From 34bff7352ba3e07ba39587d21ea0271cafff2e68 Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Tue, 7 Feb 2023 08:56:19 -0700
Subject: [PATCH] adding rules to detect .NET reflection techniques (#690)
* adding rules to detect .NET reflection techniques
---
 .../generate-method-via-reflection-in-dotnet.yml | 16 ++++++++++++++++
 ...anaged-call-via-dynamic-pinvoke-in-dotnet.yml | 15 +++++++++++++++
 nursery/unmanaged-call.yml | 1 +
 3 files changed, 32 insertions(+)
 create mode 100644 nursery/generate-method-via-reflection-in-dotnet.yml
 create mode 100644 nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
diff --git a/nursery/generate-method-via-reflection-in-dotnet.yml b/nursery/generate-method-via-reflection-in-dotnet.yml
new file mode 100644
index 000000000..7eb4e8932
--- /dev/null
+++ b/nursery/generate-method-via-reflection-in-dotnet.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: generate method via reflection in .NET
+ namespace: load-code/dotnet
+ authors:
+ - michael.hunhoff@mandiant.com
+ description: https://github.com/bohops/DynamicDotNet/blob/main/assembly_loader/DynamicAssemblyLoader.cs
+ scope: function
+ features:
+ - or:
+ - api: System.Reflection.Emit.DynamicMethod::ctor
+ - api: System.Reflection.Emit.DynamicMethod::GetILGenerator
+ - api: System.Reflection.Emit.ILGenerator::Emit
+ - api: System.Reflection.Emit.ILGenerator::EmitCall
+ - api: System.Reflection.Emit.ILGenerator::EmitCalli
+ - api: System.Reflection.Emit.ILGenerator::EmitWriteLine
diff --git a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
new file mode 100644
index 000000000..bb317854f
--- /dev/null
+++ b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
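Review bot: Any single one of the six `api` features satisfies the top-level `or`, so a function whose only reflection-emit activity is `ILGenerator::EmitWriteLine` (the convenience helper that emits a `Console.WriteLine`) or a lone `ILGenerator::Emit` is reported as "generate method via reflection" under `load-code/dotnet`, which is a strong claim for a weak signal. If the referenced DynamicAssemblyLoader sample constructs a `DynamicMethod`, takes its `ILGenerator` and emits into it within one function, as the API list suggests, then making the top-level node `- and:` with one `or` of `DynamicMethod::ctor`/`DynamicMethod::GetILGenerator` and a second `or` of the four `ILGenerator::Emit*` APIs would still match it while filtering incidental emit calls; `System.Reflection.Emit.DynamicMethod::CreateDelegate` is worth adding to the second group, since that is the step that turns emitted IL into something callable. The sample URL is placed in `description:`; capa meta has a `references:` list for URLs, so move it there and give `description` a one-line summary such as `description: build a method body at runtime with System.Reflection.Emit`.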
@@ -0,0 +1,15 @@
+rule:
+ meta:
+ name: unmanaged call via dynamic PInvoke in .NET
+ namespace: runtime/dotnet
+ authors:
+ - michael.hunhoff@mandiant.com
+ description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs
+ scope: function
+ features:
+ - and:
+ - or:
+ - api: System.Reflection.Emit.ModuleBuilder::DefinePInvokeMethod
+ - api: System.Reflection.Emit.TypeBuilder::DefinePInvokeMethod
+ - optional:
+ - api: System.Reflection.MethodBase::Invoke
diff --git a/nursery/unmanaged-call.yml b/nursery/unmanaged-call.yml
index 1f5006644..bb07ed993
--- a/nursery/unmanaged-call.yml
+++ b/nursery/unmanaged-call.yml
@@ -9,4 +9,5 @@ rule:
 features:
 - or:
 - characteristic: unmanaged call
+ - match: unmanaged call via dynamic PInvoke in .NET
 - api: System.Runtime.InteropServices.Marshal::GetDelegateForFunctionPointer
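Review bot: The `optional:` `MethodBase::Invoke` clause does not influence matching, so the rule fires on the definition of a P/Invoke stub alone while its name asserts that an unmanaged call is made; with `scope: function`, the invocation of a `TypeBuilder`-defined method may well live in a different function from the one calling `DefinePInvokeMethod` (the type typically has to be finalized with `TypeBuilder::CreateType` first), so the optional clause will seldom co-occur anyway. Either name the rule for what it detects, e.g. `name: define unmanaged function via dynamic PInvoke in .NET`, or make the call the required feature and keep the defining step optional, and state in `description` that the definition is what is matched. The sample URL belongs under `references:` in capa meta rather than in `description:`, which should hold a short summary of the technique.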
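Review bot: With this `match:`, the generic `unmanaged call` rule now fires whenever the dynamic-PInvoke rule does, and that rule's only required feature is a `DefinePInvokeMethod` call, so a function that merely defines a P/Invoke stub and never invokes it is reported as making an unmanaged call. If counting the definition as an unmanaged-call indicator is intended, record that in this file's description (outside the hunk), e.g. `description: ... includes dynamic P/Invoke definitions, whose invocation may occur in another function`; otherwise the referenced rule needs the invoke as a required feature before this `match` is sound. The `rule:` header and `meta:` block of unmanaged-call.yml begin outside the hunk, and since the matched rule lives in the nursery, any later rename of it must be mirrored in this string or the lint step will flag a dangling match.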