Comments (9)
My dotnet branch of YARA is reporting a GUID of 2a36943f-7da0-43e2-923a-34ea03ba898d, just FYI. I suspect my code is correct.
I believe your code is correct as well.
I believe your assertion on Twitter was correct, this appears to be caused by the .NET resource "Internet", as it has the MVID that is reported (FD48D238-5112-4BB8-BF85-2DEC34557D6F). I'm exploring methods to resolve this.
I believe I have a solution to this, but it is still in testing.
In early (pre-Github) versions of GetNETGUIDs, strict PE parsing was used, but due to differences between the specification and actually functional CLR, I reverted to less strict matching.
In this fix, both are utilized: the strict method is attempted first, and the less strict method is used if the first fails to recover at least the MVID.
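The two-stage approach described in the comment above (strict CLR-header walk first, "BSJB" scan as a fallback) and the resource confusion from the earlier comment can be reproduced offline. The example below is added here for illustration; it is not getnetguids' code nor the YARA `dotnet` module. It builds a constructed single-section PE32 image in memory whose .NET resource area holds a second, complete metadata root (standing in for an embedded assembly such as the "Internet" resource mentioned above), placed before the real root so that a naive signature scan hits the wrong one. The two GUIDs are the values quoted in this thread, reused as sample data; the image layout, section sizes and the embedded-resource placement are assumptions for the demo, not a claim about the real sample.

```python
import struct
import uuid

BSJB = b"BSJB"


def align(n, a):
    return (n + a - 1) // a * a


def build_metadata_root(mvid):
    """Constructed minimal ECMA-335 metadata root: #~ (Module table only), #Strings, #GUID."""
    version = b"v4.0.30319\x00".ljust(12, b"\x00")
    # #~ header: reserved, major 2, minor 0, HeapSizes 0 (2-byte heap indexes), reserved 1,
    # Valid = bit 0 (Module table only), Sorted = 0, one row count, then the single Module row.
    tables = struct.pack("<IBBBBQQI", 0, 2, 0, 0, 1, 1, 0, 1)
    tables += struct.pack("<HHHHH", 0, 1, 1, 0, 0)  # Generation, Name, Mvid=#GUID[1], EncId, EncBaseId
    streams = [(b"#~", tables), (b"#Strings", b"\x00m.dll\x00"), (b"#GUID", mvid)]
    off = 16 + len(version) + 4 + sum(8 + align(len(n) + 1, 4) for n, _ in streams)
    hdrs, data = b"", b""
    for name, body in streams:
        body = body.ljust(align(len(body), 4), b"\x00")
        hdrs += struct.pack("<II", off, len(body)) + name.ljust(align(len(name) + 1, 4), b"\x00")
        data, off = data + body, off + len(body)
    root = BSJB + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    return root + struct.pack("<HH", 0, len(streams)) + hdrs + data


def parse_mvid(blob, root):
    """Walk the metadata root at `root`: stream headers -> #~ Module row -> #GUID heap entry."""
    if blob[root:root + 4] != BSJB:
        raise ValueError("no metadata signature at offset %#x" % root)
    ver_len = struct.unpack_from("<I", blob, root + 12)[0]
    p = root + 16 + ver_len                      # flags (u16) then stream count (u16)
    n_streams = struct.unpack_from("<H", blob, p + 2)[0]
    p, streams = p + 4, {}
    for _ in range(n_streams):                   # offset, size, NUL-terminated name padded to 4
        off, size = struct.unpack_from("<II", blob, p)
        end = blob.index(b"\x00", p + 8)
        streams[blob[p + 8:end]] = blob[root + off:root + off + size]
        p += 8 + align(end - (p + 8) + 1, 4)
    tbl = streams.get(b"#~") or streams.get(b"#-")
    if tbl is None:
        raise ValueError("no tables stream")
    heap_sizes, valid = tbl[6], struct.unpack_from("<Q", tbl, 8)[0]
    if not valid & 1:
        raise ValueError("no Module table")
    str_w = 4 if heap_sizes & 1 else 2
    guid_fmt = "<I" if heap_sizes & 2 else "<H"
    row = 24 + 4 * bin(valid).count("1")         # row counts: one u32 per set bit in Valid
    idx = struct.unpack_from(guid_fmt, tbl, row + 2 + str_w)[0]   # skip Generation and Name
    guid = streams[b"#GUID"][(idx - 1) * 16:idx * 16]
    if idx == 0 or len(guid) != 16:
        raise ValueError("bad #GUID index")
    return str(uuid.UUID(bytes_le=guid))         # GUID fields are stored little-endian


def clr_metadata_offset(pe):
    """Strict path: DOS -> PE -> optional header data directory 14 -> CLR header -> MetaData RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)
    clr_rva = struct.unpack_from("<I", pe, dirs + 14 * 8)[0]
    if clr_rva == 0:
        raise ValueError("not a CLR image")
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def rva2off(rva):                            # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        for vs, va, rs, rp in sections:
            if va <= rva < va + max(vs, rs):
                return rp + rva - va
        raise ValueError("RVA %#x not in any section" % rva)

    return rva2off(struct.unpack_from("<I", pe, rva2off(clr_rva) + 8)[0])


def build_pe(real_mvid, decoy_mvid=b"", clr_dir=True):
    """Constructed PE32 CLR image (assumed layout). A non-empty decoy_mvid adds a second
    metadata root in the resource area, *before* the real one in file order."""
    real = build_metadata_root(real_mvid)
    decoy = build_metadata_root(decoy_mvid) if decoy_mvid else b""
    sec_rva, sec_raw = 0x2000, 0x200
    res_rva, md_rva = sec_rva + 72, sec_rva + 72 + len(decoy)
    clr = struct.pack("<IHHIIIIII", 72, 2, 5, md_rva, len(real), 1, 0, res_rva, len(decoy))
    body = (clr.ljust(72, b"\x00") + decoy + real)
    body = body.ljust(align(len(body), 0x200), b"\x00")
    dos = (b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 8, 0, len(body), 0, 0, 0, sec_rva, sec_rva)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, sec_rva + len(body), sec_raw, 0, 3, 0x8540,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    if clr_dir:
        struct.pack_into("<II", dirs, 14 * 8, sec_rva, 72)   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + bytes(dirs) + sect).ljust(sec_raw, b"\x00") + body


def strict_mvid(pe):
    return parse_mvid(pe, clr_metadata_offset(pe))


def loose_mvid(pe):
    return parse_mvid(pe, pe.index(BSJB))       # first signature anywhere in the file


def mvid_with_fallback(pe):
    try:
        return strict_mvid(pe)
    except (ValueError, struct.error, IndexError):
        return loose_mvid(pe)


REAL = uuid.UUID("2a36943f-7da0-43e2-923a-34ea03ba898d").bytes_le    # sample values from the thread
DECOY = uuid.UUID("fd48d238-5112-4bb8-bf85-2dec34557d6f").bytes_le
SAMPLE = build_pe(REAL, DECOY)

if __name__ == "__main__":
    print("strict:", strict_mvid(SAMPLE))
    print("loose :", loose_mvid(SAMPLE))
    print("no CLR directory, fallback:", mvid_with_fallback(build_pe(REAL, b"", clr_dir=False)))
```

On the constructed image the strict walk returns the real module's MVID while the signature scan returns the embedded one, which is the class of confusion the earlier comment attributes to the resource. The fallback only runs when the CLR data directory or section mapping is unusable, so a scan result should be treated as lower-confidence and, where it matters, cross-checked against the number of "BSJB" roots in the file.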
I'd love it if you could elaborate on the differences between the specification and in-the-wild samples. Even better if you can point me at a hash or two that were giving you problems. I'd love more "weird" cases to test my YARA branch with.
In your YARA branch, are you using one of the .NET methods mentioned here? https://www.virusbtn.com/virusbulletin/archive/2015/06/vb201506-NET-GUIDs Those are the best methods I know of, although loading assemblies in .NET can be dangerous.
Weird njRat sample: 664c599ccec5040c3ae4832c2e0458bb11b2eccd0e6a7eeafce0a49ccc07bec1
No. It is a YARA module which is a custom parser written in C. It doesn't "load" anything from the binary.
I'll try and take a look at the sample mentioned above tomorrow to make sure I get correct results. I also noticed in #2 that you mention a different sample. I'll take a look at that one too to make sure my code is correct. Thanks for pointing both of them out!
No problem. That's awesome that you are doing it in C. Is that code available on Github yet? I would be interested in seeing how you are handling the parsing.
Yeah, it's here: https://github.com/wxsbsd/yara/tree/dotnet. The actual code (if you are familiar with YARA modules) is here: https://github.com/wxsBSD/yara/blob/dotnet/libyara/modules/dotnet.c.