mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

dotnet: handling differences between .NET decompilation and ground truth CIL #1188

Open mike-hunhoff opened 2 years ago

mike-hunhoff commented 2 years ago

capa analyzes .NET files at the CIL level to extract capabilities. Unfortunately, this may differ from the decompilation generated by tools like dnSpy. Let's use this issue to track specific instances where the decompilation has differed greatly from the underlying CIL instructions.

mike-hunhoff commented 2 years ago

Delegate defined within method is compiled to two separate methods (two entries in the MethodDef table). capa looks at the MethodDef table and treats parent and delegate as separate methods, emitting capabilities for both. In dnSpy, if a user tries to navigate to the delegate's decompilation using its token value (provided by capa) dnSpy refuses. This appears to be a result of the decompilation combining these methods into one. If you switch to IL view you can navigate to the delegate's CIL disassembly using its token value.
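As an added illustration (not capa's code, and not from the issue author), the helper below maps compiler-synthesized MethodDef entries back to the user-written method that contains them, which is the name you would search for in dnSpy when a capa-reported token refuses to resolve in the decompiled view. It assumes the Roslyn naming convention for lambda bodies (`<Parent>b__N_M`), local functions (`<Parent>g__Name|N_M`) and the nested `<>c` / `<>c__DisplayClassN_M` closure types; the MethodDef rows are constructed sample data, not read from a real assembly.

```python
import re
from collections import defaultdict

# Assumed Roslyn convention: a lambda body inside method Parent is emitted as
# "<Parent>b__N_M" (or "<Parent>b__N"), a local function as "<Parent>g__Name|N_M".
SYNTHESIZED_RE = re.compile(
    r"^<(?P<parent>[^>]+)>(?P<kind>[bg])__(?:(?P<local>[^|]+)\|)?\d+(?:_\d+)?$"
)


def parent_of(method_name):
    """Return (kind, parent_method_name) for a synthesized method, else None."""
    m = SYNTHESIZED_RE.match(method_name)
    if not m:
        return None
    kind = "lambda" if m.group("kind") == "b" else "local function"
    return kind, m.group("parent")


def declaring_type(type_name):
    """Strip compiler-generated nested types ("<>c", "<>c__DisplayClass0_0")
    from a slash-separated nested type name to get the user-written type."""
    keep = []
    for part in type_name.split("/"):
        if part.startswith("<>"):
            break
        keep.append(part)
    return "/".join(keep)


def group_by_parent(methoddef_rows):
    """methoddef_rows: iterable of (token, declaring_type_name, method_name).
    Returns {"Type::Parent": [(token, method_name, kind), ...]} so each
    synthesized delegate can be tied to the method dnSpy will show it inside."""
    groups = defaultdict(list)
    for token, type_name, name in methoddef_rows:
        info = parent_of(name)
        if info is None:
            continue  # user-written method, nothing to fold
        kind, parent = info
        groups[f"{declaring_type(type_name)}::{parent}"].append((token, name, kind))
    return dict(groups)


# Constructed sample rows in MethodDef-table order (tokens are 0x06 | row index).
SAMPLE_METHODDEF = [
    (0x06000001, "Demo.Program", "Main"),
    (0x06000002, "Demo.Program/<>c", "<Main>b__0_0"),
    (0x06000003, "Demo.Program/<>c__DisplayClass1_0", "<Run>b__0"),
    (0x06000004, "Demo.Program", "<Main>g__Helper|0_1"),
    (0x06000005, "Demo.Program", "Run"),
]
```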