dotnet: characteristics
most of the characteristics we emit won't apply to dotnet, so, let's collect ideas for new dotnet characteristics here.
- characteristic: mixed mode
  scope: file
  Mixed assemblies are capable of containing both unmanaged machine instructions and MSIL instructions. This allows them to call and be called by .NET components, while retaining compatibility with native C++ libraries. Using mixed assemblies, developers can author applications using a mixture of .NET and native C++ code.
- characteristic: invalid token
  scope: (instruction, basic block,) call, function, file
  often see this used as an anti-analysis technique aimed to break tooling
  also: "invalid string"
- characteristic: p/invoke
  scope: (instruction, basic block,) call, function, file
  P/Invoke is a technology that allows you to access structs, callbacks, and functions in unmanaged libraries from your managed code.
  maybe make this more generic e.g. unmanaged call
  as there appear to be other ways to invoke unmanaged code from managed that does not require p/invoke
is it worth going through all the [method] flags and turning the relevant ones into characteristics?
Originally posted by @williballenthin in https://github.com/mandiant/capa/pull/958#discussion_r845239977
encountered a protected .NET sample that did not contain a #US stream. This could make for an interesting characteristic used to detect packed/protected/obfuscated .NET but we would need additional research to determine how un/common this is.
something like:
- characteristic: missing user strings
update:
ECMA II.24.2.1: "Each kind of stream shall occur at most once, that is, a meta-data file shall not contain two “#US” streams, or five “#Blob” streams. Streams need not be there if they are empty."
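As an added example (not capa's code and not from the issue author), the following Python shows how three of the characteristics proposed in this thread can be derived from the CLI header and the metadata root: mixed mode from the ILONLY flag in the CLI header, p/invoke from the ImplMap table bit in the tables stream's Valid mask, and missing user strings from the absence of a #US stream header. It assumes the caller has already located the CLI header flags value and the raw metadata root bytes inside the PE (capa uses dnfile for that step); the two metadata blobs it scans are constructed inside the block, not taken from a real sample.

```python
"""Derive candidate dotnet characteristics from a CLI header flags value and a
raw CLI metadata root (ECMA-335 II.24.2.1, II.24.2.6, II.25.3.3).
Added example, not capa's own implementation: the caller is assumed to have
already extracted the CLI header and metadata root from the PE."""
import struct

COMIMAGE_FLAGS_ILONLY = 0x00000001  # II.25.3.3.1: image contains only IL, no native code
IMPLMAP_TABLE = 0x1C                # II.22.22: index of the ImplMap (P/Invoke map) table
METADATA_SIGNATURE = 0x424A5342     # "BSJB"


def parse_metadata_root(data: bytes) -> dict:
    """Parse the metadata root header and its stream headers.
    Returns {"version": str, "streams": {name: (offset, size)}}."""
    sig, _major, _minor, _reserved, length = struct.unpack_from("<IHHII", data, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("not a CLI metadata root")
    version = data[16:16 + length].split(b"\0", 1)[0].decode("ascii")
    off = 16 + length  # Length is already rounded up to a multiple of 4
    _flags, nstreams = struct.unpack_from("<HH", data, off)
    off += 4
    streams = {}
    for _ in range(nstreams):
        soff, ssize = struct.unpack_from("<II", data, off)
        off += 8
        end = data.index(b"\0", off)
        streams[data[off:end].decode("ascii")] = (soff, ssize)
        off = (end + 1 + 3) & ~3  # name plus terminator is padded to a 4-byte boundary
    return {"version": version, "streams": streams}


def is_mixed_mode(cli_flags: int) -> bool:
    """Mixed-mode assemblies clear ILONLY because they also carry native code."""
    return not (cli_flags & COMIMAGE_FLAGS_ILONLY)


def has_pinvoke(data: bytes, root: dict) -> bool:
    """True if the tables stream ('#~', or uncompressed '#-') marks ImplMap as present."""
    for name in ("#~", "#-"):
        if name in root["streams"]:
            off, _size = root["streams"][name]
            (valid,) = struct.unpack_from("<Q", data, off + 8)  # Valid mask follows 8 header bytes
            return bool(valid & (1 << IMPLMAP_TABLE))
    return False


def dotnet_characteristics(cli_flags: int, metadata: bytes) -> set:
    """Return the set of characteristic names found for this image."""
    root = parse_metadata_root(metadata)
    found = set()
    if is_mixed_mode(cli_flags):
        found.add("mixed mode")
    if has_pinvoke(metadata, root):
        found.add("p/invoke")
    if "#US" not in root["streams"]:
        found.add("missing user strings")
    return found


# --- constructed sample input for the example (not from a real binary) -------
def build_tables_stream(valid: int, rows) -> bytes:
    """'#~' header: Reserved u32, Major u8, Minor u8, HeapSizes u8, Reserved u8,
    Valid u64, Sorted u64, then one u32 row count per set Valid bit."""
    return struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0) + b"".join(struct.pack("<I", r) for r in rows)


def build_metadata_root(version: str, streams) -> bytes:
    """Assemble a metadata root from (name, body) pairs; stream offsets are relative to the root."""
    vbytes = version.encode("ascii") + b"\0"
    vbytes += b"\0" * (-len(vbytes) % 4)
    names = [n.encode("ascii") + b"\0" for n, _ in streams]
    names = [nb + b"\0" * (-len(nb) % 4) for nb in names]
    body_off = 16 + len(vbytes) + 4 + sum(8 + len(nb) for nb in names)
    headers, bodies = b"", b""
    for (_, body), nb in zip(streams, names):
        headers += struct.pack("<II", body_off + len(bodies), len(body)) + nb
        bodies += body
    return (struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(vbytes)) + vbytes
            + struct.pack("<HH", 0, len(streams)) + headers + bodies)


BASE_TABLES = (1 << 0x00) | (1 << 0x02) | (1 << 0x06)  # Module, TypeDef, MethodDef
# constructed "protected" layout: no #US stream, ImplMap table present
SAMPLE_PROTECTED = build_metadata_root("v4.0.30319", [
    ("#~", build_tables_stream(BASE_TABLES | (1 << IMPLMAP_TABLE), [1, 2, 3, 1])),
    ("#Strings", b"\0<Module>\0"), ("#GUID", b"\0" * 16), ("#Blob", b"\0"),
])
# constructed ordinary layout: #US present, no ImplMap table
SAMPLE_PLAIN = build_metadata_root("v4.0.30319", [
    ("#~", build_tables_stream(BASE_TABLES, [1, 2, 3])),
    ("#Strings", b"\0<Module>\0"), ("#US", b"\0"), ("#GUID", b"\0" * 16), ("#Blob", b"\0"),
])

if __name__ == "__main__":
    print(sorted(dotnet_characteristics(0x0, SAMPLE_PROTECTED)))
    print(sorted(dotnet_characteristics(COMIMAGE_FLAGS_ILONLY, SAMPLE_PLAIN)))
```

Per the ECMA II.24.2.1 passage quoted above, an empty #US stream may simply be omitted, so "missing user strings" on its own is a weak signal and is better combined with other evidence; the "invalid token" characteristic is not covered here because it requires decoding method bodies rather than reading headers.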