

Merge execute-dotnet-assembly-via-clr-host.yml with load-windows-comm…
…on-language-runtime.yml and promote load-windows-common-language-runtime.yml (#797)
jtothej authored Oct 9, 2023
1 parent 2618048 commit 23cfa23
Showing 3 changed files with 46 additions and 43 deletions.
28 changes: 0 additions & 28 deletions load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml

This file was deleted.

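--- /dev/null
+++ b/load-code/dotnet/load-windows-common-language-runtime.yml
@@ -0,0 +1,46 @@
+# generated using capa explorer for IDA Pro
+rule:
+meta:
+name: load Windows Common Language Runtime
+namespace: load-code/dotnet
+authors:
+- michael.hunhoff@mandiant.com
+- blas.kojusner@mandiant.com
+- jakub.jozwiak@mandiant.com
+scope: function
+references:
+- https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
+- https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c
+examples:
+- 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030
+features:
+- or:
+- and:
+- description: .NET Framework versions 2.0, 3.0, 3.5
+- or:
+- api: mscoree.CorBindToRuntime
+- api: mscoree.CorBindToRuntimeEx
+- api: mscoree.CorBindToRuntimeHost
+- api: mscoree.CorBindToRuntimeByCfg
+- api: mscoree.CorBindToCurrentRuntime
+- api: ole32.CoCreateInstance
+- and:
+- or:
+- string: "CorBindToRuntime"
+- string: "CorBindToRuntimeEx"
+- string: "CorBindToRuntimeHost"
+- string: "CorBindToRuntimeByCfg"
+- string: "CorBindToCurrentRuntime"
+- string: "CoCreateInstance"
+- match: link function at runtime on Windows
+- bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost
+- bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost
+- and:
+- description: .NET Framework version 4.x
+- or:
+- api: mscoree.CLRCreateInstance
+- and:
+- string: "CLRCreateInstance"
+- match: link function at runtime on Windows
+- bytes: 8D 18 80 92 8E 0E 67 48 B3 0C 7F A8 38 84 E8 DE = CLSID_CLRMetaHost
+- bytes: 9E DB 32 D3 B3 B9 25 41 82 07 A1 48 84 F5 32 16 = IID_ICLRMetaHost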
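Review bot: The rule has two independent `or:` branches under `features:` (the CorBindToRuntime* path described as .NET 2.0–3.5 and the CLRCreateInstance path described as 4.x) but only one `examples:` entry, so whichever branch `6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030` does not exercise has no regression coverage. A second example for the other branch, e.g. `- <MD5_OF_SAMPLE>:<FUNCTION_VA>` (placeholder; the merged rule's own example, if it had one, would be the natural candidate), would let the rule tests exercise both paths. Because `ole32.CoCreateInstance` is not .NET-specific, a short `description:` on the 2.0–3.5 `or:` noting that precision comes from the ANDed `CLSID_CorRuntimeHost` / `IID_ICorRuntimeHost` bytes would help future readers; the little-endian GUID byte orders appear to agree with the published CLSID/IID values. Since the commit also deletes `execute-dotnet-assembly-via-clr-host.yml`, it is worth confirming that no remaining rule still references that rule by `match:`, which is not visible from this page.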
15 changes: 0 additions & 15 deletions nursery/load-windows-common-language-runtime.yml

This file was deleted.
