Cyber security

DotNet-MetaData : A Deep Dive Into .NET Malware Analysis

“DotNet-MetaData: A Deep Dive into .NET Malware Analysis” unveils the advanced techniques for analyzing and classifying .NET-based malware.

With a focus on practical tools like Yara rules and Python scripts, this guide provides cybersecurity professionals with the means to extract crucial metadata from .NET binaries, enhancing their malware hunting and classification capabilities.

Explore how to leverage these tools for detailed insights into the inner workings of malware samples.

DotNetMetadata.yar

Yara rule to display binary information to the console. Example use:

yara64.exe DotNetMetadata.yar c:\fakepath\all_samples

The Yara rule requires at least Yara 4.2.0, that said, it’s always recommended to get the latest release.

DotNetMetadata.py

Python script to extract the GUID, MVID, TYPELIB, and Assembly Name of .NET binaries. Example use:

python DotNetMetadata.py c:\fakepath\all_samples -c samples_output.csv

The Python script requires pythonnet to be installed (pip install pythonnet) and expects dnlib.dll to be in the same directory.

Get and compile dnlib from or download dnSpy-netframework.zip from. The script should work correctly from dnlib version 3.3.2.0 up to and including 4.4.0.0.

Sample Rules

This folder contains sample rules described in the blog post. Do tweak and update according to your needs.

Example Output

Example output for a single file “Mpyiuepnw”, a version of PureLogStealer with SHA256 hash: c201449a0845d659c32cc48f998b8cc95c20153bb1974e3a1ba80c53a90f1b27

Using The Yara Rule:

$ yara64.exe DotNetMetadata.yar c:\fakepath\Mpyiuepnw.vir
Original Filename: Mpyiuepnw.exe
Internal Name: Mpyiuepnw.exe
Imphash (use with caution): f34d5f2d4577ed6d9ceec516c1f5a744
Compile timestamp (epoch): 1710224522
Module name: Mpyiuepnw.exe
Assembly name: Mpyiuepnw
Typelib: 856e9a70-148f-4705-9549-d69a57e669b0
# of GUIDs: 1
dotnet.guid: 0
 -> guid (MVID) = 9066ee39-87f9-4468-9d70-b57c25f29a67
# of streams: 5
# of resources is: 9
dotnet.resource: 0
 -> name = Rdfeunq.Properties.Resources.resources
 -> offset = 715528
 -> length = 2818774
dotnet.resource: 1
 -> name = Mpyiuepnw.Attributes.WrapperManager.resources
 -> offset = 3534306
 -> length = 180
dotnet.resource: 2
 -> name = Mpyiuepnw.Collections.ImporterHelperCollection.resources
 -> offset = 3534490
 -> length = 180
dotnet.resource: 3
 -> name = Mpyiuepnw.Roles.ConfigOrderRole.resources
 -> offset = 3534674
 -> length = 2932
dotnet.resource: 4
 -> name = Mpyiuepnw.Roles.CodeManager.resources
 -> offset = 3537610
 -> length = 2933
dotnet.resource: 5
 -> name = NAudio.Pages.TemplateAuthenticationPage.resources
 -> offset = 3540547
 -> length = 180
dotnet.resource: 6
 -> name = Mpyiuepnw.Roles.SchemaManager.resources
 -> offset = 3540731
 -> length = 2936
dotnet.resource: 7
 -> name = Mpyiuepnw.Polices.SingletonSingleton.resources
 -> offset = 3543671
 -> length = 180
dotnet.resource: 8
 -> name = NAudio.Common.PrototypeSingleton.resources
 -> offset = 3543855
 -> length = 180
# of module references: 7
# of strings: 710

Using The Python Script:

Single File

$ python DotNetMetadata.py c:\fakepath\Mpyiuepnw.vir
File: c:\fakepath\Mpyiuepnw.vir
  Assembly Name: Mpyiuepnw
  MVID: 9066ee39-87f9-4468-9d70-b57c25f29a67
  GUID: 856e9a70-148f-4705-9549-d69a57e669b0

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

56 minutes ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

3 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

5 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

5 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

5 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

1 day ago