-
Notifications
You must be signed in to change notification settings - Fork 159
/
load-windows-common-language-runtime.yml
48 lines (48 loc) · 1.83 KB
/
load-windows-common-language-runtime.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# generated using capa explorer for IDA Pro
rule:
meta:
name: load Windows Common Language Runtime
namespace: load-code/dotnet
authors:
- michael.hunhoff@mandiant.com
- blas.kojusner@mandiant.com
- jakub.jozwiak@mandiant.com
scopes:
static: function
dynamic: unsupported
references:
- https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
- https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c
examples:
- 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030
features:
- or:
- and:
- description: .NET Framework versions 2.0, 3.0, 3.5
- or:
- api: mscoree.CorBindToRuntime
- api: mscoree.CorBindToRuntimeEx
- api: mscoree.CorBindToRuntimeHost
- api: mscoree.CorBindToRuntimeByCfg
- api: mscoree.CorBindToCurrentRuntime
- api: ole32.CoCreateInstance
- and:
- or:
- string: "CorBindToRuntime"
- string: "CorBindToRuntimeEx"
- string: "CorBindToRuntimeHost"
- string: "CorBindToRuntimeByCfg"
- string: "CorBindToCurrentRuntime"
- string: "CoCreateInstance"
- match: link function at runtime on Windows
- bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost
- bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost
- and:
- description: .NET Framework version 4.x
- or:
- api: mscoree.CLRCreateInstance
- and:
- string: "CLRCreateInstance"
- match: link function at runtime on Windows
- bytes: 8D 18 80 92 8E 0E 67 48 B3 0C 7F A8 38 84 E8 DE = CLSID_CLRMetaHost
- bytes: 9E DB 32 D3 B3 B9 25 41 82 07 A1 48 84 F5 32 16 = IID_ICLRMetaHost