Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,74 @@
# .NET Malware Analysis
> Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies.
**FOR610 Labs:** 3.12, 4.8
## Steps
### Step 1: Identification & Metadata
**Tools:** [[tools/peframe|peframe]], [[tools/diec|diec]], [[tools/dnfile|dnfile]], [[tools/dotnetfile|dotnetfile]]
Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies.
```bash
peframe specimen.exe
diec specimen.exe
```
### Step 2: Obfuscator Detection
**Tools:** [[tools/diec|diec]], [[tools/de4dot|de4dot]]
Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d <sample> reports detected obfuscator without modifying the file.
```bash
diec specimen.exe
de4dot obfuscated.exe
```
### Step 3: Decompilation
**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/monodis|monodis]]
Decompile to C# source: ilspycmd <sample> > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources.
```bash
ilspycmd assembly.exe > decompiled.cs
```
### Step 4: Dynamic Loading Detection
**Tools:** [[tools/visual-studio-code|visual-studio-code]]
Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading.
```bash
code filename.js
```
### Step 5: Deobfuscation
**Tools:** [[tools/de4dot|de4dot]]
Run: de4dot <sample> -o <clean>. If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants.
```bash
de4dot obfuscated.exe
```
### Step 6: Dynamic Debugging [W]
**Tools:** [[tools/dnspyex|dnspyex]]
If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk.
### Step 7: Extracted Payload Analysis
**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/peframe|peframe]]
Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain.
```bash
ilspycmd assembly.exe > decompiled.cs
peframe specimen.exe
```
### Step 8: Document Findings
Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms.
#dotnet #decompilation #deobfuscation #ilspy #de4dot #workflow
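Review bot: the command blocks in Step 2 and Step 5 contradict the prose they illustrate. Step 2 states that `de4dot -d <sample>` reports the detected obfuscator without modifying the file, but its block runs `de4dot obfuscated.exe`, which is the same invocation Step 5 uses for deobfuscation; it should read `de4dot -d obfuscated.exe`. Step 5's prose gives `de4dot <sample> -o <clean>` while its block again drops `-o`; suggest `de4dot obfuscated.exe -o deobfuscated.exe` so the cleaned output is named as the text describes. Step 4's block `code filename.js` opens a JavaScript file in a step that searches the C# produced in Step 3 for Assembly.Load(byte[]), Activator.CreateInstance() and the like; `code decompiled.cs` would match the pipeline, and a grep over decompiled.cs for those method names would serve a reader better than opening an editor. Minor: the sample name changes between `specimen.exe`, `obfuscated.exe` and `assembly.exe` across steps, and Step 7 repeats Step 3's `ilspycmd assembly.exe` rather than naming the extracted payload; one consistent placeholder per stage would make the unpacking chain easier to follow.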