[Forensics-changes] [yara] 10/192: Add dotnet docs. (#497)
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:31:41 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.6.0
in repository yara.
commit a905b93f5f4884f88c6ac7151e0ba1b2e8efe47b
Author: Wesley Shields <wxs at atarininja.org>
Date: Wed Aug 17 17:16:18 2016 -0400
Add dotnet docs. (#497)
---
docs/modules.rst | 1 +
docs/modules/dotnet.rst | 143 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 144 insertions(+)
diff --git a/docs/modules.rst b/docs/modules.rst
index 9259db8..4113c89 100644
--- a/docs/modules.rst
+++ b/docs/modules.rst
@@ -18,6 +18,7 @@ the :ref:`writing-modules` section.
Magic <modules/magic>
Hash <modules/hash>
Math <modules/math>
+ Dotnet <modules/dotnet>
diff --git a/docs/modules/dotnet.rst b/docs/modules/dotnet.rst
new file mode 100644
index 0000000..d66b858
--- /dev/null
+++ b/docs/modules/dotnet.rst
@@ -0,0 +1,143 @@
+
+.. _dotnet-module:
+
+#########
+dotnet module
+#########
+
+The dotnet module allows you to create more fine-grained rules for .NET files by
+using attributes and features of the .NET file format. Let's see some examples::
+
+ import "dotnet"
+
+ rule not_exactly_five_streams
+ {
+ condition:
+ dotnet.number_of_streams != 5
+ }
+
+ rule blop_stream
+ {
+ condition:
+ for any i in (0..dotnet.number_of_streams - 1):
+ (dotnet.streams[i].name == "#Blop")
+ }
+
+Reference
+---------
+
+.. c:type:: version
+
+ .. versionchanged:: 3.6.0
+
+ The version string contained in the metadata root.
+
+ *Example: dotnet.version == "v2.0.50727"*
+
+.. c:type:: module_name
+
+ The name of the module.
+
+ *Example: dotnet.module_name == "axs"*
+
+.. c:type:: number_of_streams
+
+ The number of streams in the file.
+
+.. c:type:: streams
+
+ An zero-based array of steram objects, one for each stream contained in the
+ file. Individual streams can be accessed by using the [] operator. Each
+ stream object has the following attributes:
+
+ .. c:member:: name
+
+ Stream name.
+
+ .. c:member:: offset
+
+ Stream offset.
+
+ .. c:member:: size
+
+ Stream size.
+
+ *Example: pe.streams[0].name == "#~"*
+
+.. c:type:: number_of_guids
+
+ The number of GUIDs in the guids array.
+
+.. c:type:: guids
+
+ An zero-based array of strings, one for each GUID. Individual guids can be
+ accessed by using the [] operator.
+
+ *Example: pe.guids[0].name == "99c08ffd-f378-a891-10ab-c02fe11be6ef"*
+
+.. c:type:: number_of_resources
+
+ The number of resources in the .NET file. These are different from normal PE
+ resources.
+
+.. c:type:: resources
+
+ An zero-based array of resource objects, one for each resource the PE has.
+ Individual resources can be accessed by using the [] operator. Each
+ resource object has the following attributes:
+
+ .. c:member:: offset
+
+ Offset for the resource data.
+
+ .. c:member:: length
+
+ Length of the resource data.
+
+ .. c:member:: name
+
+ Name of the resource (string).
+
+ *Example: uint16be(dotnet.resources[0].offset) == 0x4d5a*
+
+.. c:type:: assembly
+
+ Object for .NET assembly information.
+
+ .. c:member:: version
+
+ An object with integer values representing version information for this
+ assembly. Attributes are:
+
+ ``major``
+ ``minor``
+ ``build_number``
+ ``revision_number``
+
+ .. c:member:: name
+
+ String containing the assembly name.
+
+ .. c:member:: culture
+
+ String containing the culture (language/country/region) for this
+ assembly.
+
+ *Example: dotnet.assembly.name == "Keylogger"*
+
+ *Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0*
+
+.. c:type:: number_of_modulerefs
+
+ The number of module references in the .NET file.
+
+.. c:type:: resources
+
+ An zero-based array of strings, one for each module reference the PE has.
+ Individual module references can be accessed by using the [] operator.
+
+ *Example: dotnet.modulerefs[0] == "kernel32"*
+
+.. c:type:: typelib
+
+ The typelib of the file.
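Review bot: the new `docs/modules/dotnet.rst` has a few copy errors that will mislead rule authors and one that will trip the Sphinx build. The title overline and underline `#########` are shorter than the title text `dotnet module`, so docutils will emit "Title overline too short"; extend both to at least the title's width. Two of the examples refer to the wrong module and, in one case, a non-existent attribute: `*Example: pe.streams[0].name == "#~"*` should use `dotnet.streams[0].name`, and `*Example: pe.guids[0].name == "99c08ffd-f378-a891-10ab-c02fe11be6ef"*` should compare `dotnet.guids[0]` directly, since `guids` is documented as an array of strings with no `name` member. The second `.. c:type:: resources` directive, the one that describes module references and whose example is `dotnet.modulerefs[0] == "kernel32"`, should be `.. c:type:: modulerefs`; as written, `resources` is defined twice and `modulerefs` is never documented. The `assembly.version` attribute list (``major``, ``minor``, ``build_number``, ``revision_number``) has no blank lines or bullet markers between its entries, so it renders as a single run-on paragraph; format it as a bullet list. Finally, "An zero-based array of steram objects" and the other "An zero-based" occurrences should read "A zero-based array of stream objects", and "The typelib of the file." would benefit from a sentence saying which metadata field it is read from and an example, as the other entries have.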
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git