dotscope 0.6.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

//! Result capture for .NET emulation.
//!
//! This module provides the infrastructure for collecting and storing data
//! intercepted during .NET emulation. The primary entry point is [`CaptureContext`],
//! which serves as the central collection point for all captured data.
//!
//! # Overview
//!
//! During emulation of .NET assemblies, various interesting events occur that
//! reveal the true behavior of obfuscated or packed code. This module captures:
//!
//! - **Assemblies**: Loaded via `Assembly.Load(byte[])` and similar methods,
//!   enabling extraction of packed or encrypted payloads
//! - **Strings**: Decrypted or dynamically generated strings that may reveal
//!   configuration, URLs, registry keys, or other sensitive data
//! - **Buffers**: Raw byte buffers from `Marshal.Copy`, crypto transforms, and
//!   other memory operations
//! - **File Operations**: File system access patterns including reads, writes,
//!   and directory operations
//! - **Network Operations**: TCP/UDP connections, HTTP requests, DNS lookups,
//!   and data transfers
//! - **Method Returns**: Return values from specific monitored methods
//! - **Memory Snapshots**: Point-in-time captures of configured memory regions
//!
//! # Architecture
//!
//! The module is organized into two main components:
//!
//! - [`context`]: Contains [`CaptureContext`], the thread-safe collection point
//! - [`types`]: Defines all data structures for captured items
//!
//! # Usage
//!
//! The capture context is typically created at the start of emulation and shared
//! with the emulation engine. Data is captured automatically as the emulated
//! code executes.
//!
//! ```ignore
//! use dotscope::emulation::capture::CaptureContext;
//!
//! // Create a capture context (captures everything by default)
//! let ctx = CaptureContext::new();
//!
//! // Pass ctx to the emulation engine...
//!
//! // After emulation, retrieve captured data
//! for assembly in ctx.assemblies() {
//!     println!("Extracted assembly: {} bytes", assembly.data.len());
//!     // Save assembly.data to disk for further analysis
//! }
//!
//! for string in ctx.strings() {
//!     println!("Decrypted: {}", string.value);
//! }
//!
//! // Check statistics
//! let stats = ctx.stats();
//! println!("Total captured: {} assemblies, {} strings",
//!          stats.assembly_bytes, stats.string_count);
//! ```
//!
//! # Configuration
//!
//! Capture behavior can be controlled via [`CaptureConfig`](crate::emulation::process::CaptureConfig):
//!
//! ```ignore
//! use dotscope::emulation::capture::CaptureContext;
//! use dotscope::emulation::process::CaptureConfig;
//!
//! // Only capture assemblies (minimal overhead)
//! let ctx = CaptureContext::assemblies_only();
//!
//! // Or with full configuration
//! let config = CaptureConfig {
//!     assemblies: true,
//!     strings: true,
//!     file_operations: false,  // Don't capture file ops
//!     network_operations: false,  // Don't capture network ops
//!     ..Default::default()
//! };
//! let ctx = CaptureContext::with_config(config);
//! ```
//!
//! # Thread Safety
//!
//! [`CaptureContext`] is designed for concurrent access from multiple emulation
//! threads. All capture operations use fine-grained locking and are non-blocking
//! for readers.

mod context;
mod types;

pub use context::CaptureContext;
pub use types::{
    AssemblyLoadMethod, BufferSource, CaptureSource, CapturedAssembly, CapturedBuffer,
    CapturedMethodReturn, CapturedString, FileOpKind, FileOperation, MemorySnapshot, NetworkOpKind,
    NetworkOperation,
};