Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend dotnet module #1670

Open
wants to merge 20 commits into
base: master
Choose a base branch
from
Open

Extend dotnet module #1670

wants to merge 20 commits into from
+819 −11

Conversation

tarterp
Copy link

@tarterp tarterp commented Mar 31, 2022

Overview

This large PR is to extend the dotnet parsing capabilities to look into the .NET directory and MetaData tables further. Not all MetaData tables are being handled, just a few that have been found useful. Further table parsing could be added in the future. This will greatly extend yara capabilities combatting .NET malware that has been previously not available or requiring very complex yara rules.

  • Parse more of the .NET Directory, of most notice being the flags and entry point
  • Parse the following MetaData Tables
    • Module
    • Typeref
    • Method
    • ImplMap

Examples

Two examples are provided below, there are more in the tests and documentation. These examples take advantage of the new feature is_dotnet.

Mixed Mode

import "pe"
import "dotnet"

rule mixed_mode {
    condition:
      pe.is_pe and
      dotnet.is_dotnet and
      dotnet.Flags & dotnet.COMIMAGE_FLAGS_ILONLY == 0
}

MemberRefs with order preference (if only malware was always this easy)

import "pe"
import "dotnet"

rule memberref_order {
  condition:
    pe.is_pe and
    dotnet.is_dotnet and
    for any i in (0..dotnet.number_of_memberrefs - 1): (
        dotnet.memberrefs[i].name == "GetCurrentProcess" and
        dotnet.memberrefs[i+1].name == "AntiDebug" and
        dotnet.memberrefs[i+2].name == "SystemEnumeration" and
        dotnet.memberrefs[i+3].name == "SendHostInfo" and
        dotnet.memberrefs[i+4].name == "HandlerLoop"
    )
}

@google-cla
Copy link

google-cla bot commented Mar 31, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

For more information, open the CLA check for this pull request.

wxsBSD
wxsBSD reviewed Apr 21, 2022
View reviewed changes
docs/modules/dotnet.rst Outdated

.. c:type:: minor_runtime_version

The major version contained in the CLI header
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/major/minor/

wxsBSD
wxsBSD reviewed Apr 21, 2022
View reviewed changes
Copy link
Collaborator

@wxsBSD wxsBSD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly just minor nits with this, but I very much like this PR!

docs/modules/dotnet.rst Outdated

If CORHEADER_NATIVE_ENTRYPOINT is set, entry_point represents an RVA
to a native entrypoint. If CORHEADER_NATIVE_ENTRYPOINT is not set,
entry_point represents a managed entrypoint.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

represents an RVA to a managed entrypoint.

This way it is clear that in both cases it is an RVA.

docs/modules/dotnet.rst Outdated
@@ -53,12 +78,12 @@ Reference
stream object has the following attributes:

.. c:member:: name

Stream name.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: whitespace added here.

docs/modules/dotnet.rst Outdated
Comment on lines 211 to 212


Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: extra newlines here.

docs/modules/dotnet.rst Outdated Show resolved Hide resolved
libyara/include/yara/dotnet.h Outdated
// ECMA-335 Section II.23.1.10
//
// These three bits contain one of the following values
#define METHOD_FLAGS_MEMBER_ACCESS_MASK 0x0007
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed you're adding this _MASK definition but I'm not sure how useful it will be, as you're really just exposing it as a constant in the module without actually using it anywhere. Can we simplify a bit by removing this construct in the few places you're using it?

libyara/include/yara/dotnet.h Outdated Show resolved Hide resolved
libyara/include/yara/dotnet.h Outdated
Comment on lines 336 to 339
//
// Manifest Resource Table
// ECMA-335 Section II.22.22
//
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be a copy/paste mistake. :)

libyara/modules/dotnet/dotnet.c Outdated Show resolved Hide resolved
libyara/modules/dotnet/dotnet.c Show resolved Hide resolved
tarterp and others added 13 commits April 21, 2022 16:32
@tarterp
s/major/minor/
7a03749
@tarterp
specify entry_point cases
b869c89 
When CORHEADER_NATIVE_ENTRYPOINT is not set it doesn't point to an RVA. I specified this better by stating `entry_point represents a metadata token`. Finding the RVA requires parsing the metadata tables for the specified token
@tarterp
grammar and fix whitespace
8b3e6a9
@tarterp
removed extra whitespace
82bca01
@tarterp @wxsBSD
grammar fix
d6758f5 
Co-authored-by: Wesley Shields <[email protected]>
@tarterp
removed unreferenced *_MASK #defines
0c6f465 
I had the same thoughts when adding them, I was mocking up ECMA as is, but I agree that if it isn't being used, doesn't need to be present.
@tarterp @wxsBSD
typedef syntax format fix
d521662 
Co-authored-by: Wesley Shields <[email protected]>
@tarterp
fixed ECMA ImplMap comment
ce47116
@tarterp @wxsBSD
grammar fix
0d932a9 
Co-authored-by: Wesley Shields <[email protected]>
@tarterp
remove *_MASK
6a8b515
@tarterp
Merge branch 'extend_dotnet_module' of https://github.com/mandiant/yara
446cc18 
… into extend_dotnet_module
@tarterp
remove *_MASK
b980784
@tarterp
added counter for memberref and typeref
97df9be
tarterp
tarterp commented Apr 22, 2022
View reviewed changes
Copy link
Author

@tarterp tarterp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated per comments given.

wxsBSD
wxsBSD approved these changes Aug 29, 2022
View reviewed changes
Copy link
Collaborator

@wxsBSD wxsBSD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the delay, this completely slipped off my radar. I just took a quick look through this and it looks good to me!

@plusvic
Copy link
Member

plusvic commented Oct 19, 2022

Looks good to me. The only thing I miss is adding .. versionadded:: 4.3.0 to the new fields in the documentation.

@plusvic plusvic added this to the v4.4 milestone Apr 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wxsBSD wxsBSD wxsBSD approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v4.4
Development

Successfully merging this pull request may close these issues.
3 participants
@tarterp @plusvic @wxsBSD