docker_file_analysis/data/generated/wiki/workflows/dotnet-analysis-workflow.md
tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


.NET Malware Analysis

Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies.

FOR610 Labs: 3.12, 4.8

Steps

Step 1: Identification & Metadata

Tools: tools/peframe, tools/diec, tools/dnfile, tools/dotnetfile

Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies.

peframe specimen.exe
diec specimen.exe

Step 2: Obfuscator Detection

Tools: tools/diec, tools/de4dot

Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d reports detected obfuscator without modifying the file.

diec specimen.exe
de4dot -d obfuscated.exe

Step 3: Decompilation

Tools: tools/ilspycmd, tools/monodis

Decompile to C# source: ilspycmd assembly.exe > decompiled.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources.

ilspycmd assembly.exe > decompiled.cs

Step 4: Dynamic Loading Detection

Tools: tools/visual-studio-code

Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading.

code decompiled.cs
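Searching the decompiled source by hand scales poorly across several stages, so the following added example (not part of the original wiki page) scans a decompiled C# file for the Step 4 indicators and reports each hit with its line number. The decompiled sample embedded below is constructed for illustration; MethodInfo.Invoke() is matched as ".Invoke(" because in decompiled output the receiver is a variable, not the literal type name.

```python
"""Added example: flag runtime code-loading APIs in decompiled C# output."""
import re
import sys

# Indicators listed in Step 4 of the workflow. MethodInfo.Invoke() appears in
# decompiled output as "<variable>.Invoke(", so only the call is matched.
DYNAMIC_LOADING_PATTERNS = {
    "Assembly.Load(byte[])": re.compile(r"\bAssembly\.Load\("),
    "Assembly.LoadFrom()": re.compile(r"\bAssembly\.LoadFrom\("),
    "Activator.CreateInstance()": re.compile(r"\bActivator\.CreateInstance\("),
    "MethodInfo.Invoke()": re.compile(r"\.Invoke\("),
    "CSharpCodeProvider": re.compile(r"\bCSharpCodeProvider\b"),
}


def find_dynamic_loading(source: str):
    """Return (line_number, indicator_name, stripped_line) for every match."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in DYNAMIC_LOADING_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def scan_file(path: str):
    """Scan a decompiled .cs file (e.g. the ilspycmd output) on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_dynamic_loading(fh.read())


# Constructed sample resembling a typical two-stage loader; not a real specimen.
SAMPLE_DECOMPILED = """\
using System;
using System.Reflection;
internal class Program
{
    private static void Main()
    {
        byte[] payload = Decrypt(Resources.blob);
        Assembly asm = Assembly.Load(payload);
        Type t = asm.GetType("Stage2.Loader");
        object o = Activator.CreateInstance(t);
        t.GetMethod("Run").Invoke(o, null);
        Console.WriteLine("done");
    }
}
"""

if __name__ == "__main__":
    # Usage: python scan.py decompiled.cs   (falls back to the embedded sample)
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_dynamic_loading(SAMPLE_DECOMPILED)
    for lineno, name, text in hits:
        print(f"line {lineno}: {name}: {text}")
    print(f"{len(hits)} indicator line(s) found")
```

A hit on Assembly.Load(byte[]) next to a decrypt routine, as in the sample, is the usual signal that Step 6 (breakpoint on Assembly.Load, dump the byte[] from Locals) will be needed.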

Step 5: Deobfuscation

Tools: tools/de4dot

Run: de4dot obfuscated.exe -o cleaned.exe (the cleaned assembly is written to the -o path; the input file is not modified). If de4dot fails: try with the --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants.

de4dot obfuscated.exe -o cleaned.exe

Step 6: Dynamic Debugging [W]

Tools: tools/dnspyex

If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk.

Step 7: Extracted Payload Analysis

Tools: tools/ilspycmd, tools/peframe

Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain.

ilspycmd assembly.exe > decompiled.cs
peframe specimen.exe
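The routing decision in Step 7 (recurse for a .NET assembly, hand a native PE to static analysis) comes down to two header checks: an MZ/PE header, and a non-empty CLR runtime header in data directory slot 14. The following added example (not part of the original wiki page) implements that triage for a payload dumped from dnSpyEx and also records the SHA-256 that Step 8 asks for. The PE images it builds are constructed header-only stubs for testing, not loadable binaries.

```python
"""Added example: classify an extracted payload as .NET assembly, native PE, or other."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header


def classify_payload(data: bytes) -> str:
    """Return 'dotnet', 'pe' or 'other' from the PE and CLR header fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "other"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "other"
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        return "other"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        return "other"
    if nrva_off + 4 > len(data):
        return "pe"
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return "pe"                           # no CLR directory slot at all
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > len(data):
        return "pe"
    rva, size = struct.unpack_from("<II", data, entry)
    return "dotnet" if rva and size else "pe"


def triage_payload(data: bytes) -> dict:
    """Summary for the Step 8 write-up: kind, size and SHA-256 of the dump."""
    return {
        "kind": classify_payload(data),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_min_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE stub for testing; not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224       # standard size with 16 data directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                    0, 0, 0, 0, opt_size, 0x2)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    if dotnet:
        dirs_off = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                         0x2008, 0x48)        # constructed CLR header RVA/size
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("dotnet stub", build_min_pe(True)),
                        ("native stub", build_min_pe(False)),
                        ("shellcode-like", b"\x90" * 64)):
        print(label, triage_payload(blob))
```

A result of "dotnet" means the workflow recurses from Step 1 on the dump; "pe" routes to the Static Analysis workflow; "other" usually means the dump is still encrypted or is not a PE image at all, so the breakpoint in Step 6 was hit too early.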

Step 8: Document Findings

Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms.

#dotnet #decompilation #deobfuscation #ilspy #de4dot #workflow