Open bartblaze opened 8 months ago
Describe the bug Using Yara to extract some .NET information from a binary, in this example, eb0746edea71e38e7b09c10994371999634fa09ec7662a5ba14105ad86f4ad19, it reports the following:
```
Typelib: 1EA4DBF0-3C3B-11CF-810C-00AA00389B71
# of GUIDs: 1
dotnet.guid: 0 -> guid = cd277104-27a2-4dea-8628-a9cc7d91df1b
```
However, using ILdasm or a custom tool (using the dnlib library), we get:
```
MVID: cd277104-27a2-4dea-8628-a9cc7d91df1b
GUID: 1EA4DBF0-3C3B-11CF-810C-00AA00389B71
TYPELIB Version: 1.1
```
Suggestion: The 2nd GUID should be renamed as MVID to avoid confusion. I'll see if I can do a PR at some point.
To Reproduce You can review yourself by parsing the accessibility DLL from .NET: https://www.virustotal.com/gui/file/eb0746edea71e38e7b09c10994371999634fa09ec7662a5ba14105ad86f4ad19/details Note that VT does report the correct values.
Expected behavior Yara classifies GUID/Typelib and MVID accordingly.
Screenshots From ILSpy for the same DLL as above:
Please complete the following information:
Additional context N/A
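For reference, the MVID that ILdasm and dnlib report is stored as 16 raw bytes in the `#GUID` heap of the CLI metadata. The following added example (not part of the original issue and not YARA's code) walks a metadata root's stream headers and decodes that heap entry. The sample blob is constructed from the MVID quoted above, and reading GUID index 1 instead of decoding the Module table row is an assumption.

```python
import struct
import uuid

def parse_streams(md: bytes) -> dict:
    """Return {stream name: bytes} from a CLI metadata root (ECMA-335 II.24.2.1)."""
    if md[:4] != b"BSJB":
        raise ValueError("missing BSJB metadata signature")
    (ver_len,) = struct.unpack_from("<I", md, 12)      # version string length
    pos = 16 + ver_len
    _flags, count = struct.unpack_from("<HH", md, pos)
    pos += 4
    streams = {}
    for _ in range(count):
        off, size = struct.unpack_from("<II", md, pos)
        end = md.index(b"\0", pos + 8)                  # name is NUL-terminated
        name = md[pos + 8:end].decode("ascii")
        if off + size > len(md):
            raise ValueError(f"stream {name} runs past the metadata")
        streams[name] = md[off:off + size]
        pos = (end + 4) & ~3                            # next header, 4-byte aligned
    return streams

def guid_at(heap: bytes, index: int) -> str:
    """GUID heap indexes are 1-based; the first three fields are little-endian."""
    start = (index - 1) * 16
    if index < 1 or start + 16 > len(heap):
        raise IndexError("GUID index outside #GUID heap")
    return str(uuid.UUID(bytes_le=heap[start:start + 16]))

def mvid(md: bytes) -> str:
    # Assumption: Module.Mvid is GUID index 1 (the #~ Module row is not decoded here).
    return guid_at(parse_streams(md)["#GUID"], 1)

def build_sample() -> bytes:
    """Constructed metadata root with a #Strings and a #GUID stream."""
    version = b"v4.0.30319\0\0"
    strings = b"\0Accessibility.dll\0\0"
    guids = bytes.fromhex("047127cda227ea4d8628a9cc7d91df1b")  # MVID as stored on disk
    names = [b"#Strings\0\0\0\0", b"#GUID\0\0\0"]
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    root += struct.pack("<HH", 0, 2)
    off = len(root) + sum(8 + len(n) for n in names)
    for name, data in zip(names, (strings, guids)):
        root += struct.pack("<II", off, len(data)) + name
        off += len(data)
    return root + strings + guids

if __name__ == "__main__":
    print("MVID:", mvid(build_sample()))
```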