Mastering .NET Reverse Engineering with dnSpy: A Security Professional's Guide

Reverse Engineering Malicious Binaries

Step 1: Initial Triage

Load the suspect .dll/.exe into dnSpy and use Assembly Explorer to identify:

- Suspicious imports (e.g., System.IO.Compression for packed payloads)
- Obfuscation markers (ConfuserEx, Eazfuscator strings)
- Embedded resources (malicious scripts)

Step 2: Deobfuscation Workflow

    // Namespaces the snippet needs
    using System;
    using System.Linq;
    using System.Text;

    // Before deobfuscation: Base64-decode, reverse the bytes, read as UTF-8
    public string Decode(string input)
    {
        return Encoding.UTF8.GetString(Convert.FromBase64String(input).Reverse().ToArray());
    }

    // After using dnSpy's "Simplify" feature:
    public string Decode(string input) => "FLARE-ON_2023"; // Revealed C2 domain

Techniques:

- Right-click → Analyze to detect crypto routines
- Ctrl+Shift+R to rename obfuscated variables
- Export decrypted resources via Save Code

Debugging for Vulnerability Research

Exploiting Logic Flaws

- Set breakpoints at authentication methods
- Modify return values in Debug > Windows > Immediate:

      // Change authentication result
      ? isAdmin = true // Bypasses access checks

- Trace insecure deserialization paths (e.g., BinaryFormatter usage)

Extracting Secrets

Use the Memory Window during execution to:

- Dump RSA private keys from CSP containers
- Capture DPAPI-protected credentials
- Extract hardcoded API tokens

Binary Patching for Exploit Development

Scenario: Craft PoC for license check bypass ...
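Added example, not code from the original page: a Python helper for the Step 1 triage and Step 2 Decode scheme above. It scans a file's raw bytes for the obfuscator markers the page names and bulk-applies the Decode logic (Base64-decode, reverse the bytes, read as UTF-8) to Base64-looking strings. The function names, the 16-character candidate threshold and the sample bytes are assumptions made here; the sample is constructed, not taken from a real binary.

```python
import base64
import binascii
import re

# Marker substrings named in Step 1 of the page; extend for your own corpus.
OBFUSCATOR_MARKERS = ("ConfuserEx", "Eazfuscator")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # Base64-looking runs (assumed threshold)


def decode_reversed_b64(text):
    """Mirror of Decode(): Base64-decode, reverse the bytes, read as UTF-8."""
    try:
        decoded = base64.b64decode(text, validate=True)[::-1].decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not Base64, or not text once reversed
    return decoded if decoded and decoded.isprintable() else None


def extract_strings(blob, min_len=6):
    """Yield printable ASCII and UTF-16LE runs (.NET string literals are UTF-16)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16-le")


def triage(blob):
    """Return (obfuscator markers seen, {encoded: decoded}) for raw file bytes."""
    strings = list(extract_strings(blob))
    markers = sorted({m for m in OBFUSCATOR_MARKERS for s in strings if m in s})
    decoded = {}
    for s in strings:
        for cand in B64_RUN.findall(s):
            plain = decode_reversed_b64(cand)
            if plain is not None:
                decoded[cand] = plain
    return markers, decoded


def build_sample():
    """Constructed stand-in for assembly bytes; not taken from a real sample."""
    secret = base64.b64encode(b"c2.example.invalid"[::-1]).decode("ascii")
    blob = (b"MZ\x90\x00" + b"ConfuserEx v0.0.0-constructed\x00\x00"
            + secret.encode("utf-16-le") + b"\x00\x00"
            + "plain config text".encode("utf-16-le"))
    return blob, secret


if __name__ == "__main__":
    sample, _ = build_sample()
    print(triage(sample))
```

Strings that decode cleanly are leads to confirm in dnSpy's decompiled view, since a Base64-looking run can decode to printable text by coincidence.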

June 13, 2025 · 3 min · 462 words · Your Name Here