GitHub - dangodangodango/BadDotnetPe: Build a dotnet pe to trigger this issue: [VirusTotal#1708]

Build a dotnet pe to trigger this issue VirusTotal#1708

Build a normal dotnet pe

HelloWorld_origin.dll

The size of pe should preferably be a multiple of pagesize, because we can only cause a maximum of 16 bytes out of bounds read.

Edit Pe file

Write a metadata header at the end of file:

The last 4 bytes is the Length, Length must <= 16 to trigger the issue, and of course it must also be a legal value:

// yara/libyara/modules/dotnet:1652
if (md_len == 0 || md_len > 255 || md_len % 4 != 0 ||
    !fits_in_pe(pe, pe->data + offset, md_len))
{
  return false;
}

Edit the last section header, make Virtual Size be the same as Raw Size, otherwise the metadata header at the end of file will not be considered as part of pe.
Edit the MetaDataRVA to the RVA metadata header we write at the end of file

Scan the modified PE file

import "dotnet"

rule dotnet_version_rule
{
    condition:
        dotnet.version == "v4.0.30319"
}

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
image		image
HelloWorld_modified.dll		HelloWorld_modified.dll
HelloWorld_origin.dll		HelloWorld_origin.dll
dotnet.yar		dotnet.yar
readme.md		readme.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Build a normal dotnet pe

Edit Pe file

Scan the modified PE file

About

Uh oh!

Releases

Packages

Languages

dangodangodango/BadDotnetPe

Folders and files

Latest commit

History

Repository files navigation

Build a normal dotnet pe

Edit Pe file

Scan the modified PE file

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages