unmanaged call

rule:
  meta:
    name: unmanaged call
    namespace: runtime
    authors:
      - michael.hunhoff@mandiant.com
    description: managed code calls unmanaged (native) code, often seen in .NET
    scopes:
      static: function
      dynamic: unsupported
  features:
    - or:
      - characteristic: unmanaged call
      - match: unmanaged call via dynamic PInvoke in .NET
      - api: System.Runtime.InteropServices.Marshal::GetDelegateForFunctionPointer