dotnet module
New in version 3.6.0.
The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. Let's see some examples:
import "dotnet"

rule not_exactly_five_streams
{
    condition:
        dotnet.number_of_streams != 5
}

rule blop_stream
{
    condition:
        for any i in (0..dotnet.number_of_streams - 1):
            (dotnet.streams[i].name == "#Blop")
}
Reference

version
The version string contained in the metadata root.
Example: dotnet.version == "v2.0.50727"

module_name
The name of the module.
Example: dotnet.module_name == "axs"

number_of_streams
The number of streams in the file.

streams
A zero-based array of stream objects, one for each stream contained in the file. Individual streams can be accessed by using the [] operator. Each stream object has the following attributes:
- name: Stream name.
- offset: Stream offset.
- size: Stream size.
Example: dotnet.streams[0].name == "#~"

number_of_guids
The number of GUIDs in the guids array.

guids
A zero-based array of strings, one for each GUID. Individual GUIDs can be accessed by using the [] operator.
Example: dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"
number_of_classes
The number of classes in the file.

classes
An array of .NET classes stored in the metadata. Individual classes can be accessed by using the [] operator. Each class object contains the following attributes:
- fullname: Class full name.
- name: Class name.
- namespace: Class namespace.
- visibility: Class visibility specifier; options are private, public, protected, internal, private protected and protected internal.
- type: Type of the object; options are class and interface.
- abstract: Boolean representing whether the class is abstract.
- sealed: Boolean representing whether the class is sealed.
- number_of_generic_parameters: Number of generic parameters.
- generic_parameters: A zero-based array of generic parameter names. Individual parameters can be accessed by using the [] operator.
- number_of_base_types: Number of base types.
- base_types: A zero-based array of base type names. Individual base types can be accessed by using the [] operator.
- number_of_methods: Number of methods.
- methods: A zero-based array of method objects. Individual methods can be accessed by using the [] operator. Each method object contains the following attributes:
  - name: Method name.
  - visibility: Method visibility specifier; options are private, public, protected, internal, private protected and protected internal.
  - static: Boolean representing whether the method is static.
  - virtual: Boolean representing whether the method is virtual.
  - final: Boolean representing whether the method is final.
  - abstract: Boolean representing whether the method is abstract.
  - return_type: Method return type name.
  - number_of_parameters: Number of method parameters.
  - parameters: A zero-based array of method parameter objects. Individual parameters can be accessed by using the [] operator. Each parameter object has the following attributes:
    - name: Parameter name.
    - type: Parameter type.
  - number_of_generic_parameters: Number of method generic parameters.
  - generic_parameters: A zero-based array of method generic parameter names. Individual parameters can be accessed by using the [] operator.
Example: dotnet.classes[0].fullname == "Launcher.Program"
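The class and method attributes above can be combined into a rule that matches a class by its layout rather than by its symbol names, which is useful because renaming obfuscators rewrite fullname, name and namespace but rarely change visibility, the static/sealed/abstract flags, return types or parameter counts. The following rule is an added example, not code from the YARA documentation; its thresholds are constructed, and the spelling of type names ("byte[]", "string") is an assumption about the module's output that should be verified with `yara -D` on a known sample.

```yara
import "dotnet"

// Added example (not from the YARA docs): match a class by its layout instead
// of its symbol names. The thresholds below are constructed, and the
// type-name spelling ("byte[]", "string") is an assumption to verify with
// `yara -D` on a known sample.
rule dotnet_class_layout_fingerprint
{
    condition:
        dotnet.is_dotnet and
        dotnet.number_of_classes > 0 and
        for any i in (0..dotnet.number_of_classes - 1) : (
            // a non-public, sealed, concrete class with a handful of methods ...
            dotnet.classes[i].type == "class" and
            dotnet.classes[i].sealed and
            not dotnet.classes[i].abstract and
            dotnet.classes[i].visibility != "public" and
            dotnet.classes[i].number_of_methods >= 3 and
            // ... one of which is a private static helper that takes a string
            // plus one other argument and returns a byte array
            for any j in (0..dotnet.classes[i].number_of_methods - 1) : (
                dotnet.classes[i].methods[j].static and
                dotnet.classes[i].methods[j].visibility == "private" and
                dotnet.classes[i].methods[j].return_type == "byte[]" and
                dotnet.classes[i].methods[j].number_of_parameters == 2 and
                dotnet.classes[i].methods[j].parameters[0].type == "string"
            )
        )
}
```

The number_of_classes and number_of_methods guards keep the ranges non-empty, and dotnet.is_dotnet (YARA 4.2.0 or later) makes the rule evaluate to false on non-.NET PE files instead of on undefined values.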
number_of_resources
The number of resources in the .NET file. These are different from normal PE resources.

resources
A zero-based array of resource objects, one for each resource the .NET file has. Individual resources can be accessed by using the [] operator. Each resource object has the following attributes:
- offset: Offset of the resource data.
- length: Length of the resource data.
- name: Name of the resource (string).
Example: uint16be(dotnet.resources[0].offset) == 0x4d5a
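Because offset is a file offset, the uint16be() check in the example can be applied to every resource, not just the first one. The following rule is an added example, not code from the YARA documentation; it hunts for assemblies that carry a second PE image inside a managed resource, a layout seen in packers and loaders, and the minimum length is a constructed threshold.

```yara
import "dotnet"

// Added example (not from the YARA docs): flag .NET files where any managed
// resource starts with the "MZ" signature (0x4d5a read big-endian) and is
// large enough to plausibly hold a PE image. The 1024-byte floor is a
// constructed threshold; tune it to your corpus.
rule dotnet_resource_embeds_pe
{
    meta:
        description = "Managed resource whose data starts with an MZ header"
    condition:
        dotnet.is_dotnet and
        dotnet.number_of_resources > 0 and
        for any i in (0..dotnet.number_of_resources - 1) : (
            dotnet.resources[i].length > 1024 and
            uint16be(dotnet.resources[i].offset) == 0x4d5a
        )
}
```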
assembly
Object for .NET assembly information. It has the following attributes:
- version: An object with integer values representing version information for this assembly. Its attributes are major, minor, build_number and revision_number.
- name: String containing the assembly name.
- culture: String containing the culture (language/country/region) for this assembly.
Example: dotnet.assembly.name == "Keylogger"
Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0

number_of_modulerefs
The number of module references in the .NET file.

modulerefs
A zero-based array of strings, one for each module reference the .NET file has. Individual module references can be accessed by using the [] operator.
Example: dotnet.modulerefs[0] == "kernel32"

typelib
The typelib of the file.

number_of_constants
The number of constants in the .NET file.

constants
A zero-based array of strings, one for each constant the .NET file has. Individual constants can be accessed by using the [] operator.

number_of_assembly_refs
The number of assembly references in the .NET file (the length of the assembly_refs array).

assembly_refs
A zero-based array of objects, one for each .NET assembly reference the file has. Individual references can be accessed by using the [] operator. Each object has the following attributes:
- version: An object with integer values representing version information for the referenced assembly. Its attributes are major, minor, build_number and revision_number.
- name: String containing the name of the referenced assembly.
- public_key_or_token: String containing the public key or token which identifies the author of the referenced assembly.
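The assembly, assembly_refs and modulerefs attributes describe three different things: the file's own identity, the managed assemblies it depends on, and the native modules its P/Invoke declarations point at (the ModuleRef table, which is where a name such as "kernel32" comes from). The following rule is an added example, not code from the YARA documentation, that ties the three together; the version numbers and the mscorlib/kernel32 conditions are constructed for illustration.

```yara
import "dotnet"

// Added example (not from the YARA docs): combine the assembly's own
// identity, its referenced assemblies and its native module references.
// The version values and reference names are constructed for illustration.
rule dotnet_identity_and_references
{
    condition:
        dotnet.is_dotnet and

        // the assembly still carries the build-template default version 1.0.0.0
        dotnet.assembly.version.major == 1 and
        dotnet.assembly.version.minor == 0 and
        dotnet.assembly.version.build_number == 0 and
        dotnet.assembly.version.revision_number == 0 and

        // it references a 4.x mscorlib, i.e. it was built against .NET Framework 4
        dotnet.number_of_assembly_refs > 0 and
        for any i in (0..dotnet.number_of_assembly_refs - 1) : (
            dotnet.assembly_refs[i].name == "mscorlib" and
            dotnet.assembly_refs[i].version.major == 4
        ) and

        // and it declares native imports from kernel32; ModuleRef names are
        // free text, so match case-insensitively with or without ".dll"
        dotnet.number_of_modulerefs > 0 and
        for any i in (0..dotnet.number_of_modulerefs - 1) : (
            dotnet.modulerefs[i] matches /^kernel32(\.dll)?$/i
        )
}
```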
number_of_user_strings
The number of user strings in the file.

user_strings
A zero-based array of strings, one for each user string contained in the file. Individual strings can be accessed by using the [] operator.

number_of_field_offsets
The number of fields in the field_offsets array.

field_offsets
A zero-based array of integers, one for each field. Individual field offsets can be accessed by using the [] operator.
Example: dotnet.field_offsets[0] == 8675309

is_dotnet
New in version 4.2.0.
Function returning true if the PE is indeed .NET.
Example: dotnet.is_dotnet