information about Microsoft .NET files.
dot_net_assembly shows information about Microsoft .NET files.
assembly_data: <dictionary> basic data about the assembly manifest.buildnumber: <integer> build number.culture: <string> culture-specific information.flags: <integer> specific characteristics of the assembly (i.e. x86, AMD64, etc.)flags_text: <string> human-readable version of flags.hashalgid: <integer> id of hash used when signed.majorversion: <integer> major version.minorversion: <integer> minor version.name: <string> assembly name.pubkey: <string> public key.revisionnumber: <integer> revision number.
assembly_flags: <integer> other flags regarding the assembly (i.e. requiring 32 bits, etc.)assembly_flags_txt: <string> human-readable version ofassembly_flags.assembly_name: <string> assembly name.clr_meta_version: <string> version number of Common Language Runtime metadata.clr_version: <string> Common Language Runtime version.entry_point_rva: <integer> entry point Relative Virtual Address.entry_point_token: <integer> entry point of the program.external_assemblies: <dictionary> (optional) other assemblies used by this one, with name and version. Key is the assembly name and it has a dictionary as value with aversionkey.exported_types: <list of dictionaries> (optional) contains exported types, with name and name spaces:name: <string> type name.namespace: <string> type namespace.
external_files: (optional) list of references to external files.external_modules: <list of strings> (optional) list of external modules used.manifest_resource: <list of strings> (optional) list of manifest resources.metadata_header_rva: <integer> metadata header Relative Virtual Address.resources_va: <integer> resources Virtual Address.streams: <dictionary> information about assembly streams, names and associated data. Key is the stream name and value is a dictionary having the following fields:chi2: <float> chi-squared test value of stream data.entropy: <float> entropy value of stream data.md5: <string> md5 hash value of stream data.size: <integer> size of stream.
strongname_va: <integer> Relative Virtual Address of the strong name signature hash.tables_present_map: hex value of present tables bitmap.tables_present: <integer> number of tables present in the assembly.tables_rows_map: <string> hex representation of number of rows on each table.tables_rows_map_log: <string> simplified representation of tables_rows_map.type_definition_list: (optional) <list of dictionaries> every entry represents a type definition:namespace: <string> defined types' namespace.type_definitions: <list of strings> defined types.
unmanaged_method_list: <list of dictionaries> (optional) list of methods from external modules. Every item in the list contains the following fields:methods: <list of strings> method names.name: <string> module name.
{
"data": {
...
"attributes" : {
...
"dot_net_assembly": {
"assembly_data": {
"buildnumber": <int>,
"culture": "<string>",
"flags": <int>,
"flags_text": "<string>",
"hashalgid": <int>,
"majorversion": <int>,
"minorversion": <int>,
"name": "<string>",
"pubkey": "<string>",
"revisionnumber": <int>
},
"assembly_flags": <int>,
"assembly_flags_txt": "<string>",
"assembly_name": "<string>",
"clr_meta_version": "<string>",
"clr_version": "<string>",
"entry_point_rva": <int>,
"entry_point_token": <int>,
"exported_types": [
{
"name": "<string>",
"namespace": "<string>"
}, ...
],
"external_assemblies": {
"<string>": {
"version": "<string>"
}, ...
},
"external_files": ["<strings>"],
"external_modules": ["<strings>"],
"manifest_resource": ["<strings>"],
"metadata_header_rva": <int>,
"resources_va": <int>,
"streams": {
"<string>": {
"chi2": <float>,
"entropy": <float>,
"md5": "<string>",
"size": <int>
}, ...
},
"strongname_va": <int>,
"tables_present": <int>,
"tables_present_map": "<string>",
"tables_rows_map": "<string>",
"tables_rows_map_log": "<string>",
"type_definition_list": [
{
"namespace": "<string>",
"type_definitions": ["<strings>",..]
},...
