adding rules to detect .NET reflection techniques (mandiant#690)

* adding rules to detect .NET reflection techniques

nursery/generate-method-via-reflection-in-dotnet.yml

@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: generate method via reflection in .NET
+    namespace: load-code/dotnet
+    authors:
+      - [email protected]
+    description: https://github.com/bohops/DynamicDotNet/blob/main/assembly_loader/DynamicAssemblyLoader.cs
+    scope: function
+  features:
+    - or:
+      - api: System.Reflection.Emit.DynamicMethod::ctor
+      - api: System.Reflection.Emit.DynamicMethod::GetILGenerator
+      - api: System.Reflection.Emit.ILGenerator::Emit
+      - api: System.Reflection.Emit.ILGenerator::EmitCall
+      - api: System.Reflection.Emit.ILGenerator::EmitCalli
+      - api: System.Reflection.Emit.ILGenerator::EmitWriteLine

nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml

@@ -0,0 +1,15 @@
+rule:
+  meta:
+    name: unmanaged call via dynamic PInvoke in .NET
+    namespace: runtime/dotnet
+    authors:
+      - [email protected]
+    description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs
+    scope: function
+  features:
+    - and:
+      - or:
+        - api: System.Reflection.Emit.ModuleBuilder::DefinePInvokeMethod
+        - api: System.Reflection.Emit.TypeBuilder::DefinePInvokeMethod
+      - optional:
+        - api: System.Reflection.MethodBase::Invoke

nursery/unmanaged-call.yml

@@ -9,4 +9,5 @@ rule:
   features:
     - or:
       - characteristic: unmanaged call
+      - match: unmanaged call via dynamic PInvoke in .NET
       - api: System.Runtime.InteropServices.Marshal::GetDelegateForFunctionPointer