[Misc Series #2] Explanation of pydotNetCLI
As promised in the previous blog, I will share my understanding of the dotNet header and how to parse it.
The dotNet CLI header is found in the .text section of the PE file. We only need to focus on this section to make things work ✌.
Calculate dotNet MetaData Directory Starting Offset
Basically, this is the formula from RVA2OffSet.
- Check whether the VA of .text is larger than or equal to the VA of the dotNet MetaData Directory.
- Check whether the sum of the VA and SizeOfRawAddress of .text is larger than the VA of the dotNet MetaData Directory.
- Calculate the new offset by adding the RawData offset of the .text section to the difference between the dotNet MetaData Directory VA and
Let’s move on to dotNet Directory!
Some short notes 📜 before moving on:
byte (size of 1)
word (size of 2)
dword (size of 4)
qword (size of 8)
It is quite easy to understand, as the structure is straightforward and the offset is exactly the real (file) address.
In the screenshot its information ranges from 0x208 to 0x24F.
dotNet Directory Structure (field, size)
MetaData RVA                   dword
MetaData Size                  dword
Resources RVA                  dword
Resources Size                 dword
StrongNameSignature RVA        dword
StrongNameSignature Size       dword
CodeManagerTable RVA           dword
CodeManagerTable Size          dword
VTableFixups RVA               dword
VTableFixups Size              dword
ExportAddressTableJumps RVA    dword
ExportAddressTableJumps Size   dword
ManagedNativeHeader RVA        dword
ManagedNativeHeader Size       dword
To calculate the starting offset of the MetaData Directory, we need to get the difference between the .text RVA and VA (diff_va_rva in the screenshot above). This value is then subtracted from the MetaData RVA in the dotNet directory to get its real offset.
MetaData/Stream Directory Structure
The length of the MetaData header ranges from the beginning of the Signature until the end of the MetaData Streams.
To get the Tables Count, we need to perform an AND operation of the Mask Valid value with a list of constant values which can be found in
Tables Count indicates how many times each table appears in the file, e.g. Module count = 0x01 means it appears only once; the same goes for the others.
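To make the RVA2OffSet check, the dotNet directory layout and the Tables Count from the Mask Valid value concrete, here is an added Python example that is not code from the original post. It parses a constructed in-memory sample rather than a real assembly; the leading cb, runtime version, Flags and EntryPointToken fields of the directory, the BSJB MetaData header layout and the #~ stream layout are assumed from the published .NET file format, not taken from this post.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name va size_of_raw_data pointer_to_raw_data")

def rva_to_offset(sections, rva):
    # RVA2Offset as in the post: rva must lie in [VA, VA + SizeOfRawData) of a
    # section; the file offset is then PointerToRawData + (rva - VA).
    for s in sections:
        if s.va <= rva < s.va + s.size_of_raw_data:
            return s.pointer_to_raw_data + (rva - s.va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")
# 72-byte dotNet (CLI) directory. The post's table begins at MetaData RVA; the
# leading cb, runtime version, Flags and EntryPointToken fields are assumed.
COR20_FIELDS = ("cb", "MajorRuntimeVersion", "MinorRuntimeVersion", "MetaData_RVA", "MetaData_Size", "Flags",
    "EntryPointToken", "Resources_RVA", "Resources_Size", "StrongNameSignature_RVA", "StrongNameSignature_Size",
    "CodeManagerTable_RVA", "CodeManagerTable_Size", "VTableFixups_RVA", "VTableFixups_Size",
    "ExportAddressTableJumps_RVA", "ExportAddressTableJumps_Size", "ManagedNativeHeader_RVA", "ManagedNativeHeader_Size")
COR20_FMT = "<IHH" + "I" * 16
def parse_cor20(data, offset):
    return dict(zip(COR20_FIELDS, struct.unpack_from(COR20_FMT, data, offset)))
def tables_count(data, md):
    # MetaData header: 'BSJB', versions, Reserved, Length, version string, Flags,
    # Streams, then one (Offset, Size, name padded to 4 bytes) header per stream.
    if data[md:md + 4] != b"BSJB":
        raise ValueError("no BSJB signature at the MetaData offset")
    pos = md + 16 + struct.unpack_from("<I", data, md + 12)[0]
    n_streams = struct.unpack_from("<H", data, pos + 2)[0]
    pos += 4
    for _ in range(n_streams):
        s_off = struct.unpack_from("<I", data, pos)[0]
        end = data.index(b"\0", pos + 8)
        name, pos = data[pos + 8:end], md + ((end + 1 - md + 3) & ~3)
        if name == b"#~":  # Valid mask: qword at +8 in #~, one set bit per table present
            return bin(struct.unpack_from("<Q", data, md + s_off + 8)[0]).count("1")
    raise ValueError("no #~ stream found")
def build_sample():
    # Constructed sample, not a real assembly: .text at RVA 0x2000 backed by file
    # offset 0x200, CLI header at RVA 0x2008 (file 0x208), MetaData at RVA 0x2050.
    md = b"BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\0\0"
    md += struct.pack("<HH", 0, 1) + struct.pack("<II", 44, 24) + b"#~\0\0"
    md += struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, 0x45, 0)  # Valid: Module, TypeDef, MethodDef
    cor20 = struct.pack(COR20_FMT, 72, 2, 5, 0x2050, len(md), 1, 0x06000001, *[0] * 12)
    data = bytearray(0x300)
    data[0x208:0x208 + 72], data[0x250:0x250 + len(md)] = cor20, md
    return bytes(data), [Section(".text", 0x2000, 0x100, 0x200)], 0x2008
def locate(data, sections, cli_rva):  # cli_rva: data directory 14 (COM descriptor) in a real PE
    hdr = parse_cor20(data, rva_to_offset(sections, cli_rva))
    md_off = rva_to_offset(sections, hdr["MetaData_RVA"])
    return hdr, md_off, tables_count(data, md_off)
```

On the constructed sample, locate() maps the CLI header to file offset 0x208 and the MetaData root to 0x250, and reports 3 tables from the Valid mask.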
Example of Standard Resources file in Resources section
The way to calculate its starting offset is similar to the MetaData Directory: just deduct the Resource RVA to
For parsing the resource file in a more detailed manner, the following link provides a write-up: https://ntcore.com/files/manifestres.htm
This can be found in
Standard Resources File Structure
Extraction of multiple files in a single resource section is not supported for now. e.g.
However, sometimes we encountered resource files that are just random blobs which do not comply with the structure of a dotNet resource, for example a PE file.
Please correct me if there is any misinformation.
Hopefully it helps any dotNet malware researcher 😁!