pan-unit42 / dotnetfile Goto Github PK

Rather than a path string, the DotNetPE class should allow pathlib path objects in addition to the path string.

PR coming right up.

This first screenshot is parsing a dotnet resource from a malicious file using YARA to find the offset and size and then dump that location.

The last cell shows the start of the ICO icon and then the PNG image data.

And here is a screenshot of dotnetfile parsing the same file.

There appears to still be some dotnet-looking header data between the start of the "data" and the ICO icon.

Is this header structure able to be parsed? The sample in question in both screenshots is:
40cd96e25835eeba956645398ed73a0f0e14563375530fa5f2db3bcf44dd88d7

Here's code for 'dotnetfile.py' to return the assembly name along with the version. Use as is or modify as need but please just add something like this. Thanks.

# Table 35
@metatable
class AssemblyRef:

    ....

    def get_assemblyref_names_with_versions(self, deduplicate: bool = False) -> Dict:
        """
        Get a list of referenced assembly names and their versions
        """
        result = {}

        for table_row in self.dotnetpe.metadata_tables_lookup['AssemblyRef'].table_rows:
            string_address = table_row.string_stream_references['Name']
            if string_address:
                assembly_name = self.dotnetpe.get_string(string_address)
                if deduplicate:
                    if assembly_name in result:
                        continue
                vs = Struct.AssemblyInfo(table_row.MajorVersion.value, table_row.MinorVersion.value, table_row.BuildNumber.value, table_row.RevisionNumber.value)
                result[assembly_name] = f'{vs.MajorVersion}.{vs.MinorVersion}.{vs.BuildNumber}.{vs.RevisionNumber}'

        return result

Hi,

I noticed the installation method here involves directly invoking setup.py which is a pretty antiquated way of managing Python libraries for users.

1. Is there any intent to upload this to PyPI for an easier pip install? (You should at least claim the name to prevent any supply chain attacks from someone who thinks python3 -m pip install dotnetfile is valid).

2. Pip supports Git URLs so a user can python3 -m pip install git+https://github.com/pan-unit42/dotnetfile. If the library isn't going to be distributed through PyPI, then this is an easier method to allow users to update and might save some users confusion when it comes to managing their dependencies across multiple Python versions.

The example for get_user_stream_strings() (https://pan-unit42.github.io/dotnetfile/api_documentation/general/#get-us-stream-strings) seems to have a typo in the example in line 8 "get_us_stream_strings()" ("us" instead of "user"):

us_stream_strings = dotnet_file.get_us_stream_strings()

Leading to the error:

AttributeError: 'DotNetPE' object has no attribute 'get_us_stream_strings'

It's correct slightly above at the definition.