capa
dotnet: extract array data
see https://github.com/mandiant/capa-rules/issues/591.
we can probably use existing `bytes` feature for this.
agree that using `bytes` makes sense for a u8 array. not sure what to do for non-u8 arrays, or if this even matters in the real world? i suppose for things like u32 arrays we could serialize them into a `bytes` sequence as might be done in native code.
hmmm we could allow users to specify array type, supporting a subset like un/signed 8-, 16-, 32-, 64-bit integers?
- array[int]: -1, 0, 1, 2
- array[uchar]: 0x41, 0x42, 0x43
- array/int: -1, 0, 1, 2
- array/uchar: 0x41, 0x42, 0x43
- list[s32]: -1, 0, 1, 2
- list[u8]: 0x41, 0x42, 0x43
- list/s32: -1, 0, 1, 2
- list/u8: 0x41, 0x42, 0x43
do we allow `substring`-like functionality?
- subarray[int]: -1, 0, 1, 2
- subarray[uchar]: 0x41, 0x42, 0x43
- subarray/int: -1, 0, 1, 2
- subarray/uchar: 0x41, 0x42, 0x43
- sublist[s32]: -1, 0, 1, 2
- sublist[u8]: 0x41, 0x42, 0x43
- sublist/s32: -1, 0, 1, 2
- sublist/u8: 0x41, 0x42, 0x43
we could serialize everything to bytes under the hood to make matching less complicated?
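One way the "serialize everything to bytes under the hood" idea could look, as an added example that is not capa's code (the `list[...]`/`sublist[...]` syntax is only the proposal in this thread, and the element-aligned sub-array match is an assumption, added so that a multi-byte needle cannot match across element boundaries):

```python
import re
import struct

# Hypothetical feature syntax from this thread:
#   list[s32]: -1, 0, 1, 2        -> whole array must match
#   sublist[u8]: 0x41, 0x42, 0x43 -> contiguous sub-array must match
# Elements are packed little-endian so matching is a plain bytes comparison.
FORMATS = {
    "u8": "<B", "s8": "<b", "u16": "<H", "s16": "<h",
    "u32": "<I", "s32": "<i", "u64": "<Q", "s64": "<q",
}

FEATURE_RE = re.compile(
    r"^(list|sublist)\[(u8|s8|u16|s16|u32|s32|u64|s64)\]:\s*(.+)$"
)


def parse_feature(text):
    """Parse 'list[s32]: -1, 0, 1, 2' into (kind, elem_type, [values])."""
    m = FEATURE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an array feature: {text!r}")
    kind, elem_type, values = m.groups()
    # int(x, 0) accepts decimal as well as 0x-prefixed hex literals
    return kind, elem_type, [int(v.strip(), 0) for v in values.split(",")]


def serialize(elem_type, values):
    """Pack typed integers little-endian; struct rejects out-of-range values."""
    fmt = FORMATS[elem_type]
    return b"".join(struct.pack(fmt, v) for v in values)


def matches(feature_text, array_bytes):
    """True if the feature matches the raw bytes of an extracted array."""
    kind, elem_type, values = parse_feature(feature_text)
    needle = serialize(elem_type, values)
    if kind == "list":
        return array_bytes == needle
    # sublist: only test offsets aligned to the element size
    size = struct.calcsize(FORMATS[elem_type])
    return any(
        array_bytes[i:i + len(needle)] == needle
        for i in range(0, len(array_bytes) - len(needle) + 1, size)
    )
```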
I like the following the most out of the example formats shown above (I like `list` because it is shorter):
- list[s32]: -1, 0, 1, 2
- list[u8]: 0x41, 0x42, 0x43
- sublist[s32]: -1, 0, 1, 2
- sublist[u8]: 0x41, 0x42, 0x43
Adding support for arrays would be a nice addition for both .NET and future scripting language support (#779).
let's enumerate some concrete examples of rules that we could compose with these features (especially non-u8 arrays). agree that the above look nice so far.
- https://learn.microsoft.com/en-us/dotnet/api/system.runtime.compilerservices.runtimehelpers.initializearray?view=net-7.0
Provides a fast way to initialize an array from data that is stored in a module.
Used to load obfuscated strings stored in a static array.