cylance / getnetguids Goto Github PK

Hi Brian! As promised, with only a year's delay 😊 , a bug report on a sample. GetNETGUIDs reports:

monodis is reporting:

.module Stealer_.exe // GUID = {4E0B13F0-8B06-4380-8BBA-A0B5A9783498}

However, when I use a disassembler such as IlSpy or JustDecompile, they both report:

[assembly: Guid("bfc92ab4-fba6-4186-b6c1-331ba216e7fc")]

In case this is relevant, the file is obfuscated with SmartAssembly. I'm not entirely sure what's wrong here and neither if it's at all related to a bug with GetNETGUIDs.

monodis reports .module smaan.exe // GUID = {61AA2627-BF95-41AB-B214-7A0E7BBE629C}

getnetguids.py reports d947a3c6-2102-4714-b03a-483b2103713f

https://twitter.com/wxs/status/668266345625088000

Wesley Shields @wxs
getnetguids is broken for multiple metadata magic values (embedded binaries). e.g: a6aa53ce8dd5ffd7606ec7e943af41eb (CC: @botnet_hunter)

GetNETGUIDs:
622281ed-4093-47bd-b203-ffc09e73e021 d0c8d5d3-5c16-4fa9-aeb0-c230e06885a7 0a9258eae701157b8b9f4086eeb98e407e8d59c02fb464cc67652c4f1edd9d94

monodis 0a9258eae701157b8b9f4086eeb98e407e8d59c02fb464cc67652c4f1edd9d94.exe | grep GUID
.module Server.exe // GUID = {B60D9367-1A45-4565-96B0-53F2CD92A512}

Hi,

ildasm and getnetguids show different MVIDs, e.g.:
ildasm /text "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETCore\v4.5\Microsoft.CSharp.dll" | find MVID
// MVID: {D998552A-3BF9-4639-B04B-4D163CD4C0BC}

python2 getnetguids.py "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETCore\v4.5\Microsoft.CSharp.dll"
None 2a5598d9-f93b-3946-b04b-4d163cd4c0bc 1142649c3394ac58d363ab2653a41291f670524bb11c858d1c6478d4cbbbee32

I tried it on Windows 7 Enterprise SP1 x64 with ActivePython 2.7.2.
ildasm was C:/Program Files (x86)/Microsoft SDKs/Windows/v8.0A/bin/NETFX 4.0 Tools/ildasm.exe

One of the two tools seems to have a bug ;-) or there is something mixed up. Can you please take a look, what could be going wrong?

Thanks,
Robert