reverse-engineering-dotnet-malware-with-dnspy

# Reverse Engineering .NET Malware with dnSpy ## When to Use - A malware sample is identified as a .NET assembly (C#, VB.NET, F#) requiring decompilation - Analyzing .NET-based malware families (AgentTesla, AsyncRAT, RedLine Stealer, Quasar RAT) - Deobfuscating .NET code protected by ConfuserEx, SmartAssembly, or custom obfuscators - Extracting hardcoded C2 configurations, encryption keys, and credentials from managed assemblies - Debugging .NET malware at runtime to observe decryption routines and dynamic behavior **Do not use** for native (unmanaged) PE binaries; use Ghidra or IDA for native code analysis. ## Prerequisites - dnSpy or dnSpyEx installed (https://github.com/dnSpyEx/dnSpy - community maintained fork) - de4dot for automated .NET deobfuscation (`https://github.com/de4dot/de4dot`) - ILSpy as an alternative decompiler for cross-validation - .NET SDK installed for recompiling modified assemblies during analysis - Isolated Windows VM for running dnSpy debugger on live malware - Detect It Easy (DIE) for identifying the .NET obfuscator used ## Workflow ### Step 1: Identify .NET Assembly and Obfuscator Verify the sample is a .NET binary and detect protection: ```bash # Check if file is .NET assembly file suspect.exe # Output should contain "PE32 executable" with .NET metadata # Detect obfuscator with Detect It Easy diec suspect.exe # Python-based .NET detection python3 << 'PYEOF' import pefile pe = pefile.PE("suspect.exe") # Check for .NET COM descriptor if...