============================================================
.NET Malware Analysis
============================================================
Analyze .NET malware using decompilation, debugging, and deobfuscation.
Works for .NET Framework, .NET Core, and mixed-mode assemblies.
Related FOR610 Labs: 3.12, 4.8
────────────────────────────────────────────────────────────
Step 1: Identification & Metadata
Tools: peframe, diec, dnfile, dotnetfile
Confirm it is a .NET binary: peframe shows 'CLR' (the PE has a
non-empty COM descriptor data directory) and diec reports the .NET
runtime. Check the runtime version (.NET 2/4/Core) from the metadata
version string, e.g. v4.0.30319. Use dnfile or dotnetfile (Python
libraries) for .NET-specific metadata: streams, TypeRefs, managed entry
point. Note the entry point and referenced assemblies.
$ peframe specimen.exe
$ diec specimen.exe
Step 2: Obfuscator Detection
Tools: diec, de4dot
Detect the obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor,
Babel, etc. de4dot -d only reports the detected obfuscator and exits
without writing a modified file.
$ diec specimen.exe
$ de4dot -d obfuscated.exe
Step 3: Decompilation
Tools: ilspycmd, monodis
Decompile to C# source: ilspycmd assembly.exe > output.cs, or
ilspycmd -p -o outdir/ assembly.exe for a full project with one file
per type and embedded resources written to disk. On REMnux use
ilspycmd (CLI). Examine: Main() entry, suspicious class/method names,
embedded resources.
$ ilspycmd assembly.exe > decompiled.cs
Step 4: Dynamic Loading Detection
Tools: visual-studio-code
Search the decompiled code for: Assembly.Load(byte[]),
Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(),
CSharpCodeProvider. These indicate runtime code loading; the byte[]
passed to Assembly.Load is usually the decrypted next stage.
$ code decompiled.cs
Step 5: Deobfuscation
Tools: de4dot
Run: de4dot obfuscated.exe -o deobfuscated.exe (without -o it writes
obfuscated-cleaned.exe). If de4dot fails: retry with --dont-rename,
or manually rename obfuscated symbols in the decompiler. Caveat: stock
de4dot targets the older Confuser 1.x; ConfuserEx samples usually need
a community fork or runtime dumping of the decrypted module (Step 6).
$ de4dot obfuscated.exe -o deobfuscated.exe
Step 6: Dynamic Debugging [W]
Tools: dnspyex
If static analysis is insufficient: load the sample in dnSpyEx, set a
breakpoint on Assembly.Load or the suspicious method, run, and inspect
the Locals window for decrypted payloads. Save byte[] arrays to disk
from the Locals window (right-click the array).
$ dnSpy.exe assembly.exe
Step 7: Extracted Payload Analysis
Tools: ilspycmd, peframe
Analyze the extracted payload: is it another .NET assembly? (recurse
this workflow). Is it a native PE file? (route to Static Analysis).
Document the unpacking chain.
$ ilspycmd payload.exe > decompiled.cs
$ peframe payload.exe
Step 8: Document Findings
Record: obfuscator type, .NET version, loading mechanism, payload
hashes, C2 endpoints found in decompiled code, encryption
keys/algorithms.
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat ' for full examples
     'Ctrl+G' for interactive cheatsheet browser
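The identification check in Step 1, the API search in Step 4 and the payload triage in Step 7 can be scripted in a few dozen lines of Python. The block below is an added example written for this page; it is not part of the cheat sheet, REMnux, dnfile or any other tool. It parses only the PE headers (no section mapping) to read the CLR data directory and the metadata version string, greps decompiled C# for the dynamic-loading calls listed in Step 4, and carves inline byte[] literals so each can be classified as .NET, native PE, or other. The minimal PE stub builder and the C# snippet are constructed test inputs, not real samples; all function names are this example's own.

```python
"""Added example for the .NET workflow (not a REMnux tool): CLR header and
runtime check (Step 1), dynamic-loading API search (Step 4), and carving of
inline byte[] payloads (Steps 6-7). Test inputs below are constructed."""
import re
import struct

DIR_COM_DESCRIPTOR = 14    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header
METADATA_MAGIC = b"BSJB"   # ECMA-335 II.24.2.1 metadata root signature

# Call sites that indicate runtime code loading (Step 4 of the cheat sheet).
DYNAMIC_LOAD_APIS = re.compile(
    r"Assembly\.Load(From)?\s*\(|Activator\.CreateInstance\s*\("
    r"|\.Invoke\s*\(|CSharpCodeProvider")
BYTE_ARRAY_LITERAL = re.compile(r"new\s+byte\s*\[\s*\d*\s*\]\s*\{([^}]*)\}")

def clr_info(data):
    """{'clr', 'pe32plus', 'runtime'} for a PE image, or None if not a PE.
    The metadata root is located by its 'BSJB' signature rather than by
    walking RVAs: fine for triage, may miss a packed/truncated image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24      # PE\0\0 (4) + COFF header (20) precede the optional header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:     # PE32+: 112 bytes in
        dirs = opt + 112
    else:
        return None
    entry = dirs + DIR_COM_DESCRIPTOR * 8
    if entry + 8 > len(data):
        return None
    rva, size = struct.unpack_from("<II", data, entry)
    info = {"clr": rva != 0 and size != 0, "pe32plus": magic == 0x20B, "runtime": None}
    pos = data.find(METADATA_MAGIC)
    if info["clr"] and pos != -1 and pos + 16 <= len(data):
        length = struct.unpack_from("<I", data, pos + 12)[0]   # version string length
        raw = data[pos + 16:pos + 16 + length]
        info["runtime"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return info

def find_dynamic_loading(source):
    """(line_no, stripped line) for each decompiled line calling a loading API."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if DYNAMIC_LOAD_APIS.search(line)]

def carve_byte_arrays(source):
    """Rebuild each inline `new byte[] { ... }` literal and classify it as
    'dotnet' (PE with CLR header), 'pe' (native PE) or 'other'."""
    out = []
    for m in BYTE_ARRAY_LITERAL.finditer(source):
        toks = re.findall(r"0[xX][0-9A-Fa-f]+|\d+", m.group(1))
        blob = bytes((int(t, 16) if t[:2].lower() == "0x" else int(t)) & 0xFF for t in toks)
        info = clr_info(blob)
        kind = "other" if info is None else ("dotnet" if info["clr"] else "pe")
        out.append((kind, blob))
    return out

def build_pe_stub(clr, runtime=b"v4.0.30319"):
    """Constructed, non-loadable PE32 header with an optional CLR directory
    entry and a metadata root carrying the runtime version string."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94            # PE32 magic, rest zeroed
    dirs = bytearray(16 * 8)
    meta = b""
    if clr:
        struct.pack_into("<II", dirs, DIR_COM_DESCRIPTOR * 8, 0x2008, 72)
        meta = METADATA_MAGIC + struct.pack("<HHII", 1, 1, 0, 12) + runtime.ljust(12, b"\0")
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + meta

def _literal(blob):
    return "new byte[] { " + ", ".join("0x%02X" % b for b in blob) + " }"

# Constructed decompiled output in the shape ilspycmd emits for a loader.
SAMPLE_SOURCE = """internal static class Program
{
    private static readonly byte[] stage2 = %s;
    private static readonly byte[] native = %s;
    private static readonly byte[] key = new byte[] { 0x6B, 0x33, 0x79 };

    private static void Main()
    {
        Assembly asm = Assembly.Load(Decrypt(stage2, key));
        asm.EntryPoint.Invoke(null, null);
    }
}
""" % (_literal(build_pe_stub(True)), _literal(build_pe_stub(False)))

if __name__ == "__main__":
    for n, line in find_dynamic_loading(SAMPLE_SOURCE):
        print("line %d: %s" % (n, line))
    for kind, blob in carve_byte_arrays(SAMPLE_SOURCE):
        info = clr_info(blob)
        print(kind, len(blob), "bytes", info["runtime"] if info else "")
```

On a real case, feed `clr_info` the bytes of a file from Step 1 or a byte[] saved from dnSpyEx in Step 6, and `find_dynamic_loading` / `carve_byte_arrays` the text written by `ilspycmd assembly.exe > decompiled.cs`. The carver only sees arrays the decompiler renders inline; payloads stored as embedded resources (the more common case) are better pulled with `ilspycmd -p -o outdir/`, which writes the resources out as files, and then passed to `clr_info`.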