enumerate PE sections in .NET

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: enumerate PE sections in .NET
    namespace: load-code/pe
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: unsupported  # requires property features
    mbc:
      - Discovery::Code Discovery::Enumerate PE Sections [B0046.001]
  features:
    - and:
      - format: dotnet
      - optional:
        - api: System.Diagnostics.Process::GetCurrentProcess
        - property/read: System.Diagnostics.ProcessModule::BaseAddress
        - api: System.IntPtr::ToInt32
      - api: System.Runtime.InteropServices.Marshal::ReadInt32
      - number: 0x3C = IMAGE_DOS_HEADER.e_lfanew
      - number: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections

last edited: 2023-11-24 10:34:28