dotnet module

New in version 3.6.0.

The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. Let's see some examples:

import "dotnet"

rule not_exactly_five_streams
{
    condition:
        dotnet.number_of_streams != 5
}

rule blop_stream
{
    condition:
        for any i in (0..dotnet.number_of_streams - 1):
            (dotnet.streams[i].name == "#Blop")
}

Reference

version

The version string contained in the metadata root.

Example: dotnet.version == "v2.0.50727"

module_name

The name of the module.

Example: dotnet.module_name == "axs"

number_of_streams

The number of streams in the file.

streams

A zero-based array of stream objects, one for each stream contained in the file. Individual streams can be accessed by using the [] operator. Each stream object has the following attributes:

name

Stream name.

offset

Stream offset.

size

Stream size.

Example: dotnet.streams[0].name == "#~"
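As an added example that is not part of the YARA documentation, the following rule combines number_of_streams with the per-stream name to flag files whose metadata stream set is not the one the .NET compilers normally emit. The six stream names are the well-known ones; the count threshold of six is an assumption chosen for illustration, not a limit defined by the format.

```yara
import "dotnet"

// Added example (not part of the YARA documentation). Flags .NET files whose
// metadata stream layout differs from what the usual compilers emit, which is
// a useful triage signal rather than a verdict on its own.
rule dotnet_unusual_stream_layout
{
    meta:
        description = "Non-standard metadata stream names or count in a .NET file"

    condition:
        // dotnet.number_of_streams is undefined for non-.NET files, so this
        // first test also makes the whole rule false for them.
        dotnet.number_of_streams > 0 and
        (
            // assumption for illustration: more than six streams is unusual
            dotnet.number_of_streams > 6 or
            // any stream whose name is not one of the well-known ones:
            // "#~" or "#-" hold the metadata tables, the rest are the heaps
            for any i in (0..dotnet.number_of_streams - 1):
            (
                not (
                    dotnet.streams[i].name == "#~" or
                    dotnet.streams[i].name == "#-" or
                    dotnet.streams[i].name == "#Strings" or
                    dotnet.streams[i].name == "#US" or
                    dotnet.streams[i].name == "#GUID" or
                    dotnet.streams[i].name == "#Blob"
                )
            )
        )
}
```

The stream names are compared exactly, so a file carrying a renamed or extra stream (an obfuscator artifact, or a hand-built metadata root) matches, while a normal compiler output does not.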

number_of_guids

The number of GUIDs in the guids array.

guids

A zero-based array of strings, one for each GUID. Individual GUIDs can be accessed by using the [] operator.

Example: dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"

number_of_resources

The number of resources in the .NET file. These are different from normal PE resources.

resources

A zero-based array of resource objects, one for each resource the .NET file has. Individual resources can be accessed by using the [] operator. Each resource object has the following attributes:

offset

Offset for the resource data.

length

Length of the resource data.

name

Name of the resource (string).

Example: uint16be(dotnet.resources[0].offset) == 0x4d5a

assembly

Object for .NET assembly information.

version

An object with integer values representing version information for this assembly. Attributes are: major, minor, build_number and revision_number.

name

String containing the assembly name.

culture

String containing the culture (language/country/region) for this assembly.

Example: dotnet.assembly.name == "Keylogger"

Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0

number_of_modulerefs

The number of module references in the .NET file.

modulerefs

A zero-based array of strings, one for each module reference the .NET file has. Individual module references can be accessed by using the [] operator.

Example: dotnet.modulerefs[0] == "kernel32"
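As added examples that are not part of the YARA documentation, the rules below cover two of the sections above at once: the resources section (a managed resource whose data starts with an MZ header, extending the page's uint16be example) and the modulerefs section (P/Invoke references to native DLLs). A third rule shows how to combine them with assembly version information. The DLL name list and the version threshold are assumptions chosen for illustration.

```yara
import "dotnet"

// Added examples (not part of the YARA documentation). Each rule combines
// several dotnet module fields from the reference above.

// A managed resource whose data starts with an MZ header usually means a
// complete PE file was embedded in the assembly, the typical layout of a
// managed loader or dropper.
rule dotnet_embedded_pe_in_resource
{
    meta:
        description = "Managed resource that begins with an MZ header"

    condition:
        // guard: do not evaluate the range (0..-1) when there are no resources
        dotnet.number_of_resources > 0 and
        for any i in (0..dotnet.number_of_resources - 1):
        (
            // a PE needs at least a 64-byte DOS header; the resource offset is
            // a file offset, exactly as in the page's own uint16be example
            dotnet.resources[i].length >= 0x40 and
            uint16be(dotnet.resources[i].offset) == 0x4d5a
        )
}

// Module references are the native DLLs named in DllImport (P/Invoke)
// declarations. On its own this is very common in benign code, so the rule
// is meant to be combined with other conditions.
rule dotnet_pinvoke_native_dlls
{
    meta:
        description = "Assembly declares P/Invoke references to low-level native DLLs"

    condition:
        dotnet.number_of_modulerefs > 0 and
        for any i in (0..dotnet.number_of_modulerefs - 1):
        (
            // names appear with or without the .dll suffix and in any case;
            // the DLL list is an assumption chosen for illustration
            dotnet.modulerefs[i] matches /^(kernel32|ntdll|advapi32)(\.dll)?$/i
        )
}

// Combination rule: an embedded PE, direct native API access and an
// assembly version that was never bumped from the project template default.
rule dotnet_loader_candidate
{
    meta:
        description = "Embedded PE resource plus P/Invoke in a low-version assembly"

    condition:
        dotnet_embedded_pe_in_resource and
        dotnet_pinvoke_native_dlls and
        // assumption for illustration: 1.0.0.0 / 0.0.0.0 are template defaults
        dotnet.assembly.version.major <= 1
}
```

Running these together with `yara -r rules.yar samples/` reports each matching rule name per file; the first two rules report independently, which makes it easy to see which half of the combination fired during triage.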

typelib

The typelib of the file.

assembly_refs

Object for .NET assembly reference information.

version

An object with integer values representing version information for this assembly. Attributes are: major, minor, build_number and revision_number.

name

String containing the assembly name.

public_key_or_token

String containing the public key or token which identifies the author of this assembly.

number_of_user_strings

The number of user strings in the file.

user_strings

A zero-based array of user strings, one for each user string contained in the file. Individual strings can be accessed by using the [] operator.

number_of_field_offsets

The number of fields in the field_offsets array.

field_offsets

A zero-based array of integers, one for each field. Individual field offsets can be accessed by using the [] operator.

Example: dotnet.field_offsets[0] == 8675309