Skip to content
/ BadDotnetPe Public

Build a dotnet pe to trigger this issue: [VirusTotal#1708]

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dangodangodango/BadDotnetPe

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
image
image
 
 
HelloWorld_modified.dll
HelloWorld_modified.dll
 
 
HelloWorld_origin.dll
HelloWorld_origin.dll
 
 
dotnet.yar
dotnet.yar
 
 
readme.md
readme.md
 
 

Repository files navigation

Build a dotnet pe to trigger this issue VirusTotal#1708

Build a normal dotnet pe

HelloWorld_origin.dll

The size of pe should preferably be a multiple of pagesize, because we can only cause a maximum of 16 bytes out of bounds read.

Edit Pe file

  1. Write a metadata header at the end of file:

    image-20220521014408705

    The last 4 bytes is the Length, Length must <= 16 to trigger the issue, and of course it must also be a legal value:

    // yara/libyara/modules/dotnet:1652
if (md_len == 0 || md_len > 255 || md_len % 4 != 0 ||
    !fits_in_pe(pe, pe->data + offset, md_len))
{
  return false;
}

  2. Edit the last section header, make Virtual Size be the same as Raw Size, otherwise the metadata header at the end of file will not be considered as part of pe.

    image-20220521014520923

  3. Edit the MetaDataRVA to the RVA metadata header we write at the end of file

    image-20220521014707043

Scan the modified PE file

import "dotnet"

rule dotnet_version_rule
{
    condition:
        dotnet.version == "v4.0.30319"
}

image-20220521014831665

About

Build a dotnet pe to trigger this issue: [VirusTotal#1708]

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages