Sample reported to have issue about getnetguids HOT 9 CLOSED

My dotnet branch of YARA is reporting a GUID of 2a36943f-7da0-43e2-923a-34ea03ba898d, just FYI. I suspect my code is correct.

from getnetguids.

I believe your code is correct as well.

from getnetguids.

I believe your assertion on Twitter was correct, this appears to be caused by the .NET resource "Internet", as it has the MVID that is reported (FD48D238-5112-4BB8-BF85-2DEC34557D6F). I'm exploring methods to resolve this.

from getnetguids.

I believe I have a solution to this, but it is still in testing.

In early (pre-Github) versions of GetNETGUIDs, strict PE parsing was used, but due to differences between the specification and actually functional CLR, I reverted to less strict matching.

In this fix, both are utilized, where the strict method is attempted first, then the less strict method is used if the first fails to recover the MVID at the least.

from getnetguids.

I'd love if you could elaborate on differences between the specification and in the wild samples? Even better if you can point me at a hash or two that were giving you problems. I'd love more "weird" cases to test my YARA branch with.

from getnetguids.

In your YARA branch, are you using one of the .NET methods mentioned here? https://www.virusbtn.com/virusbulletin/archive/2015/06/vb201506-NET-GUIDs Those are the best methods I know of, although loading assemblies in .NET can be dangerous.

Weird njRat sample: 664c599ccec5040c3ae4832c2e0458bb11b2eccd0e6a7eeafce0a49ccc07bec1

from getnetguids.

No. It is a YARA module which is a custom parser written in C. It doesn't "load" anything from the binary.

I'll try and take a look at the sample mentioned above tomorrow to make sure I get correct results. I also noticed in #2 that you mention a different sample. I'll take a look at that one too to make sure my code is correct. Thanks for pointing both of them out!

from getnetguids.

No problem. That's awesome that you are doing it in C. Is that code available on Github yet? I would be interested in seeing how you are handling the parsing.

from getnetguids.

Yeah, it's here: https://github.com/wxsbsd/yara/tree/dotnet. The actual code (if you are familiar with YARA modules) is here: https://github.com/wxsBSD/yara/blob/dotnet/libyara/modules/dotnet.c.

from getnetguids.