Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend dotnet module #1670

Open
wants to merge 20 commits into
base: master
Choose a base branch
from
Open

Conversation

tarterp
Copy link

@tarterp tarterp commented Mar 31, 2022

Overview

This large PR is to extend the dotnet parsing capabilities to look into the .NET directory and MetaData tables further. Not all MetaData tables are being handled, just a few that have been found useful. Further table parsing could be added in the future. This will greatly extend yara capabilities combatting .NET malware that has been previously not available or requiring very complex yara rules.

  • Parse more of the .NET Directory, of most notice being the flags and entry point
  • Parse the following MetaData Tables
    • Module
    • Typeref
    • Method
    • ImplMap

Examples

Two examples are provided below, there are more in the tests and documentation. These examples take advantage of the new feature is_dotnet.

Mixed Mode

import "pe"
import "dotnet"

rule mixed_mode {
    condition:
      pe.is_pe and
      dotnet.is_dotnet and
      dotnet.Flags & dotnet.COMIMAGE_FLAGS_ILONLY == 0
}

MemberRefs with order preference (if only malware was always this easy)

import "pe"
import "dotnet"

rule memberref_order {
  condition:
    pe.is_pe and
    dotnet.is_dotnet and
    for any i in (0..dotnet.number_of_memberrefs - 1): (
        dotnet.memberrefs[i].name == "GetCurrentProcess" and
        dotnet.memberrefs[i+1].name == "AntiDebug" and
        dotnet.memberrefs[i+2].name == "SystemEnumeration" and
        dotnet.memberrefs[i+3].name == "SendHostInfo" and
        dotnet.memberrefs[i+4].name == "HandlerLoop"
    )
}

@google-cla
Copy link

google-cla bot commented Mar 31, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

For more information, open the CLA check for this pull request.


.. c:type:: minor_runtime_version

The major version contained in the CLI header
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/major/minor/

Copy link
Collaborator

@wxsBSD wxsBSD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly just minor nits with this, but I very much like this PR!


If CORHEADER_NATIVE_ENTRYPOINT is set, entry_point represents an RVA
to a native entrypoint. If CORHEADER_NATIVE_ENTRYPOINT is not set,
entry_point represents a managed entrypoint.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

represents an RVA to a managed entrypoint.

This way it is clear that in both cases it is an RVA.

@@ -53,12 +78,12 @@ Reference
stream object has the following attributes:

.. c:member:: name

Stream name.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: whitespace added here.

Comment on lines 211 to 212


Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: extra newlines here.

docs/modules/dotnet.rst Outdated Show resolved Hide resolved
// ECMA-335 Section II.23.1.10
//
// These three bits contain one of the following values
#define METHOD_FLAGS_MEMBER_ACCESS_MASK 0x0007
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed you're adding this _MASK definition but I'm not sure how useful it will be, as you're really just exposing it as a constant in the module without actually using it anywhere. Can we simplify a bit by removing this construct in the few places you're using it?

libyara/include/yara/dotnet.h Outdated Show resolved Hide resolved
Comment on lines 336 to 339
//
// Manifest Resource Table
// ECMA-335 Section II.22.22
//
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be a copy/paste mistake. :)

libyara/modules/dotnet/dotnet.c Outdated Show resolved Hide resolved
libyara/modules/dotnet/dotnet.c Show resolved Hide resolved
tarterp and others added 13 commits April 21, 2022 16:32
When CORHEADER_NATIVE_ENTRYPOINT is not set it doesn't point to an RVA. I specified this better by stating `entry_point represents a metadata token`. Finding the RVA requires parsing the metadata tables for the specified token
Co-authored-by: Wesley Shields <[email protected]>
I had the same thoughts when adding them, I was mocking up ECMA as is, but I agree that if it isn't being used, doesn't need to be present.
Co-authored-by: Wesley Shields <[email protected]>
Co-authored-by: Wesley Shields <[email protected]>
Copy link
Author

@tarterp tarterp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated per comments given.

Copy link
Collaborator

@wxsBSD wxsBSD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the delay, this completely slipped off my radar. I just took a quick look through this and it looks good to me!

@plusvic
Copy link
Member

plusvic commented Oct 19, 2022

Looks good to me. The only thing I miss is adding .. versionadded:: 4.3.0 to the new fields in the documentation.

@plusvic plusvic added this to the v4.4 milestone Apr 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants