dotnet module
New in version 3.6.0.
The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. Let’s see some examples:
import "dotnet"
rule not_exactly_five_streams
{
condition:
dotnet.number_of_streams != 5
}
rule blop_stream
{
condition:
for any i in (0..dotnet.number_of_streams - 1):
(dotnet.streams[i].name == "#Blop")
}
Reference

version
    The version string contained in the metadata root.
    Example: dotnet.version == "v2.0.50727"

module_name
    The name of the module.
    Example: dotnet.module_name == "axs"

number_of_streams
    The number of streams in the file.

streams
    A zero-based array of stream objects, one for each stream contained in the file. Individual streams can be accessed by using the [] operator. Each stream object has the following attributes:

    name
        Stream name.

    offset
        Stream offset.

    size
        Stream size.

    Example: dotnet.streams[0].name == "#~"

number_of_guids
    The number of GUIDs in the guids array.

guids
    A zero-based array of strings, one for each GUID. Individual GUIDs can be accessed by using the [] operator.
    Example: dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"
number_of_resources
    The number of resources in the .NET file. These are different from normal PE resources.

resources
    A zero-based array of resource objects, one for each resource the .NET file has. Individual resources can be accessed by using the [] operator. Each resource object has the following attributes:

    offset
        Offset for the resource data.

    length
        Length of the resource data.

    name
        Name of the resource (string).

    Example: uint16be(dotnet.resources[0].offset) == 0x4d5a
assembly
    Object for .NET assembly information. It has the following attributes:

    version
        An object with integer values representing version information for this assembly. Attributes are: major, minor, build_number, revision_number.

    name
        String containing the assembly name.

    culture
        String containing the culture (language/country/region) for this assembly.

    Example: dotnet.assembly.name == "Keylogger"
    Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0
number_of_modulerefs
    The number of module references in the .NET file.

modulerefs
    A zero-based array of strings, one for each module reference the .NET file has. Individual module references can be accessed by using the [] operator.
    Example: dotnet.modulerefs[0] == "kernel32"

typelib
    The typelib of the file.
assembly_refs
    Object for .NET assembly reference information. It has the following attributes:

    version
        An object with integer values representing version information for this assembly. Attributes are: major, minor, build_number, revision_number.

    name
        String containing the assembly name.

    public_key_or_token
        String containing the public key or token which identifies the author of this assembly.
number_of_user_strings
¶ The number of user strings in the file.
-
user_strings
¶ An zero-based array of user strings, one for each stream contained in the file. Individual strings can be accessed by using the [] operator.
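Two rules that combine several of the attributes above, as an added example that is not part of the YARA documentation; the version numbers, the "kernel32" module reference and the 64-byte size threshold are assumed values chosen for illustration, not known indicators:

```yara
import "dotnet"

// Added example, not from the YARA documentation. Version numbers, the
// "kernel32" module reference and the 64-byte threshold are constructed
// values for illustration only.

rule dotnet_resource_embeds_pe
{
    meta:
        description = "Managed .NET resource whose data starts with an MZ header"
    condition:
        dotnet.number_of_resources > 0 and
        for any i in (0..dotnet.number_of_resources - 1):
            // offset > 0 guards against reading the host PE's own "MZ" at
            // file offset 0 when a resource offset could not be resolved
            (dotnet.resources[i].offset > 0 and
             dotnet.resources[i].length > 64 and
             uint16be(dotnet.resources[i].offset) == 0x4d5a)
}

rule dotnet_v1_assembly_with_kernel32_moduleref
{
    meta:
        description = "Assembly version 1.0.x.x that declares a module reference to kernel32"
    condition:
        dotnet.assembly.version.major == 1 and
        dotnet.assembly.version.minor == 0 and
        dotnet.number_of_modulerefs > 0 and
        for any i in (0..dotnet.number_of_modulerefs - 1):
            (dotnet.modulerefs[i] == "kernel32")
}
```

The number_of_resources and number_of_modulerefs guards keep the loop ranges non-negative on files that have none of either, which the bare (0..n - 1) form does not.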