feat(modules): Update dotnet module
MatejKastak committed Jul 31, 2023
1 parent f1fff5d commit dfb16f2
Showing 2 changed files with 247 additions and 3 deletions.
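--- a/modules/module_dotnet.json
+++ b/modules/module_dotnet.json
@@ -63,6 +63,195 @@
 "documentation": "The number of GUIDs in the guids array.",
 "type": "i"
 },
+{
+"kind": "value",
+"name": "number_of_classes",
+"documentation": "The number of classes in the file.",
+"type": "i"
+},
+{
+"kind": "array",
+"name": "classes",
+"documentation": "A zero-based array of .NET classes stored in the metadata. Individual classes can be accessed using the [] operator.",
+"structure":
+{
+"kind": "struct",
+"name": "classes",
+"documentation": "",
+"attributes": [
+{
+"kind": "value",
+"name": "fullname",
+"documentation": "Class full name.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "name",
+"documentation": "Class name.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "namespace",
+"documentation": "Class namespace.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "visibility",
+"documentation": "Class visibility specifier, options are: private, public, protected, internal, private protected and protected internal",
+"type" : "s"
+},
+{
+"kind": "value",
+"name": "type",
+"documentation": "Type of the object, options are: class and interface",
+"type" : "s"
+},
+{
+"kind": "value",
+"name": "abstract",
+"documentation": "Boolean representing if class is abstract.",
+"type": "i"
+},
+{
+"kind": "value",
+"name": "sealed",
+"documentation": "Boolean representing if class is sealed.",
+"type": "i"
+},
+{
+"kind": "value",
+"name": "number_of_generic_parameters",
+"documentation": "Number of generic parameters.",
+"type": "i"
+},
+{
+"kind": "array",
+"name": "generic_parameters",
+"documentation": "A zero-based array of generic parameters name. Individual parameters can be accessed using the [] operator.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "number_of_base_types",
+"documentation": "Number of the base types.",
+"type": "i"
+},
+{
+"kind": "array",
+"name": "base_types",
+"documentation": "A zero-based array of base types name. Individual base types can be accessed using the [] operator.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "number_of_methods",
+"documentation": "Number of the methods.",
+"type": "i"
+},
+{
+"kind": "array",
+"name": "methods",
+"documentation": "A zero-based array of method objects. Individual methods can be accessed by using the [] operator.",
+"structure":
+{
+"kind": "struct",
+"name": "methods",
+"documentation": "",
+"attributes": [
+{
+"kind": "value",
+"name": "name",
+"documentation": "Method name.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "visibility",
+"documentation": "Method visibility specifier, options are: private, public, protected, internal, private protected and protected internal",
+"type" : "s"
+},
+{
+"kind": "value",
+"name": "static",
+"documentation": "Boolean representing if method is static.",
+"type": "i"
+},
+{
+"kind": "value",
+"name": "virtual",
+"documentation": "Boolean representing if method is virtual.",
+"type": "i"
+},
+{
+"kind": "value",
+"name": "final",
+"documentation": "Boolean representing if method is final.",
+"type": "i"
+},
+{
+"kind": "value",
+"name": "abstract",
+"documentation": "Boolean representing if method is abstract.",
+"type": "i"
+},
+{
+"kind": "value",
+"name": "return_type",
+"documentation": "Method return type name.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "number_of_parameters",
+"documentation": "Number of the method parameters.",
+"type": "i"
+},
+{
+"kind": "array",
+"name": "parameters",
+"documentation": "A zero-based array of method parameters. Individual parameters can be accessed by using the [] operator.",
+"structure":
+{
+"kind": "struct",
+"name": "parameters",
+"documentation": "",
+"attributes": [
+{
+"kind": "value",
+"name": "name",
+"documentation": "Parameter name.",
+"type": "s"
+},
+{
+"kind": "value",
+"name": "type",
+"documentation": "Parameter type.",
+"type": "s"
+}
+]
+}
+},
+{
+"kind": "value",
+"name": "number_of_generic_parameters",
+"documentation": "Number of the method generic parameters.",
+"type": "i"
+},
+{
+"kind": "array",
+"name": "generic_parameters",
+"documentation": "A zero-based array of method generic parameters. Individual parameters can be accessed by using the [] operator.",
+"type": "s"
+}
+]
+}
+}
+]
+}
+},
 {
 "kind": "array",
 "name": "resources",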
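Review bot: The three new `struct` entries (`classes`, `methods`, `parameters`) are added with `"documentation": ""`, while every `value` and `array` entry around them carries a description; since these strings are what the module reference is generated from, they should be filled, e.g. `"documentation": "A single .NET class with its visibility, generic parameters, base types and methods."` for `classes`, with similar one-liners for `methods` and `parameters`. Three entries also write `"type" : "s"` with a space before the colon (the `visibility` and `type` attributes of `classes`, and `visibility` of `methods`) where the rest of the hunk uses `"type": "s"`; worth normalizing so the file stays uniform. The `abstract`, `sealed`, `static`, `virtual` and `final` attributes are typed `"i"` but documented as booleans — if the integer type is deliberate, stating the contract in the string, e.g. `"documentation": "1 if the class is abstract, 0 otherwise."`, tells rule authors what they can compare against.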
61 changes: 58 additions & 3 deletions tests/cpp/parser_tests.cpp
Expand Up @@ -3631,18 +3631,73 @@ import "dotnet"
rule dotnet_module
{
condition:
dotnet.is_dotnet and
dotnet.version == "v2.0.50727" and
dotnet.module_name == "axs" and
dotnet.number_of_streams == 123 and
dotnet.streams[0].name == "#~" and
dotnet.streams[0].offset == 123 and
dotnet.streams[0].size == 123 and
dotnet.number_of_guids == 123 and
dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef" and
dotnet.number_of_classes == 123 and
dotnet.classes[0].fullname == "Launcher.Program" and
dotnet.classes[0].name == "Launcher.Program" and
dotnet.classes[0].namespace == "test" and
dotnet.classes[0].visibility == "private" and
dotnet.classes[0].type == "class" and
dotnet.classes[0].abstract and
dotnet.classes[0].sealed and
dotnet.classes[0].number_of_generic_parameters == 123 and
dotnet.classes[0].generic_parameters[0] == "test" and
dotnet.classes[0].number_of_base_types == 123 and
dotnet.classes[0].base_types[0] == "test" and
dotnet.classes[0].number_of_methods == 123 and
dotnet.classes[0].methods[0].name == "test" and
dotnet.classes[0].methods[0].visibility == "public" and
dotnet.classes[0].methods[0].static and
dotnet.classes[0].methods[0].virtual and
dotnet.classes[0].methods[0].final and
dotnet.classes[0].methods[0].abstract and
dotnet.classes[0].methods[0].return_type == "test" and
dotnet.classes[0].methods[0].number_of_parameters == 123 and
dotnet.classes[0].methods[0].parameters[0].name == "test" and
dotnet.classes[0].methods[0].parameters[0].type == "test" and
dotnet.classes[0].methods[0].number_of_generic_parameters == 123 and
dotnet.classes[0].methods[0].generic_parameters[0] == "test" and
dotnet.number_of_resources == 123 and
dotnet.resources[0].offset == 0x4d5a and
dotnet.resources[0].length == 0x4d5a and
dotnet.resources[0].name == "test" and
dotnet.assembly.version.major == 7 and
dotnet.assembly.version.minor == 0 and
dotnet.assembly.version.build_number == 0 and
dotnet.assembly.version.revision_number == 0 and
dotnet.assembly.name == "Keylogger" and
dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"
dotnet.assembly.culture == "test" and
dotnet.number_of_modulerefs == 123 and
dotnet.modulerefs[0] == "kernel32" and
dotnet.typelib == "kernel32" and
dotnet.assembly_refs[0].version.major == 7 and
dotnet.assembly_refs[0].version.minor == 0 and
dotnet.assembly_refs[0].version.build_number == 0 and
dotnet.assembly_refs[0].version.revision_number == 0 and
dotnet.assembly_refs[0].name == "test" and
dotnet.assembly_refs[0].public_key_or_token == "test" and
dotnet.number_of_user_strings == 123 and
dotnet.user_strings[0] == "test" and
dotnet.number_of_field_offsets == 123 and
dotnet.field_offsets[0] == 8675309
}
)");

EXPECT_TRUE(driver.parse(input));
ASSERT_EQ(1u, driver.getParsedFile().getRules().size());

const auto& rule = driver.getParsedFile().getRules()[0];
EXPECT_EQ("dotnet.assembly.name == \"Keylogger\" and dotnet.guids[0] == \"99c08ffd-f378-a891-10ab-c02fe11be6ef\"", rule->getCondition()->getText());
EXPECT_EQ("dotnet.is_dotnet and dotnet.version == \"v2.0.50727\" and dotnet.module_name == \"axs\" and dotnet.number_of_streams == 123 and dotnet.streams[0].name == \"#~\" and dotnet.streams[0].offset == 123 and dotnet.streams[0].size == 123 and dotnet.number_of_guids == 123 and dotnet.guids[0] == \"99c08ffd-f378-a891-10ab-c02fe11be6ef\" and dotnet.number_of_classes == 123 and dotnet.classes[0].fullname == \"Launcher.Program\" and dotnet.classes[0].name == \"Launcher.Program\" and dotnet.classes[0].namespace == \"test\" and dotnet.classes[0].visibility == \"private\" and dotnet.classes[0].type == \"class\" and dotnet.classes[0].abstract and dotnet.classes[0].sealed and dotnet.classes[0].number_of_generic_parameters == 123 and dotnet.classes[0].generic_parameters[0] == \"test\" and dotnet.classes[0].number_of_base_types == 123 and dotnet.classes[0].base_types[0] == \"test\" and dotnet.classes[0].number_of_methods == 123 and dotnet.classes[0].methods[0].name == \"test\" and dotnet.classes[0].methods[0].visibility == \"public\" and dotnet.classes[0].methods[0].static and dotnet.classes[0].methods[0].virtual and dotnet.classes[0].methods[0].final and dotnet.classes[0].methods[0].abstract and dotnet.classes[0].methods[0].return_type == \"test\" and dotnet.classes[0].methods[0].number_of_parameters == 123 and dotnet.classes[0].methods[0].parameters[0].name == \"test\" and dotnet.classes[0].methods[0].parameters[0].type == \"test\" and dotnet.classes[0].methods[0].number_of_generic_parameters == 123 and dotnet.classes[0].methods[0].generic_parameters[0] == \"test\" and dotnet.number_of_resources == 123 and dotnet.resources[0].offset == 0x4d5a and dotnet.resources[0].length == 0x4d5a and dotnet.resources[0].name == \"test\" and dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0 and dotnet.assembly.version.build_number == 0 and dotnet.assembly.version.revision_number == 0 and dotnet.assembly.name == \"Keylogger\" and dotnet.assembly.culture == 
\"test\" and dotnet.number_of_modulerefs == 123 and dotnet.modulerefs[0] == \"kernel32\" and dotnet.typelib == \"kernel32\" and dotnet.assembly_refs[0].version.major == 7 and dotnet.assembly_refs[0].version.minor == 0 and dotnet.assembly_refs[0].version.build_number == 0 and dotnet.assembly_refs[0].version.revision_number == 0 and dotnet.assembly_refs[0].name == \"test\" and dotnet.assembly_refs[0].public_key_or_token == \"test\" and dotnet.number_of_user_strings == 123 and dotnet.user_strings[0] == \"test\" and dotnet.number_of_field_offsets == 123 and dotnet.field_offsets[0] == 8675309", rule->getCondition()->getText());
EXPECT_EQ("dotnet", rule->getCondition()->getFirstTokenIt()->getPureText());
EXPECT_EQ("99c08ffd-f378-a891-10ab-c02fe11be6ef", rule->getCondition()->getLastTokenIt()->getPureText());
EXPECT_EQ("8675309", rule->getCondition()->getLastTokenIt()->getPureText());

EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
}
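Review bot: The expected condition text in the `EXPECT_EQ` that spans the two long lines before `EXPECT_EQ("dotnet", ...)` is a second, hand-maintained copy of the 58-line rule body above it, so any edit to the rule must now be mirrored character-for-character in the assertion or the test fails for a reason unrelated to the parser; since `EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted())` already pins the round trip, consider deriving the expected condition from the input, or limiting the assertion to a few of the new accessors such as `dotnet.classes[0].methods[0].parameters[0].type` plus the last-token check. The test also shows only that every new symbol is accepted; nothing here verifies that the module definition rejects an attribute it does not declare, so a companion case that parses `dotnet.classes[0].nonexistent` in the same rule shape and asserts `driver.parse` fails would demonstrate that the new `classes` structure is actually consulted. The enclosing test function starts outside the hunk, so the definitions of `input` and `input_text` are not visible here.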
