[Misc Series #2] Explanation of pydotNetCLI

As promised in the previous blog, I will share my understanding on the dotNet header and how to parse it.

dotNet CLI header is found in .text section of the PE file. We only need to focused on this section to make things work ✌.

Thanks for the help of CFF Explorer and dnSpyto make this happen 🙌.

Calculate dotNet MetaData Directory Starting Offset

Basically this is the formula from RVA2OffSet.

  1. Check is VA of .text is larger or equal to VA of dotNet MetaData Directory
  2. Check is sum of VA and SizeOfRawAddress of .text is larger than VA of dotNet MetaData Directory.
  3. Calculate new offset by adding RawData offset of .text section to difference between dotNet MetaData Directory VA and .text VA

Let’s move on to dotNet Directory!

Some short notes 📜 before moving on:

byte  (size of 1)
word (size of 2)
dword (size of 4)
qword (size of 8)

dotNet Directory

It is quite easy to understand it as the structure is quite straight forward and the offset is exactly the real address.
Its information is ranged between 0x208 to 0x24F.

dotNet Directory Structure

dotNet directory structure (Black highlighted box)
cb                                      dword
MajorRuntimeVersion word
MinorRuntimeVersion word
MetaData RVA dword
MetaData Size dword
Flags dword
EntryPointToken dword
Resources RVA dword
Resources Size dword
StrongNameSignature RVA dword
StringNameSignature Size dword
CodeManagerTable RVA dword
CodeManagerTable Size dword
VTableFixups RVA dword
VTableFixups Size dword
ExportAddressTableJumps RVA dword
ExportAddressTableJumps Size dword
ManagedNativeHeader RVA dword
ManagedNativeHeader Size dword

MetaData/Stream Directory

To calculate the starting offset of MetaData Directory, we need to get the difference between .text RVA and VA (diff_va_rva in the screenshot above). This value will then used to deduct the MetaData RVA in the dotNet directory to get the its real offset.

Rewrite the function in Python

MetaData/Stream Directory Structure

MetaData Header/Streams

The length of MetaData Header ranged from the beginning of the Signature until end of MetaData Streams .

To get the Tables Count, we need to perform AND operation of the Mask Valid value with list of constant value which can be found in dict_mask_tablein set_MaskValid().

Tables Count indicates number of the table appear in the file. e.g. Module count = 0x01 means it only appears for one time, same goes for other.

Example of Standard Resources file in Resources section

The way to calculate its starting offset is similar to MetaData Directory just deduct the Resource RVA to diff_va_rva.

For parsing the resource file in more detailed manner, the following link https://ntcore.com/files/manifestres.htm provided a write-up for that.
This can be found in set_ptr_resource_data_offset() .

Standard Resources File Structure

Standard structure of resource data

Extraction of multiple files in single resource section is not support now. e.g.

Resource contains multiple files, 11 files
Number of Resources, 0xB == 11

However, sometime we did encountered some resource file which is just some random blob that did not comply with the structure of the dotNet resource. For example, a PE file.

Random data in resource section

Please correct me if there is any misinformation.

Hopefully it helps any dotNet malware researcher 😁!

Sample MD5:

98fd49a293efbf30152257f76b843672

References:

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

3 Important Questions To Ask A PhoneGap App Development Company

Translation and Types

Configuring Jira for your needs

Cloud Server Management Miniconf updates, Open house on applications of OR & DS in e-commerce…

Importing spatial data to PostGIS

The secret of deploying GPT-3 app

Using Greenplum to access Minio

Cherubs DAO — Project Update — Jan 2022

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

Validating Syntax for Bash Scripts with ShellCheck

Splunk: Sort Command

Connecting VM and Host Machine to two different Networks !

Emulate USB Mass Storage Device in Ubuntu 18.04 — Dummy’s Guide