Instagram Linkedin Twitter Youtube
Search
  • Home
  • Pentesting Tools
  • Vulnerability Analysis
  • Information Gathering
  • Web Application Security
  • Forensics
  • Malware
  • OSINT
Instagram Linkedin Twitter Youtube
Kali Linux Tutorials Kali Linux Tutorials
Advertisement
Kali Linux Tutorials Kali Linux Tutorials
Home Cyber security DotNet-MetaData : A Deep Dive Into .NET Malware Analysis
  • Cyber security

DotNet-MetaData : A Deep Dive Into .NET Malware Analysis

By
Varshini
-
March 27, 2024
DotNet-MetaData : A Deep Dive Into .NET Malware Analysis

“DotNet-MetaData: A Deep Dive into .NET Malware Analysis” unveils the advanced techniques for analyzing and classifying .NET-based malware.

With a focus on practical tools like Yara rules and Python scripts, this guide provides cybersecurity professionals with the means to extract crucial metadata from .NET binaries, enhancing their malware hunting and classification capabilities.

Explore how to leverage these tools for detailed insights into the inner workings of malware samples.

DotNetMetadata.yar

Yara rule to display binary information to the console. Example use:

yara64.exe DotNetMetadata.yar c:\fakepath\all_samples

The Yara rule requires at least Yara 4.2.0, that said, it’s always recommended to get the latest release.

DotNetMetadata.py

Python script to extract the GUID, MVID, TYPELIB, and Assembly Name of .NET binaries. Example use:

python DotNetMetadata.py c:\fakepath\all_samples -c samples_output.csv

The Python script requires pythonnet to be installed (pip install pythonnet) and expects dnlib.dll to be in the same directory.

Get and compile dnlib from or download dnSpy-netframework.zip from. The script should work correctly from dnlib version 3.3.2.0 up to and including 4.4.0.0.

Sample Rules

This folder contains sample rules described in the blog post. Do tweak and update according to your needs.

Example Output

Example output for a single file “Mpyiuepnw”, a version of PureLogStealer with SHA256 hash: c201449a0845d659c32cc48f998b8cc95c20153bb1974e3a1ba80c53a90f1b27

Using The Yara Rule:

$ yara64.exe DotNetMetadata.yar c:\fakepath\Mpyiuepnw.vir
Original Filename: Mpyiuepnw.exe
Internal Name: Mpyiuepnw.exe
Imphash (use with caution): f34d5f2d4577ed6d9ceec516c1f5a744
Compile timestamp (epoch): 1710224522
Module name: Mpyiuepnw.exe
Assembly name: Mpyiuepnw
Typelib: 856e9a70-148f-4705-9549-d69a57e669b0
# of GUIDs: 1
dotnet.guid: 0
 -> guid (MVID) = 9066ee39-87f9-4468-9d70-b57c25f29a67
# of streams: 5
# of resources is: 9
dotnet.resource: 0
 -> name = Rdfeunq.Properties.Resources.resources
 -> offset = 715528
 -> length = 2818774
dotnet.resource: 1
 -> name = Mpyiuepnw.Attributes.WrapperManager.resources
 -> offset = 3534306
 -> length = 180
dotnet.resource: 2
 -> name = Mpyiuepnw.Collections.ImporterHelperCollection.resources
 -> offset = 3534490
 -> length = 180
dotnet.resource: 3
 -> name = Mpyiuepnw.Roles.ConfigOrderRole.resources
 -> offset = 3534674
 -> length = 2932
dotnet.resource: 4
 -> name = Mpyiuepnw.Roles.CodeManager.resources
 -> offset = 3537610
 -> length = 2933
dotnet.resource: 5
 -> name = NAudio.Pages.TemplateAuthenticationPage.resources
 -> offset = 3540547
 -> length = 180
dotnet.resource: 6
 -> name = Mpyiuepnw.Roles.SchemaManager.resources
 -> offset = 3540731
 -> length = 2936
dotnet.resource: 7
 -> name = Mpyiuepnw.Polices.SingletonSingleton.resources
 -> offset = 3543671
 -> length = 180
dotnet.resource: 8
 -> name = NAudio.Common.PrototypeSingleton.resources
 -> offset = 3543855
 -> length = 180
# of module references: 7
# of strings: 710

Using The Python Script:

Single File

$ python DotNetMetadata.py c:\fakepath\Mpyiuepnw.vir
File: c:\fakepath\Mpyiuepnw.vir
  Assembly Name: Mpyiuepnw
  MVID: 9066ee39-87f9-4468-9d70-b57c25f29a67
  GUID: 856e9a70-148f-4705-9549-d69a57e669b0

For more information click here.

Related

  • TAGS
  • cybersecurity
  • DotNet-MetaData
  • informationsecurity
  • kalilinux
  • kalilinuxtools
Facebook
Twitter
Pinterest
WhatsApp
    Previous articleBlueSpy – PoC To Record Audio From A Bluetooth Device
    Next articleAll About Bug Bounty – A Detailed Resource On Vulnerabilities, Bypass Techniques, And Security Research
    Varshini
    Varshini
    http://kalilinuxtutorials.com
    Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
    Linkedin

    RELATED ARTICLESMORE FROM AUTHOR

    log analysis fundamentals
    Cyber security

    Log Analysis Fundamentals

    what is siem?
    Cyber security

    What is SIEM? Complete Guide to Security Information and Event Management

    How Does a Firewall Work Step by Step? What Is a Firewall and How Does It Function?
    Cyber security

    How Does a Firewall Work Step by Step

    MCP

    Understanding the Model Context Protocol (MCP) and How It Works

    0xSnow - October 1, 2025 0
    Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open standard that enables AI applications, such as large language models,...
    file command

     The file Command – Quickly Identify File Contents in Linux

    0xSnow - October 1, 2025 0
    While file extensions in Linux are optional and often misleading, the file command helps decode what a file truly is. This powerful utility analyzes the actual...
    touch command

    How to Use the touch Command in Linux

    0xSnow - October 1, 2025 0
    The touch command is one of the quickest ways to create new empty files or update timestamps for existing files in Linux. It’s widely used by...
    find command

    How to Search Files and Folders in Linux Using the find Command

    0xSnow - October 1, 2025 0
    Handling large numbers of files is routine for Linux users, and that’s where the find command shines. It’s a dynamic tool that helps you search for...
    mv command

    How to Move and Rename Files in Linux with the mv Command

    0xSnow - October 1, 2025 0
    Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy to relocate or rename items without hassle. Whether organizing...
    KALI LINUX TUTORIALS
    Contact us: admin@kalilinuxtutorials.com
    Instagram Linkedin Twitter Youtube

    EVEN MORE NEWS

    MCP

    Understanding the Model Context Protocol (MCP) and How It Works

    October 1, 2025
    file command

     The file Command – Quickly Identify File Contents in Linux

    October 1, 2025
    touch command

    How to Use the touch Command in Linux

    October 1, 2025

    POPULAR CATEGORY

    • Kali Linux2943
    • Cyber security912
    • Hacking Tools300
    • Pentesting Tools197
    • Exploitation Tools144
    • TECH135
    • Vulnerability Analysis116
    • Privacy Policy
    • About
    • Contact US
    © Kalilinuxtutorials.com 2025
    MORE STORIES

    Social Media OSINT Tools – A Comprehensive Guide

    May 16, 2024

    CatSniffer – The Ultimate Multiprotocol IoT Attack Tool in USB Form

    September 8, 2023

    CVE-2024-55591 : Fortinet FortiOS Authentication Bypass Vulnerability

    January 31, 2025