File: dotnet.rst

yara 4.5.4-1

.. _dotnet-module:

#############
dotnet module
#############

.. versionadded:: 3.6.0

The dotnet module allows you to create more fine-grained rules for .NET files by
using attributes and features of the .NET file format. Let's see some examples:

.. code-block:: yara

    import "dotnet"

    rule not_exactly_five_streams
    {
        condition:
            dotnet.number_of_streams != 5
    }

    rule blop_stream
    {
        condition:
            for any i in (0..dotnet.number_of_streams - 1):
                (dotnet.streams[i].name == "#Blop")
    }

Reference
---------

.. c:type:: version

    The version string contained in the metadata root.

    *Example: dotnet.version == "v2.0.50727"*

.. c:type:: module_name

    The name of the module.

    *Example: dotnet.module_name == "axs"*

.. c:type:: number_of_streams

    The number of streams in the file.

.. c:type:: streams

    A zero-based array of stream objects, one for each stream contained in the
    file. Individual streams can be accessed by using the [] operator. Each
    stream object has the following attributes:

    .. c:member:: name

        Stream name.

    .. c:member:: offset

        Stream offset.

    .. c:member:: size

        Stream size.

    *Example: dotnet.streams[0].name == "#~"*

.. c:type:: number_of_guids

    The number of GUIDs in the guids array.

.. c:type:: guids

    A zero-based array of strings, one for each GUID. Individual GUIDs can be
    accessed by using the [] operator.

    *Example: dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"*

.. c:type:: number_of_classes

    The number of classes in the file.

.. c:type:: classes

    A zero-based array of .NET classes stored in the metadata. Individual classes
    can be accessed by using the [] operator. Each class object has the following
    attributes:

    .. c:member:: fullname

        Class full name.

    .. c:member:: name

        Class name.

    .. c:member:: namespace

        Class namespace.

    .. c:member:: visibility

        Class visibility specifier, options are:

        ``private``
        ``public``
        ``protected``
        ``internal``
        ``private protected``
        ``protected internal``

    .. c:member:: type

        Type of the object, options are:

        ``class``
        ``interface``

    .. c:member:: abstract

        Boolean representing if the class is abstract.

    .. c:member:: sealed

        Boolean representing if the class is sealed.

    .. c:member:: number_of_generic_parameters

        Number of generic parameters.

    .. c:member:: generic_parameters

        A zero-based array of generic parameter names. Individual parameters can
        be accessed by using the [] operator.

    .. c:member:: number_of_base_types

        Number of base types.

    .. c:member:: base_types

        A zero-based array of base type names. Individual base types can be
        accessed by using the [] operator.

    .. c:member:: number_of_methods

        Number of methods.

    .. c:member:: methods

        A zero-based array of method objects. Individual methods can be accessed
        by using the [] operator. Each method object has the following
        attributes:

        .. c:member:: name

            Method name.

        .. c:member:: visibility

            Method visibility specifier, options are:

            ``private``
            ``public``
            ``protected``
            ``internal``
            ``private protected``
            ``protected internal``

        .. c:member:: static

            Boolean representing if the method is static.

        .. c:member:: virtual

            Boolean representing if the method is virtual.

        .. c:member:: final

            Boolean representing if the method is final.

        .. c:member:: abstract

            Boolean representing if the method is abstract.

        .. c:member:: return_type

            Method return type name.

        .. c:member:: number_of_parameters

            Number of method parameters.

        .. c:member:: parameters

            A zero-based array of method parameter objects. Individual parameters
            can be accessed by using the [] operator. Each parameter object has
            the following attributes:

            .. c:member:: name

                Parameter name.

            .. c:member:: type

                Parameter type.

        .. c:member:: number_of_generic_parameters

            Number of method generic parameters.

        .. c:member:: generic_parameters

            A zero-based array of method generic parameter names. Individual
            parameters can be accessed by using the [] operator.

    *Example: dotnet.classes[0].fullname == "Launcher.Program"*
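The ``classes`` and ``methods`` arrays are most useful when iterated with nested
``for`` loops. The following rule is an added illustration, not part of the YARA
documentation or test suite; the method name ``Main``, the visibility values and
the return type string ``"void"`` are assumed values chosen for the example.

```yara
import "dotnet"

// Added example, not from the YARA project's own docs or tests.
// Assumed values: a class method named "Main" with return type "void",
// and the visibility string "private" as documented above.
rule dotnet_entry_class_shape
{
    meta:
        description = "Non-generic class with a static void Main and no other exposed methods"

    condition:
        dotnet.is_dotnet and
        for any c in dotnet.classes : (
            // a concrete, non-generic class (not an interface)
            c.type == "class" and
            not c.abstract and
            c.number_of_generic_parameters == 0 and
            // ... that declares a static method "Main" returning void ...
            for any m in c.methods : (
                m.name == "Main" and m.static and m.return_type == "void"
            ) and
            // ... and keeps every other method private
            for all m in c.methods : (
                m.name == "Main" or m.visibility == "private"
            )
        )
}
```

Because module booleans such as ``static`` and ``abstract`` are integers,
they can be used bare in the condition exactly like ``dotnet.is_dotnet``.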

.. c:type:: number_of_resources

    The number of resources in the .NET file. These are different from normal PE
    resources.

.. c:type:: resources

    A zero-based array of resource objects, one for each resource the .NET file
    has. Individual resources can be accessed by using the [] operator. Each
    resource object has the following attributes:

    .. c:member:: offset

        Offset for the resource data.

    .. c:member:: length

        Length of the resource data.

    .. c:member:: name

        Name of the resource (string).

    *Example: uint16be(dotnet.resources[0].offset) == 0x4d5a*

.. c:type:: assembly

    Object for .NET assembly information.

    .. c:member:: version

        An object with integer values representing version information for this
        assembly. Attributes are:

        ``major``
        ``minor``
        ``build_number``
        ``revision_number``

    .. c:member:: name

        String containing the assembly name.

    .. c:member:: culture

        String containing the culture (language/country/region) for this
        assembly.

    *Example: dotnet.assembly.name == "Keylogger"*

    *Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0*

.. c:type:: number_of_modulerefs

    The number of module references in the .NET file.

.. c:type:: modulerefs

    A zero-based array of strings, one for each module reference the .NET file
    has. Individual module references can be accessed by using the []
    operator.

    *Example: dotnet.modulerefs[0] == "kernel32"*

.. c:type:: typelib

    The typelib of the file.

.. c:type:: number_of_constants

    The number of constants in the .NET file.

.. c:type:: constants

    A zero-based array of strings, one for each constant the .NET file has.
    Individual constants can be accessed by using the [] operator.

.. c:type:: number_of_assembly_refs

    The number of objects for .NET assembly reference information.

.. c:type:: assembly_refs

    A zero-based array of objects, one for each .NET assembly reference the file
    has. Individual references can be accessed by using the [] operator. Each
    object has the following attributes:

    .. c:member:: version

        An object with integer values representing version information for this
        assembly. Attributes are:

        ``major``
        ``minor``
        ``build_number``
        ``revision_number``

    .. c:member:: name

        String containing the assembly name.

    .. c:member:: public_key_or_token

        String containing the public key or token which identifies the author of
        this assembly.
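The ``assembly``, ``modulerefs``, ``resources`` and ``assembly_refs`` fields
above combine naturally in one triage rule. The following rule is an added
illustration, not part of the YARA documentation; the module names, version
numbers and resource size threshold are constructed for the example.

```yara
import "dotnet"

// Added example, not from the YARA project's own docs or tests.
// Constructed values: version 1.0.x.x, module names "kernel32"/"ntdll",
// and a 64-byte minimum resource length.
rule dotnet_native_modulerefs_and_embedded_pe
{
    meta:
        description = "Managed binary declaring P/Invoke modules and carrying a PE in a .NET resource"

    condition:
        dotnet.is_dotnet and
        // assembly version 1.0.x.x (build_number and revision_number left free)
        dotnet.assembly.version.major == 1 and
        dotnet.assembly.version.minor == 0 and
        // unmanaged P/Invoke targets appear as module references,
        // not in the PE import table
        for any m in dotnet.modulerefs : (
            m icontains "kernel32" or m icontains "ntdll"
        ) and
        // a .NET resource (distinct from PE resources) starting with an MZ header
        for any r in dotnet.resources : (
            r.length > 64 and uint16be(r.offset) == 0x4d5a
        ) and
        // every referenced assembly carries a public key or token
        for all a in dotnet.assembly_refs : (
            a.public_key_or_token != ""
        )
}
```

Iterating the arrays directly (``for any r in dotnet.resources``) avoids the
empty range ``(0..-1)`` that the index form produces when a count is zero.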

.. c:type:: number_of_user_strings

    The number of user strings in the file.

.. c:type:: user_strings

    A zero-based array of user strings, one for each user string contained in
    the file. Individual strings can be accessed by using the [] operator.

.. c:type:: number_of_field_offsets

    The number of fields in the field_offsets array.

.. c:type:: field_offsets

    A zero-based array of integers, one for each field. Individual field offsets
    can be accessed by using the [] operator.

    *Example: dotnet.field_offsets[0] == 8675309*

.. c:type:: is_dotnet

    .. versionadded:: 4.2.0

    Function returning true if the PE is indeed .NET.

    *Example: dotnet.is_dotnet*