Hey guys! Just released a tool named ✨ pydotNetCLI ✨ that makes my life easier when extracting resource files from dotNet malware samples. As we know, dotNet resources are stored via the dotNet CLI header, not in the .rsrc section of the PE file. In this initial version I am focusing only on resource extraction, and I hope to add more header information or functions if time allows.
The initial intention of this tool was just to improve my understanding of the dotNet CLI header structure, but it ended up as a resource extractor 🤣.
I will write an explanation of how I parse it in the next blog post!
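The parsing this announcement refers to, as an added example that is not pydotNetCLI's own code: it follows PE data directory 14 (the CLR runtime header) to the IMAGE_COR20_HEADER, reads its Resources RVA and size, and walks that area as a sequence of length-prefixed blobs. The sequential walk and the build_sample_pe helper are assumptions made for a self-contained test input; a full tool would resolve each resource's offset and name from the ManifestResource metadata table.

```python
import struct
COM_DESCRIPTOR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: locates the CLI (COR20) header

def _sections(data, pe_off, nsec, opt_size):
    """Section table follows the optional header; (VirtualAddress, SizeOfRawData, PointerToRawData) sit at +12."""
    sec_off = pe_off + 24 + opt_size
    return [struct.unpack_from("<III", data, sec_off + i * 40 + 12) for i in range(nsec)]

def rva_to_offset(rva, sections):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def extract_managed_resources(data):
    """Return the resource blobs covered by the CLI header's Resources directory."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]
    dirs_off = pe_off + 24 + (0x70 if magic == 0x20B else 0x60)  # PE32+ vs PE32 data directories
    clr_rva = struct.unpack_from("<I", data, dirs_off + COM_DESCRIPTOR_DIR * 8)[0]
    if clr_rva == 0:
        return []  # no CLI header, so this is not a .NET image
    secs = _sections(data, pe_off, nsec, opt_size)
    clr_off = rva_to_offset(clr_rva, secs)
    res_rva, res_size = struct.unpack_from("<II", data, clr_off + 24)  # IMAGE_COR20_HEADER.Resources sits at +24
    if res_rva == 0 or res_size == 0:
        return []
    start = rva_to_offset(res_rva, secs)
    blob, out, pos = data[start:start + res_size], [], 0
    while pos + 4 <= len(blob):  # each entry is a u32 length followed by the raw resource bytes
        length = struct.unpack_from("<I", blob, pos)[0]
        if length == 0 or pos + 4 + length > len(blob):
            break  # padding or a truncated entry: stop rather than read past the area
        out.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return out

def build_sample_pe(resources):
    """Constructed minimal PE32 with a CLI header and back-to-back resources (test input only)."""
    res_blob = b"".join(struct.pack("<I", len(r)) + r for r in resources)
    sec_va, sec_raw = 0x2000, 0x200
    sec_data = struct.pack("<IHHIIIIII", 72, 2, 5, 0, 0, 1, 0, sec_va + 72, len(res_blob)).ljust(72, b"\0") + res_blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"\0" * 112 + struct.pack("<II", sec_va, 72) + b"\0" * 8
    sec_hdr = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(sec_data), sec_va, len(sec_data), sec_raw, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sec_hdr).ljust(sec_raw, b"\0") + sec_data
```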
Normally, disabling certain Windows-related services (e.g. Windows Defender) or certain registry keys or files requires a higher or different level of privilege. For example, SolarWinds escalated its privileges to disable the Windows Defender service by abusing privilege constants such as SeDebugPrivilege. Therefore, in this story, it…