# MethodDef
The MethodDef table contains various information about defined methods.
## Get defined method names
`MethodDef.get_method_names(method_access: int) -> List[str]`
Get a list of defined method names.
Parameters:
- method_access: The access level (visibility) of the defined methods. Options:
  - MethodDefMemberAccess.COMPILERCONTROLLED
  - MethodDefMemberAccess.PRIVATE
  - MethodDefMemberAccess.FAMANDASSEM
  - MethodDefMemberAccess.ASSEM
  - MethodDefMemberAccess.FAMILY
  - MethodDefMemberAccess.FAMORASSEM
  - MethodDefMemberAccess.PUBLIC
  - MethodDefMemberAccess.ANY (on by default)

Return value:
A list of defined method names
Example:
```python
# Import class DotNetPE from module dotnetfile
from dotnetfile import DotNetPE

# Create an instance of DotNetPE with the file path as a parameter
dotnet_file = DotNetPE('/Users/<username>/my_dotnet_assembly.exe')

# Check if the "MethodDef" table exists
if dotnet_file.metadata_table_exists('MethodDef'):
    # Get a list of all defined method names
    method_names = dotnet_file.MethodDef.get_method_names()
    # Print out the defined method names
    for method_name in method_names:
        print(f'{method_name}')
```
## Get Windows Forms app entry point
`MethodDef.get_windows_forms_app_entry_point() -> List[Optional[Struct.EntryPoint]]`
Get the entry point of a Windows Forms app.
This method is mostly intended for internal use, but it might still be useful in some situations.
Parameters:
-
Return value:
The result is a list with an EntryPoint dataclass object with the following values:
- Method (str): Method name
- Signature (Dict): Additional method information:
  - hasthis (bool): Method has a "this" pointer
  - return (str): Return value
  - parameter (Tuple[str]): Parameter(s)
- Type (str): Type name
- Namespace (str): Namespace name

Example:
```python
# Import class DotNetPE from module dotnetfile
from dotnetfile import DotNetPE

# Create an instance of DotNetPE with the file path as a parameter
dotnet_file = DotNetPE('/Users/<username>/my_dotnet_assembly.dll')

# Check if the "MethodDef" table exists
if dotnet_file.metadata_table_exists('MethodDef'):
    # Get the Windows Forms app entry point
    entry_point = dotnet_file.MethodDef.get_windows_forms_app_entry_point()
    # The return type allows an empty list or a None entry, so check first
    if entry_point and entry_point[0]:
        # Print out entry point information
        print(f'Method: {entry_point[0].Method}')
        print(f'Type: {entry_point[0].Type}')
        print(f'Namespace: {entry_point[0].Namespace}')
        if entry_point[0].Signature:
            print('Signature:')
            print(f'\tParameter: {entry_point[0].Signature["parameter"]}')
            print(f'\tReturn value: {entry_point[0].Signature["return"]}')
            print(f'\tHas this pointer: {entry_point[0].Signature["hasthis"]}')
```
## Get possible entry points (DLL)
`MethodDef.get_entry_points() -> List[Optional[Struct.EntryPoint]]`
Get a list of possible entry points (public methods) of a .NET DLL along with their types, namespaces and parameters.
.NET DLLs don't need to have a defined entry point, in contrast to native PE DLLs that always have the DllMain function. Without knowing the real entry point, the execution of a .NET DLL likely won't work or will result in a crash. To perform dynamic analysis of these files and fully detonate them, you have to call the supposed entry point method(s).
Parameters:
-
Return value:
The result is a list with EntryPoint dataclass objects:
- Method (str): Method name
- Signature (Dict): Additional method information:
  - hasthis (bool): Method has a "this" pointer
  - return (str): Return value
  - parameter (Tuple[str]): Parameter(s)
- Type (str): Type name
- Namespace (str): Namespace name

Example:
```python
# Import class DotNetPE from module dotnetfile
from dotnetfile import DotNetPE

# Create an instance of DotNetPE with the file path as a parameter
dotnet_file = DotNetPE('/Users/<username>/my_dotnet_assembly.dll')

# Check if the "MethodDef" table exists
if dotnet_file.metadata_table_exists('MethodDef'):
    # Get all possible entry points of the .NET DLL
    entry_points = dotnet_file.MethodDef.get_entry_points()
    # Print out the entry point data
    for entry_point in entry_points:
        print(f'Method: {entry_point.Method}')
        print(f'Type: {entry_point.Type}')
        print(f'Namespace: {entry_point.Namespace}')
        if entry_point.Signature:
            print('Signature:')
            print(f'\tParameter: {entry_point.Signature["parameter"]}')
            print(f'\tReturn value: {entry_point.Signature["return"]}')
            print(f'\tHas this pointer: {entry_point.Signature["hasthis"]}')
        print('---')
```
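
When a DLL exposes many public methods, the documented Signature fields help decide which candidates to try first in a sandbox. The following is an added example, not part of dotnetfile or its documentation: the `EntryPoint` stand-in class, the ranking scheme, the `rank_entry_points` helper and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class EntryPoint:
    """Stand-in with the fields documented above (not dotnetfile's own class)."""
    Method: str
    Signature: Optional[Dict]
    Type: str
    Namespace: str


def rank_entry_points(entry_points: List[Optional[EntryPoint]]) -> List[Tuple[int, str]]:
    """Return (rank, qualified name) pairs, easiest to invoke first.

    0: static, no parameters    1: static, arguments must be supplied
    2: instance method, the type must be instantiated first
    3: signature missing, needs manual review
    """
    ranked = []
    for ep in entry_points:
        if ep is None:  # the documented return type is List[Optional[EntryPoint]]
            continue
        qualified = f'{ep.Namespace}.{ep.Type}' if ep.Namespace else ep.Type
        sig = ep.Signature
        if not sig:
            ranked.append((3, f'{qualified}::{ep.Method}'))
            continue
        params = tuple(sig.get('parameter') or ())
        if sig.get('hasthis'):
            rank = 2
        elif params:
            rank = 1
        else:
            rank = 0
        ranked.append((rank, f'{qualified}::{ep.Method}({", ".join(params)})'))
    return sorted(ranked)


# Constructed sample data, shaped like the get_entry_points() return value
SAMPLE = [
    EntryPoint('Run', {'hasthis': False, 'return': 'void', 'parameter': ()}, 'Loader', 'Sample.Core'),
    EntryPoint('Init', {'hasthis': True, 'return': 'void', 'parameter': ('string',)}, 'Config', 'Sample.Core'),
    None,
    EntryPoint('Execute', {'hasthis': False, 'return': 'int', 'parameter': ('string', 'int')}, 'Loader', 'Sample.Core'),
    EntryPoint('Helper', None, 'Util', ''),
]

if __name__ == '__main__':
    for rank, name in rank_entry_points(SAMPLE):
        print(rank, name)
```

With a real file, pass the result of `dotnet_file.MethodDef.get_entry_points()` to `rank_entry_points` instead of `SAMPLE`.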