected internal

static

Boolean, true if the method is static.

virtual

Boolean, true if the method is virtual.

final

Boolean, true if the method is final.

abstract

Boolean, true if the method is abstract.

return_type

Method return type name.

number_of_parameters

Number of method parameters.

parameters

A zero-based array of parameter objects. Individual parameters can be accessed by using the [] operator. Each parameter object has the following attributes:

name

Parameter name.

type

Parameter type name.

number_of_generic_parameters

Number of generic parameters of the method.

generic_parameters

A zero-based array of the method's generic parameter names. Individual parameters can be accessed by using the [] operator.

Example: dotnet.classes[0].fullname == "Launcher.Program"

number_of_resources

The number of resources in the .NET file. These are managed (.NET) resources and are different from normal PE resources in the resource directory.

resources

A zero-based array of resource objects, one for each resource the .NET file has. Individual resources can be accessed by using the [] operator. Each resource object has the following attributes:

offset

Offset for the resource data.

length

Length of the resource data.

name

Name of the resource (string).

Example: uint16be(dotnet.resources[0].offset) == 0x4d5a

assembly

Object for .NET assembly information.

version

An object with integer values representing version information for this assembly. Attributes are:

major, minor, build_number, revision_number

name

String containing the assembly name.

culture

String containing the culture (language/country/region) for this assembly.

Example: dotnet.assembly.name == "Keylogger"

Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0

number_of_modulerefs

The number of module references in the .NET file.

modulerefs

A zero-based array of strings, one for each module reference the .NET file has. Individual module references can be accessed by using the [] operator.

Example: dotnet.modulerefs[0] == "kernel32"

typelib

The typelib of the file.

number_of_constants

The number of constants in the .NET file.

constants

A zero-based array of strings, one for each constant the .NET file has. Individual constants can be accessed by using the [] operator.

number_of_assembly_refs

The number of assembly references in the assembly_refs array.

assembly_refs

A zero-based array of objects, one for each assembly referenced by the .NET file. Individual references can be accessed by using the [] operator. Each object has the following attributes:

version

An object with integer values representing the version of the referenced assembly. Attributes are:

major, minor, build_number, revision_number

name

String containing the name of the referenced assembly.

public_key_or_token

String containing the public key or token which identifies the author of the referenced assembly.

number_of_user_strings

The number of user strings in the file.

user_strings

A zero-based array of strings, one for each user string in the file (the strings stored in the #US heap). Individual strings can be accessed by using the [] operator.
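The user strings live in the #US heap, which stores each string as a compressed-length-prefixed blob of UTF-16LE characters followed by one flag byte. This added Python example (not part of the YARA project) builds such a heap from constructed strings and decodes it, stopping at a truncated blob instead of reading past the end of the heap; the offsets it returns are the low 24 bits of the ldstr token (0x70xxxxxx) that loads each string. The sample strings are constructed for the demonstration.

```python
import struct


def read_compressed_uint(buf, pos):
    """Decode an ECMA-335 II.23.2 compressed unsigned integer at buf[pos].
    Returns (value, position after it); raises IndexError if buf ends early."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:                       # 1 byte:  0xxxxxxx
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:                    # 2 bytes: 10xxxxxx xxxxxxxx
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:                    # 4 bytes: 110xxxxx + 3 bytes
        return (((b0 & 0x1F) << 24) | (buf[pos + 1] << 16)
                | (buf[pos + 2] << 8) | buf[pos + 3]), pos + 4
    raise ValueError("invalid compressed integer at offset %d" % pos)


def encode_compressed_uint(value):
    """Inverse of read_compressed_uint, used to construct the sample heap."""
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return struct.pack(">H", value | 0x8000)
    if value < 0x20000000:
        return struct.pack(">I", value | 0xC0000000)
    raise ValueError("value too large for a compressed integer")


def build_us_heap(strings):
    """Constructed #US heap: a leading empty blob, then each string as
    <compressed length><UTF-16LE chars><1 flag byte>."""
    out = bytearray(b"\x00")
    for s in strings:
        data = s.encode("utf-16-le") + b"\x00"   # flag byte 0: plain characters
        out += encode_compressed_uint(len(data)) + data
    return bytes(out)


def parse_user_strings(heap):
    """Walk the #US heap and return [(offset, string), ...] for non-empty entries.
    offset is the heap offset of the length prefix, i.e. the low 24 bits of the
    ldstr token that references the string."""
    result = []
    pos = 0
    while pos < len(heap):
        try:
            length, start = read_compressed_uint(heap, pos)
        except (IndexError, ValueError):
            break                            # length prefix cut off or malformed
        end = start + length
        if end > len(heap):
            break                            # truncated blob: stop, do not over-read
        if length > 1:                       # 0 = empty blob, 1 = flag byte only
            text = heap[start:end - 1].decode("utf-16-le", "replace")
            result.append((pos, text))
        pos = end
    return result


# Constructed sample; the 64-character string forces a 2-byte length prefix.
SAMPLE_STRINGS = ["cmd.exe", "A" * 64, "powershell -enc"]
SAMPLE_US_HEAP = build_us_heap(SAMPLE_STRINGS)

if __name__ == "__main__":
    for offset, text in parse_user_strings(SAMPLE_US_HEAP):
        print("0x%06x  %r" % (offset, text))
    # A heap cut mid-blob yields only the complete entries before the cut.
    print(len(parse_user_strings(SAMPLE_US_HEAP[:-3])), "entries in truncated heap")
```

Empty entries are skipped here; that is this example's choice and says nothing about how the module itself numbers user strings. The only reliable way to know what dotnet.user_strings[i] holds for a given sample is to dump it with yara -D.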

number_of_field_offsets

The number of fields in the field_offsets array.

field_offsets

A zero-based array of integers, one for each field. Individual field offsets can be accessed by using the [] operator.

Example: dotnet.field_offsets[0] == 8675309

is_dotnet

New in version 4.2.0.

Function returning true if the PE is indeed a .NET image (it carries a CLI header), false otherwise. Requiring dotnet.is_dotnet before touching the other dotnet fields keeps a rule from being evaluated against non-.NET PEs.

Example: dotnet.is_dotnet