Remove check in dotnet_is_dotnet that doesn't seem necessary.

plusvic · plusvic · commit a0241546df20 · 2024-03-07T10:39:43.000+01:00
This function was checking the first two bytes at the entrypoint of .NET files, if the bytes were not `FF 25` the file was not considered a .NET file. This check was overly restrictive, as some files like `8fa7fe73a65296e9ca8301734a0deaa298cda0b7a65f6b7d2ef6d1c8bbb8cd7a` don't have such files at the entrypoint.
diff --git a/libyara/modules/dotnet/dotnet.c b/libyara/modules/dotnet/dotnet.c
@@ -3288,19 +3288,6 @@ static bool dotnet_is_dotnet(PE* pe)
         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
       return false;
   }
-  else if (!(pe->header->FileHeader.Characteristics & IMAGE_FILE_DLL))  // 32bit
-  {
-    // Check first 2 bytes of the Entry point are equal to 0xFF 0x25
-    int64_t entry_offset = pe_rva_to_offset(
-        pe, yr_le32toh(pe->header->OptionalHeader.AddressOfEntryPoint));
-
-    if (entry_offset < 0 || !fits_in_pe(pe, pe->data + entry_offset, 2))
-      return false;
-
-    const uint8_t* entry_data = pe->data + entry_offset;
-    if (!(entry_data[0] == 0xFF && entry_data[1] == 0x25))
-      return false;
-  }
 
   return true;
 }
