dotnet module

import "dotnet"

rule not_exactly_five_streams
{
    condition:
        dotnet.number_of_streams != 5
}

rule blop_stream
{
    condition:
        for any i in (0..dotnet.number_of_streams - 1):
            (dotnet.streams[i].name == "#Blop")
}

The version string contained in the metadata root.

*Example: dotnet.version == "v2.0.50727"*

The name of the module.

*Example: dotnet.module_name == "axs"*

The number of streams in the file.

A zero-based array of stream objects, one for each stream contained in the
file. Individual streams can be accessed by using the [] operator. Each
stream object has the following attributes:

.. c:member:: name

    Stream name.

.. c:member:: offset

    Stream offset.

.. c:member:: size

    Stream size.

*Example: dotnet.streams[0].name == "#~"*

The number of GUIDs in the guids array.

A zero-based array of strings, one for each GUID. Individual guids can be
accessed by using the [] operator.

*Example: dotnet.guids[0] == "99c08ffd-f378-a891-10ab-c02fe11be6ef"*

.. c:member:: fullname
    Class full name.

.. c:member:: name
    Class name.

.. c:member:: namespace
    Class namespace.

.. c:member:: visibility
    Class visibility specifier, options are:

    ``private``
    ``public``
    ``protected``
    ``internal``
    ``private protected``
    ``protected internal``

.. c:member:: type
    Type of the object, options are:

    ``class``
    ``interface``

.. c:member:: abstract
    Boolean representing if class is abstract.

.. c:member:: sealed
    Boolean representing if class is sealed.

.. c:member:: number_of_generic_parameters
    Number of generic parameters.

.. c:member:: generic_parameters
    A zero-based array of generic parameters name. Individual parameters can be accessed using the [] operator.

.. c:member:: number_of_base_types
    Number of the base types.

.. c:member:: base_types
    A zero-based array of base types name. Individual base types can be accessed using the [] operator.

.. c:member:: number_of_methods
    Number of the methods.

.. c:member:: methods
    A zero-based array of method objects. Individual methods can be accessed by
    using the [] operator. Each object contains following attributes:

    .. c:member:: name
        Method name.

    .. c:member:: visibility
        Method visibility specifier, options are:

        ``private``
        ``public``
        ``protected``
        ``internal``
        ``private protected``
        ``protected internal``

    .. c:member:: static
        Boolean representing if method is static.

    .. c:member:: virtual
        Boolean representing if method is virtual. 

    .. c:member:: final
        Boolean representing if method is final. 

    .. c:member:: abstract
        Boolean representing if method is abstract. 

    .. c:member:: return_type
        Method return type name.

    .. c:member:: number_of_parameters
        Number of the method parameters.

    .. c:member:: parameters
        A zero-based array of method parameters. Individual parameters can be accessed by using the [] operator.

        .. c:member:: name
            Parameter name.

        .. c:member:: type
            Parameter type.

    .. c:member:: number_of_generic_parameters
        Number of the method generic parameters.

    .. c:member:: generic_parameters
        A zero-based array of method generic parameters. Individual parameters can be accessed by using the [] operator.

*Example: dotnet.classes[0].fullname == "Launcher.Program"*

The number of resources in the .NET file. These are different from normal PE
resources.

A zero-based array of resource objects, one for each resource the .NET file
has.  Individual resources can be accessed by using the [] operator. Each
resource object has the following attributes:

.. c:member:: offset

    Offset for the resource data.

.. c:member:: length

    Length of the resource data.

.. c:member:: name

    Name of the resource (string).

*Example: uint16be(dotnet.resources[0].offset) == 0x4d5a*

Object for .NET assembly information.

.. c:member:: version

    An object with integer values representing version information for this
    assembly. Attributes are:

    ``major``
    ``minor``
    ``build_number``
    ``revision_number``

.. c:member:: name

    String containing the assembly name.

.. c:member:: culture

    String containing the culture (language/country/region) for this
    assembly.

*Example: dotnet.assembly.name == "Keylogger"*

*Example: dotnet.assembly.version.major == 7 and dotnet.assembly.version.minor == 0*

The number of module references in the .NET file.

A zero-based array of strings, one for each module reference the .NET file
has.  Individual module references can be accessed by using the []
operator.

*Example: dotnet.modulerefs[0] == "kernel32"*

The typelib of the file.

The number of constants in the .NET file.

A zero-based array of strings, one for each constant the .NET file has. 
Individual constants can be accessed by using the [] operator.

The number of objects for .NET assembly reference information.

Object for .NET assembly reference information.

.. c:member:: version

    An object with integer values representing version information for this
    assembly. Attributes are:

    ``major``
    ``minor``
    ``build_number``
    ``revision_number``

.. c:member:: name

    String containing the assembly name.

.. c:member:: public_key_or_token

    String containing the public key or token which identifies the author of
    this assembly.

The number of user strings in the file.

An zero-based array of user strings, one for each stream contained in the
file. Individual strings can be accessed by using the [] operator.

The number of fields in the field_offsets array.

A zero-based array of integers, one for each field. Individual field offsets
can be accessed by using the [] operator.

*Example: dotnet.field_offsets[0] == 8675309*

.. versionadded:: 4.2.0

Function returning true if the PE is indeed .NET.

*Example: dotnet.is_dotnet*