Reverse Engineering Malicious Binaries
Step 1: Initial Triage
- Load the suspect .dll/.exe into dnSpy
- Use `Assembly Explorer` to identify:
  - Suspicious imports (e.g., `System.IO.Compression` for packed payloads)
  - Obfuscation markers (ConfuserEx, Eazfuscator strings)
  - Embedded resources (malicious scripts)
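To make the triage checklist above repeatable across many samples, here is an added example (not code from the original article or from the dnSpy project) that performs the same three checks statically with `System.Reflection.Metadata`, which ships with .NET 6 and later. The namespace watch list and the obfuscator fingerprints (`ConfusedByAttribute` for ConfuserEx, the literal `Eazfuscator`) are assumptions chosen for this example, and the sample path is taken from the command line.

```csharp
// Added example, not from the original article: static triage of a managed
// assembly with System.Reflection.Metadata (no need to load or run the sample).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

static class Triage
{
    // Assumed watch list for this example, seeded from the article's
    // System.IO.Compression hint; extend it for your own environment.
    static readonly string[] SuspiciousNamespaces =
    {
        "System.IO.Compression",          // packed / compressed payloads
        "System.Reflection.Emit",         // runtime code generation
        "System.Runtime.InteropServices", // P/Invoke into native APIs
        "System.Net",                     // network activity
    };

    public sealed record TriageReport(
        List<string> SuspiciousImports,
        List<string> ObfuscationMarkers,
        List<string> EmbeddedResources);

    public static TriageReport Analyze(string path)
    {
        using var stream = File.OpenRead(path);
        using var pe = new PEReader(stream);
        if (!pe.HasMetadata)
            throw new InvalidOperationException("Not a managed assembly (no CLR metadata).");
        MetadataReader md = pe.GetMetadataReader();

        // 1. Imports: every TypeRef names a type this module depends on.
        var imports = new List<string>();
        foreach (var h in md.TypeReferences)
        {
            TypeReference tr = md.GetTypeReference(h);
            string ns = md.GetString(tr.Namespace);
            if (SuspiciousNamespaces.Any(s => ns.StartsWith(s, StringComparison.Ordinal)))
                imports.Add($"{ns}.{md.GetString(tr.Name)}");
        }

        // 2. Obfuscation markers: type names and custom-attribute type names that
        //    carry a known obfuscator fingerprint (heuristic, not exhaustive).
        var markers = new List<string>();
        foreach (var h in md.TypeDefinitions)
        {
            string name = md.GetString(md.GetTypeDefinition(h).Name);
            if (IsMarker(name)) markers.Add($"type {name}");
        }
        foreach (var h in md.CustomAttributes)
        {
            string ctorType = AttributeTypeName(md, md.GetCustomAttribute(h));
            if (IsMarker(ctorType)) markers.Add($"attribute {ctorType}");
        }

        // 3. Embedded resources: manifest resources whose Implementation is nil
        //    live inside this module, a common hiding place for scripts and stages.
        var resources = new List<string>();
        foreach (var h in md.ManifestResources)
        {
            ManifestResource res = md.GetManifestResource(h);
            if (res.Implementation.IsNil)
                resources.Add(md.GetString(res.Name));
        }
        return new TriageReport(imports.Distinct().ToList(), markers.Distinct().ToList(), resources);
    }

    static bool IsMarker(string name) =>
        name.Contains("Confuse", StringComparison.OrdinalIgnoreCase) ||
        name.Contains("Eazfuscator", StringComparison.OrdinalIgnoreCase);

    // The attribute constructor is a MemberReference (attribute defined elsewhere)
    // or a MethodDefinition (defined in this module, typical for injected markers).
    static string AttributeTypeName(MetadataReader md, CustomAttribute ca)
    {
        switch (ca.Constructor.Kind)
        {
            case HandleKind.MemberReference:
                var mr = md.GetMemberReference((MemberReferenceHandle)ca.Constructor);
                if (mr.Parent.Kind == HandleKind.TypeReference)
                    return md.GetString(md.GetTypeReference((TypeReferenceHandle)mr.Parent).Name);
                return "";
            case HandleKind.MethodDefinition:
                var mdef = md.GetMethodDefinition((MethodDefinitionHandle)ca.Constructor);
                return md.GetString(md.GetTypeDefinition(mdef.GetDeclaringType()).Name);
            default:
                return "";
        }
    }

    static void Main(string[] args)
    {
        TriageReport r = Analyze(args[0]);
        Console.WriteLine("Suspicious imports:  " + string.Join(", ", r.SuspiciousImports));
        Console.WriteLine("Obfuscation markers: " + string.Join(", ", r.ObfuscationMarkers));
        Console.WriteLine("Embedded resources:  " + string.Join(", ", r.EmbeddedResources));
    }
}
```

Because the reader never executes the sample, this pass is safe to run on a quarantine host before the file is opened in dnSpy; anything it flags is where to start in `Assembly Explorer`.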
Step 2: Deobfuscation Workflow
```csharp
// Before deobfuscation (member of the sample's class; usings added for clarity)
using System;
using System.Linq;
using System.Text;

public string Decode(string input)
{
    // Base64-decode the input, reverse the byte order, then read it as UTF-8
    return Encoding.UTF8.GetString(Convert.FromBase64String(input).Reverse().ToArray());
}

// After using dnSpy's "Simplify" feature:
public string Decode(string input) => "FLARE-ON_2023"; // Revealed C2 domain
```
Techniques:
- Right-click → `Analyze` to detect crypto routines
- `Ctrl+Shift+R` to rename obfuscated variables
- Export decrypted resources via `Save Code`
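Once the decoder is recovered, an analyst usually wants every encoded literal in the sample, not just the one under the cursor. The added example below (not part of the original article) mirrors the `Decode` routine shown above and replays it over the assembly's user-string heap (`#US`) with `System.Reflection.Metadata`; literals that are not valid Base64 are skipped rather than aborting the sweep. The file path and the `TryDecode`/`SweepAssembly` names are assumptions for this example.

```csharp
// Added example, not from the original article: batch-replay a recovered string
// decoder over every literal in a sample's #US heap.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.Metadata.Ecma335;
using System.Reflection.PortableExecutable;
using System.Text;

public static class StringDecoder
{
    // Mirror of the routine recovered in dnSpy: Base64-decode, reverse the bytes,
    // read as UTF-8. Returns null for literals that are not Base64 so an ordinary
    // string (a format string, a UI label) never stops the sweep.
    public static string? TryDecode(string literal)
    {
        if (literal.Length == 0 || literal.Length % 4 != 0) return null;
        try
        {
            byte[] raw = Convert.FromBase64String(literal);
            Array.Reverse(raw);
            return Encoding.UTF8.GetString(raw);
        }
        catch (FormatException) { return null; }
    }

    // Walk the user-string heap of a managed assembly and decode each literal.
    public static IEnumerable<(string Encoded, string Decoded)> SweepAssembly(string path)
    {
        using var pe = new PEReader(File.OpenRead(path));
        MetadataReader md = pe.GetMetadataReader();
        // Offset 0 of #US is the empty string; the first real literal starts at 1.
        // GetNextHandle yields a nil handle once the heap is exhausted.
        for (var h = MetadataTokens.UserStringHandle(1); !h.IsNil; h = md.GetNextHandle(h))
        {
            string s = md.GetUserString(h);
            string? d = TryDecode(s);
            if (d != null) yield return (s, d);
        }
    }

    public static void Main(string[] args)
    {
        foreach (var (enc, dec) in SweepAssembly(args[0]))
            Console.WriteLine($"{enc}  ->  {dec}");
    }
}
```

Expect some false positives: any literal that happens to be well-formed Base64 decodes to bytes, so treat the output as candidates to confirm in dnSpy, not as a final IoC list.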
Debugging for Vulnerability Research
Exploiting Logic Flaws
- Set breakpoints at authentication methods
- Modify return values in Debug > Windows > Immediate:
  ```csharp
  // Change authentication result
  isAdmin = true // Bypasses access checks
  ```
- Trace insecure deserialization paths (e.g., `BinaryFormatter` usage)
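Tracing `BinaryFormatter` usage is the analyst's side of the picture; the added example below (not from the original article) shows the defender's: the pattern to flag beside a hardened replacement, and the client-supplied `isAdmin`-style flag that a debugger can flip being recomputed from a trusted source instead. `SessionTicket`, `TicketCodec` and the lookup delegate are assumptions for this example. On .NET 8 and later the unsafe path throws `NotSupportedException` unless `EnableUnsafeBinaryFormatterSerialization` is enabled, and .NET 9 removes the in-box implementation, so the vulnerable variant compiles and runs as shown on .NET Framework and .NET 5 to 7.

```csharp
// Added example, not from the original article: the insecure deserialization
// pattern to flag in a trace, beside a hardened replacement.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Assumed data contract for this example.
[Serializable]
public sealed class SessionTicket
{
    public string User { get; set; } = "";
    public bool IsAdmin { get; set; }
}

public static class TicketCodec
{
    // VULNERABLE PATTERN (what to flag in dnSpy): BinaryFormatter instantiates
    // whatever type the payload names, so bytes from an untrusted source can run
    // attacker-chosen code inside Deserialize. The cast to SessionTicket happens
    // only after that code has already executed.
    public static SessionTicket LoadUnsafe(byte[] untrusted)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete for exactly this reason
        var bf = new BinaryFormatter();
        using var ms = new MemoryStream(untrusted);
        return (SessionTicket)bf.Deserialize(ms);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: System.Text.Json binds input to the declared contract only and
    // never resolves type names from the payload, so the worst an input can do
    // is populate these two fields.
    public static SessionTicket LoadSafe(byte[] untrusted, Func<string, bool> isAdminLookup)
    {
        var ticket = JsonSerializer.Deserialize<SessionTicket>(untrusted)
                     ?? throw new InvalidDataException("empty ticket");
        // Authorization state is recomputed server-side, never trusted from the
        // wire: whatever IsAdmin the client sent is discarded here.
        ticket.IsAdmin = isAdminLookup(ticket.User);
        return ticket;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input for this example: a ticket that claims admin rights.
        byte[] wire = Encoding.UTF8.GetBytes("{\"User\":\"alice\",\"IsAdmin\":true}");
        // Only a trusted store (here a stand-in delegate) decides who is an admin.
        SessionTicket t = TicketCodec.LoadSafe(wire, user => false);
        Console.WriteLine($"{t.User} admin={t.IsAdmin}");
    }
}
```

In a code audit, the `LoadUnsafe` shape (any `Deserialize` on a stream the caller does not control) is the finding; the fix is not a safer cast but a serializer that cannot resolve types from the input.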
Extracting Secrets
- Use the Memory Window during execution to:
  - Dump RSA private keys from CSP containers
  - Capture DPAPI-protected credentials
  - Extract hardcoded API tokens
Binary Patching for Exploit Development
Scenario: Craft PoC for license check bypass
```text
// Original IL (strict validation)
IL_0020: callvirt instance bool Validator::CheckLicense()

// Modified IL (always return true)
IL_0020: ldc.i4.1   // Load constant "1" (true)
IL_0021: ret
```
Right-click → Edit IL Instructions → Save Module
Security Impact:
- Demonstrates privilege escalation risks
- Generates weaponized exploit for penetration tests
Advanced Threat Analysis Techniques
1. Deobfuscation Automation
Integrate de4dot directly in dnSpy:
```xml
<!-- Edit dnSpy.Console.exe.config: -->
<de4dot>
  <detector name="ConfuserEx" pattern="0f 45 ?? 00" />
</de4dot>
```
2. API Hooking
Intercept calls via Debug → Windows → Modules:
- Set a breakpoint at `kernel32!CreateProcessW`
- Inspect `lpCommandLine` for injection indicators
3. .NET Core Memory Forensics
- Debug ASP.NET Core apps with dnSpyEx
- Dump environment variables exposing cloud secrets
Ethical & Legal Boundaries
| Permitted Activities | Prohibited Activities |
|---|---|
| Malware analysis (defensive research) | Circumventing DRM on commercial software |
| Vulnerability research (coordinated disclosure) | Weaponizing exploits for unauthorized access |
| Incident response forensics | Reverse engineering without ownership/license |
🔒 Compliance Note: Under DMCA §1201(f), reverse engineering for interoperability or security research is explicitly permitted in the US. Similar provisions exist in EU’s TSD Directive.
FAQs for Security Practitioners
Q: How to analyze .NET malware that detects debuggers?
A: Use dnSpy’s Start without Debugging → attach later via PID. Patch anti-debug checks by NOP-ing `IsDebuggerPresent` calls.
Q: Can dnSpy handle .NET Reactor-protected binaries?
A: Partially; use the `AsmResolver` plugin to dump dynamic methods. Combine with PE-sieve for full unpacking.
Q: Best practices for reporting vulnerabilities?
A:
1. Validate findings in dnSpy
2. Create a minimal PoC
3. Follow CERT/ISO 29147 disclosure guidelines
Tool Comparison for Security Tasks
| Feature | dnSpy | ILSpy | Ghidra |
|---|---|---|---|
| .NET Debugging | ✅ | ❌ | ⚠️ |
| Live Memory Inspection | ✅ | ❌ | ❌ |
| Anti-anti-debug | ✅ | ❌ | ⚠️ |
| IL Editing | ✅ | ❌ | ❌ |
| Scriptable Analysis | ⚠️ | ❌ | ✅ |
Conclusion
dnSpy transforms .NET security research by enabling:
- Offensive Security: Exploit development & vulnerability validation
- Defensive Operations: Malware deobfuscation & incident analysis
- Compliance: Secure code audits for DevSecOps pipelines