],
"unmanaged_method_list": [
{
"methods": ["<strings>"],
"name": "<string>"
},...
],
"exported_types": {
"<string>": ["<strings>"]
},
},
...
}
}
}
{
"data": {
"attributes": {
"dot_net_assembly": {
"assembly_data": {
"buildnumber": 0,
"culture": "",
"flags": 0,
"flags_text": "afPA_None",
"hashalgid": 32772,
"majorversion": 0,
"minorversion": 4,
"name": "mxzIuI",
"pubkey": "",
"revisionnumber": 0
},
"assembly_flags": 3,
"assembly_flags_txt": "COMIMAGE_FLAGS_ILONLY, COMIMAGE_FLAGS_32BITREQUIRED",
"assembly_name": "blabla.exe",
"clr_meta_version": "1.1",
"clr_version": "v4.0.30319",
"entry_point_rva": 143572,
"entry_point_token": 100663553,
"external_assemblies": {
"System": {
"version": "4.0.0.0"
},
"System.Drawing": {
"version": "4.0.0.0"
}
},
"external_modules": [
"user32.dll",
"kernel32",
"psapi.dll",
"user32",
"User32.dll",
"vaultcli.dll",
"Advapi32",
"bcrypt.dll"
],
"manifest_resource": [
"CustomCastleCrawler.Properties.Resources.resources",
"CustomCastleCrawler.frmClassSelection.resources",
"CustomCastleCrawler.frmCombat.resources"
],
"metadata_header_rva": 69496,
"resources_va": 360888,
"streams": {
"#Blob": {
"chi2": 27145.0,
"entropy": 5.43829870223999,
"md5": "c05920af6fec4f1cb210b91a0edfe80d",
"size": 2952
},
"#GUID": {
"chi2": 272.0,
"entropy": 3.875,
"md5": "af229c84a6d3f35be3c227fb35aa7fc0",
"size": 16
},
"#Strings": {
"chi2": 112163.703125,
"entropy": 5.011016845703125,
"md5": "ef647c108850c8c67ffd51c336c301e9",
"size": 10860
},
"#US": {
"chi2": 2140962.5,
"entropy": 3.9992733001708984,
"md5": "7800337a2c33f5745417e7a3b82ff7bd",
"size": 47392
},
"#~": {
"chi2": 354640.375,
"entropy": 5.539584159851074,
"md5": "b95a1f2f2ec66f2d70ae87bd7009190d",
"size": 12748
}
},
"strongname_va": 0,
"tables_present": 21,
"tables_present_map": "b0929a29d57L",
"tables_rows_map": "18422014401130f101022ca002047000d0315e00f020010040000a3010",
"tables_rows_map_log": "497999949486886445654",
"type_definition_list": [
{
"namespace": "System.Security.Cryptography",
"type_definitions": [
"TripleDESCryptoServiceProvider",
"ICryptoTransform",
"KeySizes",
"SymmetricAlgorithm",
"CipherMode",
"PaddingMode"
]
},
{
"namespace": "System.Reflection",
"type_definitions": [
"AssemblyTitleAttribute",
"AssemblyDescriptionAttribute",
"AssemblyConfigurationAttribute",
"AssemblyCompanyAttribute",
"AssemblyProductAttribute",
"AssemblyCopyrightAttribute",
"AssemblyTrademarkAttribute",
"AssemblyFileVersionAttribute",
"MethodInfo",
"Assembly",
"BindingFlags",
"Binder"
]
},
{
"namespace": "System.Diagnostics",
"type_definitions": [
"DebuggableAttribute",
"DebuggerBrowsableState",
"DebuggerBrowsableAttribute",
"DebuggerNonUserCodeAttribute"
]
}
],
"unmanaged_method_list": [
{
"methods": [
"mciSendString"
],
"name": "winmm.dll"
}
],
"unmanaged_methods": {
"winmm.dll": [
"mciSendString"
]
}
}
}
}
}