dnfile

Parse .NET executable files.

Results 9 dnfile issues

I was wondering if you'd be interested in this error, caused by [this file](https://www.virustotal.com/gui/file/e94f7c475e7db0691a2698b5dd349c2b412ffddafa7a3ff85785cbd5ac144fcb). I found it using CAPA, with dnfile 0.14.1, but it also triggers on 0.15.0. ```python >>>...

The GUIDS stream is easily iterable since all items must be exactly 32 bytes long and can only be referenced in that fashion. So it should be easy to make...

There may be useful parsing information in the dotnet (.NET) runtime vs ECMA-335 specification documentation: https://github.com/dotnet/runtime/tree/main/docs/design/specs

GitHub action recommends using a Trusted Publisher instead of API tokens in workflows to push to PyPI. And the PyPI documentation strongly recommends using a GitHub environment. https://docs.pypi.org/trusted-publishers/using-a-publisher/

Parse the Method data (pointed to by RVA, see mdtable.MethodDefRow), as much as is needed to perform data-agnostic computation over the bytecode (cryptographic and fuzzy hashes, entropy, value distributions, etc)....

Method (and field, and ...) signatures are represented by data in a custom binary format that is stored in the `#Blob` stream. The best references I've found for parsing this...

Requesting that you add the ability to parse BMP images stored as entries within the .NET resources. Sample: https://www.virustotal.com/gui/file/0a5dc3b6669cf31e8536c59fe1315918eb4ecfd87998445e2eeb8fed64bd2f2c dnfile properly identified the resource names and types but the data...

Submitting a request to have things like strings, user_strings, and GUIDs processed when dnfile first loads an executable. Basically implementing the code provided in the following example into dnfile: https://github.com/malwarefrank/dnfile/blob/b2a24c5eb46995a739c7bb5f626d6f4052ccb753/examples/dnstrings.py...

The UserStrings can be UTF-16-LE encoded values with "odd" surrogate code points. Per the [Wikipedia page](https://en.wikipedia.org/wiki/UTF-16#U+D800_to_U+DFFF_(surrogates)) on UTF-16: > The official Unicode standard says that no UTF forms, including UTF-16,...