load Windows Common Language Runtime

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: load Windows Common Language Runtime
    namespace: load-code/dotnet
    authors:
      - michael.hunhoff@mandiant.com
      - blas.kojusner@mandiant.com
      - jakub.jozwiak@mandiant.com
    scopes:
      static: function
      dynamic: unsupported
    references:
      - https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
      - https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c
    examples:
      - 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030
  features:
    - or:
      - and:
        - description: .NET Framework versions 2.0, 3.0, 3.5
        - or:
          - api: mscoree.CorBindToRuntime
          - api: mscoree.CorBindToRuntimeEx
          - api: mscoree.CorBindToRuntimeHost
          - api: mscoree.CorBindToRuntimeByCfg
          - api: mscoree.CorBindToCurrentRuntime
          - api: ole32.CoCreateInstance
          - and:
            - or:
              - string: "CorBindToRuntime"
              - string: "CorBindToRuntimeEx"
              - string: "CorBindToRuntimeHost"
              - string: "CorBindToRuntimeByCfg"
              - string: "CorBindToCurrentRuntime"
              - string: "CoCreateInstance"
            - match: link function at runtime on Windows
        - bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost
        - bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost
      - and:
        - description: .NET Framework version 4.x
        - or:
          - api: mscoree.CLRCreateInstance
          - and:
            - string: "CLRCreateInstance"
            - match: link function at runtime on Windows
        - bytes: 8D 18 80 92 8E 0E 67 48 B3 0C 7F A8 38 84 E8 DE = CLSID_CLRMetaHost
        - bytes: 9E DB 32 D3 B3 B9 25 41 82 07 A1 48 84 F5 32 16 = IID_ICLRMetaHost