dotnet: handle dotnet resources

Open williballenthin opened this issue 2 years ago • 3 comments

  • [x] need to learn how to parse them (dnfile)
  • [x] need to learn how to reason about them
  • [ ] need to extract features for them

williballenthin avatar Apr 04 '22 17:04 williballenthin

Resource parsing was recently added to dnfile, so we can check off the first item; see https://github.com/malwarefrank/dnfile/pull/46

mike-hunhoff avatar May 02 '22 19:05 mike-hunhoff

malwarefrank has a good breakdown of .NET resources here.

Here are my thoughts on opportunities to emit features/reasoning from .NET resources:

  1. emit resource names as a new resource feature (extend to other platforms?)
  2. emit a new characteristic('has resource') or similar (extend to other platforms?)
  3. emit characteristic('embedded pe') for both raw resource and applicable resource set types
  4. emit class and namespace features from types defined in resource sets

Thoughts, @mr-tz and @williballenthin?

mike-hunhoff avatar Dec 16 '22 22:12 mike-hunhoff

All of these sound good to me. For 2., we currently have a rule "contain a resource (.rsrc) section" which is noisy. With these improvements we may be able to better filter out standard resources (manifests) and write better rules for resource names/types.

mr-tz avatar Dec 19 '22 10:12 mr-tz
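
A sketch of proposals 1 to 3 from the list above, added here as an illustration and not taken from capa or dnfile. It assumes the resources are already parsed into a name-to-bytes mapping, uses plain tuples instead of capa's feature classes, and scans raw bytes only (resource set entries are not decoded); the sample resources are constructed.

```python
import struct

def looks_like_pe(buf: bytes, start: int = 0) -> bool:
    """True if buf[start:] holds an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if buf[start:start + 2] != b"MZ" or len(buf) < start + 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, start + 0x3C)
    pe_off = start + e_lfanew
    return buf[pe_off:pe_off + 4] == b"PE\x00\x00"

def find_embedded_pe(buf: bytes) -> list:
    """Offsets of every validated MZ/PE header inside a resource's bytes."""
    offsets, pos = [], buf.find(b"MZ")
    while pos != -1:
        if looks_like_pe(buf, pos):  # a bare "MZ" string is not enough
            offsets.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return offsets

def extract_resource_features(resources: dict) -> list:
    """Map {resource name: raw bytes} to (feature type, value) tuples.

    Tuple layout and the 'resource' / 'has resource' names follow the
    proposals in this thread; they are assumptions, not capa's API.
    """
    features = []
    if resources:
        features.append(("characteristic", "has resource"))
    for name, data in resources.items():
        features.append(("resource", name))
        hit = ("characteristic", "embedded pe")
        if find_embedded_pe(data) and hit not in features:
            features.append(hit)
    return features

# Constructed sample data: a minimal MZ/PE header stub, not a real binary.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
PREFIX = b"constructed-padding:"
SAMPLE_RESOURCES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"MZ but no valid header",
    "App.Properties.Resources.resources": PREFIX + PE_STUB,
}

if __name__ == "__main__":
    for feature in extract_resource_features(SAMPLE_RESOURCES):
        print(feature)
```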