Extend dotnet module #1670

Open
wants to merge 20 commits into
base: master
Changes from 6 commits
1 change: 1 addition & 0 deletions CONTRIBUTORS
Expand Up @@ -33,6 +33,7 @@ Hilko Bengen <bengen@hilluzination.de>
Joachim Metz <joachim.metz@gmail.com>
Karl Hiramoto <karl.hiramoto@virustotal.com>
Mike Wiacek <mjwiacek@google.com>
Paul Tarter <paul.tarter@mandiant.com>;<tarterp@gmail.com>
Shane Huntley <shuntley@google.com>
Stefan Buehlmann <stefan.buehlmann@joebox.org>
Victor M. Alvarez <plusvic@gmail.com>;<vmalvarez@virustotal.com>
178 changes: 175 additions & 3 deletions docs/modules/dotnet.rst
Expand Up @@ -30,6 +30,31 @@ using attributes and features of the .NET file format. Let's see some examples:
Reference
---------

.. c:type:: major_runtime_version

The major version contained in the CLI header

.. c:type:: minor_runtime_version

The major version contained in the CLI header
Collaborator

s/major/minor/


.. c:type:: flags

CLI header runtime flags contains the following values

.. c:type:: COMIMAGE_FLAGS_ILONLY
.. c:type:: COMIMAGE_FLAGS_32BITREQUIRED
.. c:type:: COMIMAGE_FLAGS_IL_LIBRARY
.. c:type:: COMIMAGE_FLAGS_STRONGNAMESIGNED
.. c:type:: COMIMAGE_FLAGS_NATIVE_ENTRYPOINT
.. c:type:: COMIMAGE_FLAGS_TRACKDEBUGDATA

.. c:type:: entry_point

If CORHEADER_NATIVE_ENTRYPOINT is set, entry_point represents an RVA
to a native entrypoint. If CORHEADER_NATIVE_ENTRYPOINT is not set,
entry_point represents a managed entrypoint.
Collaborator

represents an RVA to a managed entrypoint.

This way it is clear that in both cases it is an RVA.


.. c:type:: version

The version string contained in the metadata root.
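
Review bot: The entry_point description refers to CORHEADER_NATIVE_ENTRYPOINT, but the flags list directly above documents COMIMAGE_FLAGS_NATIVE_ENTRYPOINT and lists no CORHEADER_ constant, so a rule author cannot tell from this text which name to test. Use one name in both places. The flags entry should also say that the field is a bitmask of the listed values and carry an Example line in the style of the other new fields, for instance: Example: dotnet.flags & dotnet.COMIMAGE_FLAGS_ILONLY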
Expand All @@ -53,12 +78,12 @@ Reference
stream object has the following attributes:

.. c:member:: name

Stream name.
Collaborator

Nit: whitespace added here.

Stream name

.. c:member:: offset

Stream offset.
Stream offset

.. c:member:: size

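Review bot: The name and offset descriptions under the stream object differ only in trailing punctuation and whitespace ("Stream name." versus "Stream name", "Stream offset." versus "Stream offset"), which is unrelated to the attributes this PR documents. Leave these two lines as they were, or, if the punctuation change is intended, apply it to every description in the reference in a separate commit so this diff stays limited to the new fields.
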
Expand Down Expand Up @@ -168,6 +193,153 @@ Reference
String containing the public key or token which identifies the author of
this assembly.

.. c:type:: number_of_memberrefs

the number of memberrefs in the file

.. c:type:: memberrefs

a zero-based array of memberrefs associating Methods to fields of a class.
Individual memberrefs can be access by using the [] operator. Each
memberref has the following attributes:

.. c:member:: name

memberref name

*Example: dotnet.memberrefs[18].name == "CompareTo"*


Collaborator

Nit: extra newlines here.


.. c:type:: number_of_methods

the number of methods in the file

.. c:type:: methods

A zero-based array of methods associating operations with a type. Individual
methods can be accessed by using the [] operator. Each method has the
following attributes:

.. c:member:: rva

A relative virtual address of the method

.. c:member:: impl_flags

Integer representing method implementation attributes with one of the
following values:

.. c:type:: METHOD_IMPL_FLAGS_CODE_TYPE_MASK
.. c:type:: METHOD_IMPL_FLAGS_IL
.. c:type:: METHOD_IMPL_FLAGS_IS_NATIVE
.. c:type:: METHOD_IMPL_FLAGS_OPTIL
.. c:type:: METHOD_IMPL_FLAGS_RUNTIME
.. c:type:: METHOD_IMPL_FLAGS_MANAGED_MASK
.. c:type:: METHOD_IMPL_FLAGS_UNMANAGED
.. c:type:: METHOD_IMPL_FLAGS_MANAGED
.. c:type:: METHOD_IMPL_FLAGS_FORWARD_REF
.. c:type:: METHOD_IMPL_FLAGS_PRESERVE_SIG
.. c:type:: METHOD_IMPL_FLAGS_INTERNAL_CALL
.. c:type:: METHOD_IMPL_FLAGS_SYNCHRONIZED
.. c:type:: METHOD_IMPL_FLAGS_NO_INLINING
.. c:type:: METHOD_IMPL_FLAGS_NO_OPTIMIZATION

*Example: dotnet.methods[0].impl_flags & dotnet.METHOD_IMPL_FLAGS_IS_NATIVE*

.. c:member:: flags

.. c:type:: METHOD_FLAGS_MEMBER_ACCESS_MASK
.. c:type:: METHOD_FLAGS_COMPILER_CONTROLLED
.. c:type:: METHOD_FLAGS_PRIVATE
.. c:type:: METHOD_FLAGS_FAM_AND_ASSEM
.. c:type:: METHOD_FLAGS_ASSEM
.. c:type:: METHOD_FLAGS_FAMILY
.. c:type:: METHOD_FLAGS_FAM_OR_ASSEM
.. c:type:: METHOD_FLAGS_PUBLIC
.. c:type:: METHOD_FLAGS_STATIC
.. c:type:: METHOD_FLAGS_FINAL
.. c:type:: METHOD_FLAGS_VIRTUAL
.. c:type:: METHOD_FLAGS_HIDE_BY_SIG
.. c:type:: METHOD_FLAGS_VTABLE_LAYOUT_MASK
.. c:type:: METHOD_FLAGS_REUSE_SLOT
.. c:type:: METHOD_FLAGS_NEW_SLOT
.. c:type:: METHOD_FLAGS_STRICT
.. c:type:: METHOD_FLAGS_ABSTRACT
.. c:type:: METHOD_FLAGS_SPECIAL_NAME
.. c:type:: METHOD_FLAGS_PINVOKE_IMPL
.. c:type:: METHOD_FLAGS_UNMANAGED_EXPORT
.. c:type:: METHOD_FLAGS_RTS_SPECIAL_NAME
.. c:type:: METHOD_FLAGS_HAS_SECURITY
.. c:type:: METHOD_FLAGS_REQUIRE_SEC_OBJECT

*Example: dotnet.methods[0].Flags & dotnet.METHOD_FLAGS_STATIC*

.. c:member:: name

method name

*Example: dotnet.methods[0].name == "Foo"*

.. c:type:: number_of_typerefs

the number of type references in the file

.. c:type:: typerefs

A zero based array of type references, logical descriptions of user-defined
types that are referenced in the current module. Individual typerefs can
be access by using the [] operator. Each typeref has the following
attributes:

.. c:member:: name

typeref name

*Example: dotnet.typerefs[0].name == "Decoder"*

.. c:member:: nameSpace

typeref namespace

*Example: dotnet.typerefs[0].namespace == "System.Text"*

.. c:type:: number_of_impl_maps

The number of PInvoke implmaps in the file

.. c:type:: impl_maps

A zero based array of impl_map table row. Each entry holds information
about unmanaged methods that can be reached from managed code, using PInvoke
dispatch. A row is entered in the impl_map table for each parent method that
is defined with a .pinvokeimpl interoperation attribute. Individual
impl_maps can be accessed by using the [] operator.Each impl_map has the
tarterp marked this conversation as resolved.
following attributes.

.. c:member:: import_name

impl_map import name

.. c:member:: mapping_flags

Integer representing flags for the impl_map entry with one of the
following values:

.. c:type:: PINVOKE_FLAGS_NO_MANGLE
.. c:type:: PINVOKE_FLAGS_CHAR_SET_MASK
.. c:type:: PINVOKE_FLAGS_CHAR_SET_NOT_SPEC
.. c:type:: PINVOKE_FLAGS_CHAR_SET_ANSI
.. c:type:: PINVOKE_FLAGS_CHAR_SET_UNICODE
.. c:type:: PINVOKE_FLAGS_CHAR_SET_AUTO
.. c:type:: PINVOKE_FLAGS_SUPPORT_GET_LAST_ERROR
.. c:type:: PINVOKE_FLAGS_CALL_CONV_MASK
.. c:type:: PINVOKE_FLAGS_CALL_CONV_PLATFORM_API
.. c:type:: PINVOKE_FLAGS_CALL_CONV_CDECL
.. c:type:: PINVOKE_FLAGS_CALL_CONV_STDCALL
.. c:type:: PINVOKE_FLAGS_CALL_CONV_THISCALL
.. c:type:: PINVOKE_FLAGS_CALL_CONV_FASTCALL

.. c:type:: number_of_user_strings

The number of user strings in the file.
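
Review bot: Two examples in the methods and typerefs entries do not match the member names documented beside them: the flags member is illustrated with dotnet.methods[0].Flags, and the nameSpace member with dotnet.typerefs[0].namespace. Identifiers in rule conditions are case-sensitive, so make each c:member name and its example agree with the field the module declares. The flags member under methods also has no description sentence before its constant list, and impl_flags and mapping_flags are described as holding "one of the following values" although the impl_flags example tests a bit with &; stating that these are bitmasks, and which constants are masks (such as METHOD_IMPL_FLAGS_CODE_TYPE_MASK), would tell rule authors how to test them. Minor: "can be access by" in memberrefs and typerefs should read "can be accessed by", and "operator.Each" in impl_maps needs a space.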