YARA-X

dotnet

The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. Let’s see some examples:

import "dotnet"

rule GetHashCodeMethod {
    condition:
        for any class in dotnet.classes : (
           for any method in class.methods : (
                method.name == "GetHashCode" and
                method.visibility == "public"
           )
        )
}

rule BlopStream {
    condition:
        for any stream in dotnet.streams :( 
            stream.name == "#Blop"
        )
}

Module structure

FieldType
is_dotnetbool
module_namestring
versionstring
number_of_streamsinteger
number_of_guidsinteger
number_of_resourcesinteger
number_of_generic_parametersinteger
number_of_classesinteger
number_of_assembly_refsinteger
number_of_modulerefsinteger
number_of_user_stringsinteger
number_of_constantsinteger
number_of_field_offsetsinteger
typelibstring
streamsStream array
guidsstring array
constantsstring array
assemblyAssembly array
assembly_refsAssemblyRef array
resourcesResource array
classesClass array
field_offsetsinteger array
user_stringsstring array
modulerefsstring array

Assembly

This is the structure in the assembly field, which contains general information about the .NET assembly.

FieldType
namestring
culturestring
versionVersion

Example

import "dotnet"

rule RDMCOLib {
    condition:
        dotnet.assembly.name == "Interop.RDMCOLib"
}

AssemblyRef

This is the structure of each item in the assembly_refs array.

FieldType
namestring
public_key_or_tokenstring
versionVersion

Example

import "dotnet"

rule WindowsFirewallHelper {
    condition:
        for any ref in dotnet.assembly_refs : (
            ref.name == "WindowsFirewallHelper" and
            ref.version.major == 4
        )
}

Class

This is the structure of each item in the classes array.

FieldType
fullnamestring
namestring
namespacestring
visibilitystring
typestring
abstractbool
sealedbool
number_of_base_typesinteger
number_of_generic_parametersinteger
number_of_methodsinteger
base_typesstring array
generic_parametersstring array
methodsMethod array

Example

import "dotnet"

rule DebugInfoInPDBAttribute {
    condition:
        for any class in dotnet.classes : (
           class.fullname == "Microsoft.VisualC.DebugInfoInPDBAttribute"
        )
}

Method

This is the structure of each item in the methods array within each Class.

FieldType
namestring
visibilitystring
abstractbool
staticbool
virtualbool
finalbool
return_typestring
number_of_generic_parametersinteger
number_of_parametersinteger
generic_parametersstring array
parametersParam array

Example

import "dotnet"

rule GetHashCode {
    condition:
        for any class in dotnet.classes : (
           for any method in class.methods : (
                method.name == "GetHashCode" and
                method.visibility == "public"
           )
        )
}

Param

This is the structure of each item in the parameters array within each Method.

FieldType
namestring
typestring

Example

import "dotnet"

rule FreezeEvents {
    condition:
        for any class in dotnet.classes : (
           for any method in class.methods : (
                for any param in method.parameters : (
                    param.name == "pFreezeEvents" 
                )
           )
        )
}

Resource

This is the structure of each item in the resources array.

FieldType
offsetinteger
lengthinteger
namestring

Example

import "dotnet"

rule TurboPing {
    condition:
        for any res in dotnet.resources : (
           res.name startswith "TurboPing"
        )
}

Stream

This is the structure of each item in the streams array.

FieldType
namestring
offsetinteger
sizeinteger

Example

import "dotnet"

rule DarksProtector {
    condition:
        for any stream in dotnet.streams : (
           stream.name == "DarksProtector"
        )
}

Version

FieldType
majorinteger
minorinteger
build_numberinteger
revision_numberinteger
Prev
lnk
Next
macho