# Introduction
We created this project for several reasons. First, while the PE header is documented extensively and used in various ways for malware identification, the CLR header isn't. This is unfortunate, as it offers plenty of information on a .NET assembly that can be useful to detect malware.
Second, there is a lack of public libraries for parsing the header of .NET assemblies that can easily be used at scale. There are great projects available like dnlib, AsmResolver or PEReader. However, they are all built in C#, which makes them difficult to use if you're not proficient in that language. Some are also not very comprehensive or well documented.
There are some promising open source projects written in Python like netfile and dnfile. However, they partly suffer from the same issues as the libraries built in C#, although the latter looks quite comprehensive in functionality.
Lastly, we wanted not only to provide an easy-to-use API but also to contribute new methods that improve file detection. These include the MemberRef hash (experimental) and both the original and a modified version of the TypeRef hash.
The aim of this project is to give malware analysts and threat hunters a tool to easily pull information out of the CLR header. You don't need to be an expert on the CLR header or get lost in its specification to use this library. By using the API, you'll also learn how the header is structured and hopefully get a better understanding of this file type in general.
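To make concrete what "information from the CLR header" means, here is an added, self-contained Python example that is not this project's own code or API. It walks from the DOS header to the COM descriptor data directory (index 14), reads the IMAGE_COR20_HEADER fields (runtime version, flags, entry point token, metadata location) and then parses the metadata root ("BSJB" signature, CLR version string and stream headers), which is where the TypeRef and MemberRef tables live. The input image is constructed in `build_sample_image()` purely for demonstration: it is a minimal, hypothetical PE32 layout with one section, not a real assembly, and its optional header carries only the fields the parser reads.

```python
"""Minimal parser for the CLR header (IMAGE_COR20_HEADER) and metadata root of a .NET PE."""
import struct

# IMAGE_COR20_HEADER.Flags bits (CorHdr.h / ECMA-335 II.25.3.3.1)
COR20_FLAGS = {
    0x00000001: "ILONLY",
    0x00000002: "32BITREQUIRED",
    0x00000004: "IL_LIBRARY",
    0x00000008: "STRONGNAMESIGNED",
    0x00000010: "NATIVE_ENTRYPOINT",
    0x00010000: "TRACKDEBUGDATA",
    0x00020000: "32BITPREFERRED",
}


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def parse_clr_header(data):
    """Return a dict describing the CLR header and metadata root, or None for a native PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32, magic 0x10B) or +112 (PE32+); entry 14 is the COM descriptor
    dir_base = opt + (96 if magic == 0x10B else 112)
    clr_rva, _clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8)
    if clr_rva == 0:
        return None  # no CLR header: this is a plain native PE
    sections, sec = [], opt + opt_size
    for _ in range(num_sections):  # IMAGE_SECTION_HEADER is 40 bytes; sizes/addresses start at +8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
        sec += 40
    f = struct.unpack_from("<IHH" + "I" * 16, data, _rva_to_offset(sections, clr_rva))
    hdr = {
        "cb": f[0],
        "runtime_version": "%d.%d" % (f[1], f[2]),
        "metadata_rva": f[3], "metadata_size": f[4],
        "flags": [name for bit, name in COR20_FLAGS.items() if f[5] & bit],
        "entry_point": f[6],
        "strong_name_rva": f[9], "strong_name_size": f[10],
    }
    # Metadata root (ECMA-335 II.24.2.1): "BSJB", versions, padded version string, stream headers
    md = _rva_to_offset(sections, f[3])
    sig, _maj, _min, _res, vlen = struct.unpack_from("<IHHII", data, md)
    if sig != 0x424A5342:
        raise ValueError("bad metadata signature")
    hdr["clr_version_string"] = data[md + 16:md + 16 + vlen].split(b"\0", 1)[0].decode()
    p = md + 16 + vlen
    _mdflags, nstreams = struct.unpack_from("<HH", data, p)
    p += 4
    streams = {}
    for _ in range(nstreams):
        soff, ssize = struct.unpack_from("<II", data, p)
        p += 8
        end = data.index(b"\0", p)
        streams[data[p:end].decode()] = (soff, ssize)
        p += (end + 1 - p + 3) & ~3  # stream name is NUL-terminated and padded to 4 bytes
    hdr["streams"] = streams
    return hdr


def build_sample_image():
    """Constructed, hypothetical PE32 image (not a real assembly) with a CLR header and metadata root."""
    md = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, 12) + b"v4.0.30319\0\0"
    names = [b"#~\0\0", b"#Strings\0\0\0\0", b"#US\0", b"#GUID\0\0\0", b"#Blob\0\0\0"]
    md += struct.pack("<HH", 0, len(names))
    for i, n in enumerate(names):
        md += struct.pack("<II", 0x6C + i * 0x10, 0x10) + n
    # cb=72, runtime 2.5, metadata at RVA 0x2048, flags ILONLY|STRONGNAMESIGNED, entry token 0x06000001
    cor20 = struct.pack("<IHH" + "I" * 16, 72, 2, 5, 0x2048, len(md), 0x9, 0x06000001,
                        0, 0, 0x2100, 128, *([0] * 8))
    section_data = (cor20 + md).ljust(0x200, b"\0")
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 14 * 8, 0x2000, 72)  # COM descriptor directory -> CLR header
    optional = struct.pack("<H", 0x10B) + bytes(94) + bytes(dirs)  # only Magic and directories populated
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(optional), 0x0102)
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    headers = dos + b"PE\0\0" + file_hdr + optional + section_hdr
    return headers.ljust(0x200, b"\0") + section_data


if __name__ == "__main__":
    print(parse_clr_header(build_sample_image()))
```

Swapping `build_sample_image()` for `open(path, "rb").read()` runs the same parser over a real assembly; the flags, entry point token, strong-name directory and the set of metadata streams are exactly the kind of CLR-level facts the introduction refers to.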
Finally, we want to encourage other people to start digging into the CLR header to find more information that can be used to identify malware.