From c051113d1041ff36e653675a9bfe9e751d8b1f01 Mon Sep 17 00:00:00 2001
From: AlessandroZ
Date: Tue, 27 Nov 2018 14:03:24 +0100
Subject: [PATCH] add warning when .NET bin is loaded on memory
---
 pupy/modules/lib/windows/memory_exec.py | 14 +++++++++-----
 pupy/pupylib/utils/pe.py | 16 +++++++++++++---
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/pupy/modules/lib/windows/memory_exec.py b/pupy/modules/lib/windows/memory_exec.py
index 5718d416..2f94a9bb 100644
--- a/pupy/modules/lib/windows/memory_exec.py
+++ b/pupy/modules/lib/windows/memory_exec.py
@@ -2,10 +2,11 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu)
 # Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
-from pupylib.utils.pe import get_pe_arch
+from pupylib.utils.pe import get_pe_arch, is_dotnet_bin
 from modules.lib.utils.cmdrepl import CmdRepl
 import threading
+
 def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_impersonation=False, suspended_process="cmd.exe", codepage=None):
 if not raw_pe and not path:
 raise Exception("raw_pe or path must be supplied")
@@ -16,14 +17,19 @@ def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_im
 if pe_arch != proc_arch:
 module.error(
 '%s is a %s PE and your pupy payload is a %s process. '
- 'Please inject a %s PE or migrate into a %s process first'%(
+ 'Please inject a %s PE or migrate into a %s process first' % (
 path, pe_arch, proc_arch, proc_arch, pe_arch))
+ return
+ if is_dotnet_bin(path):
+ module.error(
+ '%s is a .Net binary. Right now this kind of binary is not managed and cannot be loaded '
+ 'in memory.' % path)
 return
 if not raw_pe:
 raw_pe = b''
- with open(path,'rb') as f:
+ with open(path, 'rb') as f:
 raw_pe = f.read()
 dupHandle = None
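Review bot: The new `if is_dotnet_bin(path):` check runs whenever the architecture check passes, but `path` can be None at that point — the guard at the top of exec_pe explicitly accepts a `raw_pe` buffer with no `path` — so a raw_pe-only call now hands None to pefile.PE and fails before it reaches the existing `if not raw_pe:` handling below. Guard the call, `if path and is_dotnet_bin(path):`, or extend is_dotnet_bin to accept the bytes as `data=` the way get_pe_arch does, so the raw_pe case is checked as well rather than skipped. The body of exec_pe continues past this hunk.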
@@ -58,7 +64,6 @@ def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_im
 module.client.conn.register_remote_cleanup(
 module.mp.close
 )
-
 if module.mp.execute(complete.set, repl._con_write):
 complete.wait()
 module.mp.close()
@@ -79,5 +84,4 @@ def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_im
 else:
 module.error('Launch failed')
-
 return module.mp.stdout
diff --git a/pupy/pupylib/utils/pe.py b/pupy/pupylib/utils/pe.py
index 5592d8f8..f2e7cd02 100644
--- a/pupy/pupylib/utils/pe.py
+++ b/pupy/pupylib/utils/pe.py
@@ -3,17 +3,27 @@
 import pefile
+
 def get_pe_arch(*args, **kwargs):
- pe=None
+ pe = None
 if args:
 pe = pefile.PE(args[0], fast_load=True)
 elif "data" in kwargs:
 pe = pefile.PE(data=kwargs["data"], fast_load=True)
 else:
 raise NameError("at least a path or data must be supplied to get_arch")
- if pe.OPTIONAL_HEADER.Magic==0x010b:
+ if pe.OPTIONAL_HEADER.Magic == 0x010b:
 return "32bit"
- elif pe.OPTIONAL_HEADER.Magic==0x020b:
+ elif pe.OPTIONAL_HEADER.Magic == 0x020b:
 return "64bit"
 else:
 return "UNKNOWN"
+
+
+def is_dotnet_bin(*args):
+ pe = pefile.PE(args[0], fast_load=True)
+ is_dotnet = pe.OPTIONAL_HEADER.DATA_DIRECTORY[14]
+ if is_dotnet.VirtualAddress == 0 and is_dotnet.Size == 0:
+ return False
+ else:
+ return True
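Review bot: `is_dotnet_bin` indexes `DATA_DIRECTORY[14]` unconditionally; pefile appears to fill that list from the optional header's `NumberOfRvaAndSizes`, so a PE declaring fewer than 15 directory entries would raise IndexError here instead of returning False, and the parsed `pe` object is never closed, which leaks the mapping until garbage collection. The bare `14` should be the named entry `pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR']`, the `*args` signature raises IndexError on a missing argument rather than a clear error, and unlike `get_pe_arch` in the same hunk the function cannot take `data=`, so a caller holding only the raw bytes cannot use it. The rewrite below keeps the positional-path call compatible while accepting `data=`, bounding the index, and closing the parser; the `if/else` returning True/False collapses to one boolean expression.
```python
def is_dotnet_bin(*args, **kwargs):
    """Return True when the PE at args[0] (or kwargs["data"]) carries a CLR header."""
    if args:
        pe = pefile.PE(args[0], fast_load=True)
    elif "data" in kwargs:
        pe = pefile.PE(data=kwargs["data"], fast_load=True)
    else:
        raise NameError("at least a path or data must be supplied to is_dotnet_bin")
    try:
        dirs = pe.OPTIONAL_HEADER.DATA_DIRECTORY
        idx = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR']
        if idx >= len(dirs):
            # header declares fewer directories than the CLR slot: not .NET
            return False
        clr = dirs[idx]
        return clr.VirtualAddress != 0 or clr.Size != 0
    finally:
        pe.close()
```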