Mike Hunhoff

Results 117 comments of Mike Hunhoff

dotnet: handle dotnet resources

resource parsing was recently added to dnfile so we can check off the first item, see https://github.com/malwarefrank/dnfile/pull/46

C# code to features

Do you imagine we treat option `B` as: 1. regex expression to execute over source code 2. source code from which capa extracts features for matching (essentially option A integrated...

dotnet: consider emitting references to types

track `CIL` instructions: - `newobj`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.newobj?view=net-6.0 - `castclass`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.castclass?view=net-6.0 - `initobj`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.initobj?view=net-6.0 - `newarr`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.newarr?view=net-6.0 - `box`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.box?view=net-6.0 - `constrained`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.constrained?view=net-6.0 - `cpobj`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.cpobj?view=net-6.0 - `isinst`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.isinst?view=net-6.0 - `ldelem`: https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes.ldelem?view=net-6.0...

dotnet: consider emitting references to types

we may be able to emit `namespace` and `class` features for type references, like we do for method calls e.g. ``` ... newobj instance void [System]System.Uri::.ctor(string) ... newobj instance void...

dotnet: consider emitting references to types

the proposal above does not allow us to capture object creation e.g. ``` ... newobj instance void [mscorlib]System.Threading.Mutex::.ctor(bool, string, bool&) ``` we could emit this as a new `type` feature,...

dotnet: consider emitting references to types

another use case for an `instance` feature: ``` ... newobj instance void [mscorlib]System.Reflection.Emit.DynamicMethod::.ctor(string, class [mscorlib]System.Type, class [mscorlib]System.Type[], class [mscorlib]System.Type, bool) ``` ```yaml - namespace: System.Reflection.Emit - class: System.Reflection.Emit.DynamicMethod - instance:...

dotnet: consider emitting references to types

Chatted with @adamstorek offline about the ability to distinguish object instantiation in capa rules. This is especially important when analyzing scripting languages e.g. ```C# ... new System.Threading.Mutex(); ``` which we...

Add Property Feature.

We had two projects (#1080 and #1122) developing this code so to avoid duplicating work we asked @adamstorek to open a PR containing his implementation. This allowed both projects to...

Add Property Feature.

This PR is outdated due to recent changes resulting from #1142 . Required updates were made to #1168 branched from #1122 branched from here so we are closing this PR.

Consider adding heapstring characteristic?

nice catch - I wonder if we should consider rebranding `characteristic: stack string` as something like `characteristic: dynamic string` or `characteristic: obfuscated string`: pros: - cover more cases, like this,...