From 83523e848880e6549fdc6dd3bdc79d2ca2ed3d27 Mon Sep 17 00:00:00 2001
From: jtothej <95413053+jtothej@users.noreply.github.com>
Date: Thu, 13 Jul 2023 17:50:50 +0800
Subject: [PATCH] Merge execute-dotnet-assembly-via-clr-host.yml with load-windows-common-language-runtime.yml and promote load-windows-common-language-runtime.yml
---
 .../execute-dotnet-assembly-via-clr-host.yml | 28 ----------
 .../load-windows-common-language-runtime.yml | 46 +++++++++++++++++++
 .../load-windows-common-language-runtime.yml | 15 ------
 3 files changed, 46 insertions(+), 43 deletions(-)
 delete mode 100644 load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml
 create mode 100644 load-code/dotnet/load-windows-common-language-runtime.yml
 delete mode 100644 nursery/load-windows-common-language-runtime.yml
diff --git a/load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml b/load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml
deleted file mode 100644
index 88f0142ac..000000000
--- a/load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-# generated using capa explorer for IDA Pro
-rule:
- meta:
- name: execute .NET assembly via CLR host
- namespace: load-code/dotnet
- authors:
- - blas.kojusner@mandiant.com
- description: may be used to evade hooks or hinder analysis
- scope: function
- references:
- - https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp
- examples:
- - 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030
- features:
- - and:
- - bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost
- - bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost
- - api: CorBindToRuntime
- - optional:
- - basic block:
- - or:
- - and:
- - operand[0].offset: 0x50 = Start
- - characteristic: indirect call
- - and:
- - operand[0].offset: 0x68 = GetDefaultDomain
- - characteristic: indirect call
- - api: SafeArrayCreate
diff --git a/load-code/dotnet/load-windows-common-language-runtime.yml b/load-code/dotnet/load-windows-common-language-runtime.yml
new file mode 100644
index 000000000..de821ea11
--- /dev/null
+++ b/load-code/dotnet/load-windows-common-language-runtime.yml
@@ -0,0 +1,46 @@
+# generated using capa explorer for IDA Pro
+rule:
+ meta:
+ name: load Windows Common Language Runtime
+ namespace: load-code/dotnet
+ authors:
+ - michael.hunhoff@mandiant.com
+ - blas.kojusner@mandiant.com
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ references:
+ - https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
+ - https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c
+ examples:
+ - 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030
+ features:
+ - or:
+ - and:
+ - description: .NET Framework versions 2.0, 3.0, 3.5
+ - or:
+ - api: mscoree.CorBindToRuntime
+ - api: mscoree.CorBindToRuntimeEx
+ - api: mscoree.CorBindToRuntimeHost
+ - api: mscoree.CorBindToRuntimeByCfg
+ - api: mscoree.CorBindToCurrentRuntime
+ - api: ole32.CoCreateInstance
+ - and:
+ - or:
+ - string: "CorBindToRuntime"
+ - string: "CorBindToRuntimeEx"
+ - string: "CorBindToRuntimeHost"
+ - string: "CorBindToRuntimeByCfg"
+ - string: "CorBindToCurrentRuntime"
+ - string: "CoCreateInstance"
+ - match: link function at runtime on Windows
+ - bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost
+ - bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost
+ - and:
+ - description: .NET Framework version 4.x
+ - or:
+ - api: mscoree.CLRCreateInstance
+ - and:
+ - string: "CLRCreateInstance"
+ - match: link function at runtime on Windows
+ - bytes: 8D 18 80 92 8E 0E 67 48 B3 0C 7F A8 38 84 E8 DE = CLSID_CLRMetaHost
+ - bytes: 9E DB 32 D3 B3 B9 25 41 82 07 A1 48 84 F5 32 16 = IID_ICLRMetaHost
diff --git a/nursery/load-windows-common-language-runtime.yml b/nursery/load-windows-common-language-runtime.yml
deleted file mode 100644
index 6251b99bb..000000000
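Review bot: `api: ole32.CoCreateInstance` appears to stand on its own as an alternative inside the ".NET Framework versions 2.0, 3.0, 3.5" `or` (the hunk's indentation is lost in this view, so the nesting is inferred), which would let any function that creates a COM object satisfy the rule, and `string: "CoCreateInstance"` under the `link function at runtime on Windows` branch is just as broad. The deleted `execute .NET assembly via CLR host` rule only matched when the CLSID_CorRuntimeHost/IID_ICorRuntimeHost bytes were present together with the binding API, and those two GUID `bytes` entries are already listed as alternatives in this `or`, so the CoCreateInstance-based path is covered without the generic API; I would drop `- api: ole32.CoCreateInstance` and `- string: "CoCreateInstance"`. The single `examples` entry is carried over from the deleted rule and exercises the CorBindToRuntime path, so the ".NET Framework version 4.x" `CLRCreateInstance` branch has no example sample; add one in the form `- <SAMPLE-MD5>:<FUNCTION-VA>` when one is available. The merge also loses the `description:` that the deleted rule carried in `meta`; a line such as `description: may be used by native code to host the CLR and run managed code in memory` would restore that context for analysts reading a match.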
--- a/nursery/load-windows-common-language-runtime.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# generated using capa explorer for IDA Pro
-rule:
- meta:
- name: load Windows Common Language Runtime
- namespace: load-code/dotnet
- authors:
- - michael.hunhoff@mandiant.com
- scope: basic block
- features:
- - or:
- - api: mscoree.CorBindToRuntime
- - api: mscoree.CorBindToRuntimeEx
- - api: mscoree.CorBindToRuntimeHost
- - api: mscoree.CorBindToRuntimeByCfg
- - api: mscoree.CorBindToCurrentRuntime