# .NET Malware Analysis

> Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies.

**FOR610 Labs:** 3.12, 4.8

## Steps

### Step 1: Identification & Metadata

**Tools:** [[tools/peframe|peframe]], [[tools/diec|diec]], [[tools/dnfile|dnfile]], [[tools/dotnetfile|dotnetfile]]

Confirm it is a .NET binary (peframe shows 'CLR'). Check the runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note the entry point and referenced assemblies.

```bash
peframe specimen.exe
diec specimen.exe
```

### Step 2: Obfuscator Detection

**Tools:** [[tools/diec|diec]], [[tools/de4dot|de4dot]]

Detect the obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. `de4dot -d` reports the detected obfuscator without modifying the file.

```bash
diec specimen.exe
# -d only detects; it does not write a cleaned copy
de4dot -d obfuscated.exe
```

### Step 3: Decompilation

**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/monodis|monodis]]

Decompile to C# source: `ilspycmd > output.cs`. On REMnux use ilspycmd (CLI). Examine: the Main() entry, suspicious class/method names, embedded resources.

```bash
ilspycmd assembly.exe > decompiled.cs
```

### Step 4: Dynamic Loading Detection

**Tools:** [[tools/visual-studio-code|visual-studio-code]]

Search the decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading.

```bash
# open the C# produced in Step 3
code decompiled.cs
```

### Step 5: Deobfuscation

**Tools:** [[tools/de4dot|de4dot]]

Run: `de4dot -o`. If de4dot fails: try the `--dont-rename` flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants.

```bash
de4dot obfuscated.exe
```

### Step 6: Dynamic Debugging [W]

**Tools:** [[tools/dnspyex|dnspyex]]

If static analysis is insufficient: load in dnSpyEx, set a breakpoint on Assembly.Load or a suspicious method. Run and inspect the Locals window for decrypted payloads. Save byte[] arrays to disk.
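The Step 4 search, done as a triage script rather than by hand: an added example (not part of this note or of any of the tools above) that scans ilspycmd-style C# output for the dynamic-loading indicators listed in Step 4 plus the embedded-resource access from Step 3, and reduces the hits to a loader verdict. The regex spellings and the sample source are assumptions; the sample is constructed, not real malware.

```python
import re

# Step 4 indicators grouped by what they reveal. The regexes are an assumption:
# they cover the usual call spellings, not every alias a decompiler can emit.
INDICATORS = {
    "reflective-load": r"\bAssembly\.(Load|LoadFrom|LoadFile)\s*\(",
    "reflective-invoke": r"\bActivator\.CreateInstance\s*\(|\.Invoke\s*\(\s*\w+\s*,",
    "runtime-compile": r"\bCSharpCodeProvider\b|\bCompileAssemblyFromSource\s*\(",
    "embedded-resource": r"\bGetManifestResourceStream\s*\(",
}

def scan_decompiled(source: str) -> list:
    """Return (line_number, category, line_text) for every hit, in file order."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # decompiler comments are not evidence
            continue
        for category, pattern in INDICATORS.items():
            if re.search(pattern, line):
                hits.append((lineno, category, stripped))
                break  # one category per line is enough for triage
    return hits

def verdict(hits) -> str:
    """Collapse hits into the Step 4 question: does this sample load code at runtime?"""
    cats = {c for _, c, _ in hits}
    if cats & {"reflective-load", "runtime-compile"}:
        return "dynamic-loader"
    return "reflection-only" if cats else "none"

# Constructed sample resembling ilspycmd output for a two-stage loader (not real malware).
SAMPLE = """\
using System.Reflection;
internal static class Program
{
    private static void Main()
    {
        Stream s = Assembly.GetExecutingAssembly().GetManifestResourceStream("data.bin");
        byte[] buf = new byte[s.Length];
        s.Read(buf, 0, buf.Length);
        Assembly asm = Assembly.Load(Decrypt(buf));  // stage 2 never touches disk
        object inst = Activator.CreateInstance(asm.GetType("Stage2.Runner"));
        asm.GetType("Stage2.Runner").GetMethod("Run").Invoke(inst, null);
    }
}
"""

if __name__ == "__main__":
    for lineno, cat, text in scan_decompiled(SAMPLE):
        print(f"{lineno:4d}  {cat:<18} {text}")
```

Each hit line number maps straight to a breakpoint location for Step 6, and a "dynamic-loader" verdict is the cue to expect an extracted payload in Step 7.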
### Step 7: Extracted Payload Analysis

**Tools:** [[tools/ilspycmd|ilspycmd]], [[tools/peframe|peframe]]

Analyze the extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain.

```bash
ilspycmd assembly.exe > decompiled.cs
peframe specimen.exe
```

### Step 8: Document Findings

Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms.

#dotnet #decompilation #deobfuscation #ilspy #de4dot #workflow