Dotnetfile: parsing .NET PE files has never been easier

Presented at REcon 2022, June 5, 2022, 4 p.m. (30 minutes)

The .NET PE file format is one of the most complicated file formats, documented in hundreds of pages of technical specification. Parsing it without relying on the .NET framework is a challenging task. In addition, .NET is popular amongst malware authors, offering high-level programming capabilities and features that are useful for malware development. Over the past few years, a pure-Python library for parsing .NET PE files has been developed internally at Palo Alto Networks. Now it is time to open-source it and share it with the research community. The library is called "dotnetfile" and provides an easy-to-use interface for accessing the various fields of the .NET file format and extracting valuable information. In this talk, we will publicly share the library for the first time and discuss its usage. As malware researchers, we will also share a few success stories in which the library helped us accurately detect .NET-based malware families.

Presenters:

  • Yaron Samuel
    Yaron Samuel is a principal malware reverse engineer at Palo Alto Networks. Yaron has spent over 10 years in the field of security research, focused on malware analysis and OS internals. Yaron has previously published several posts on the Unit42 blog and has been credited by MSRC for a number of reported vulnerabilities.
