
Indicate .NET, packed or other binaries FLOSS doesn't handle well

Open mr-tz opened this issue 4 years ago • 1 comments

Warn users similar to capa. Arose in issue #346

mr-tz avatar Jan 04 '21 12:01 mr-tz

Could use capa for this.

williballenthin avatar Jun 09 '21 20:06 williballenthin

Hey @williballenthin, could you please link some resources to reference for the implementation of dotnet detection (such as the capa PR that added this)? I think we could extend the language_identifier module to detect dotnet binaries as well.

Maybe we could use the CLR header in the .text section of dotnet PE files (I read about it from here: https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-pe-headers/). Still not sure about how to get the version though.

symbolicvoid avatar Jun 06 '23 08:06 symbolicvoid

Yes, good idea. capa uses dnfile for this: https://github.com/mandiant/capa/blob/master/capa/features/extractors/dotnetfile.py#L184-L185. There was a discussion on recognizing the version, but it was deemed challenging IIRC. Just identifying .NET binaries would be a great start though.

mr-tz avatar Jun 06 '23 09:06 mr-tz
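The CLR header check mentioned above (the data directory slot that the linked article calls the CLR header, index 14, `IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR`), as an added example that is not part of this issue thread or of FLOSS/capa code; it parses the PE headers directly instead of using dnfile, and `build_minimal_pe` is a constructed header-only sample for testing, not a real binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR runtime header


def clr_header_directory(data: bytes):
    """Return (rva, size) of the CLR runtime header, or None for a native PE / non-PE input."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt_off = e_lfanew + 4 + 20                    # skip PE signature and COFF file header
        magic = struct.unpack_from("<H", data, opt_off)[0]
        if magic == 0x10B:                             # PE32: data directories start at +96
            dd_off = opt_off + 96
        elif magic == 0x20B:                           # PE32+: data directories start at +112
            dd_off = opt_off + 112
        else:
            return None
        n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
        if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            return None
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    except struct.error:                               # truncated headers
        return None
    return (rva, size) if rva and size else None


def is_dotnet(data: bytes) -> bool:
    """A managed (.NET) PE always carries a non-empty CLR runtime header directory."""
    return clr_header_directory(data) is not None


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed sample: DOS stub + PE signature + COFF + optional header, no sections."""
    fixed = 112 if pe32plus else 96                    # size of the optional header before the directories
    opt = bytearray(fixed + 16 * 8)                    # 16 data directory entries of 8 bytes each
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, fixed - 4, 16)         # NumberOfRvaAndSizes
    if dotnet:                                         # constructed RVA/size, not from a real file
        struct.pack_into("<II", opt, fixed + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x2022)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A native packer that wraps the assembly leaves this directory empty in the outer file, so the check identifies only unpacked managed PEs; reading the runtime version additionally requires mapping the CLR header RVA through the section table, which is what dnfile does.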