{"id":6976,"date":"2024-02-12T09:13:59","date_gmt":"2024-02-12T09:13:59","guid":{"rendered":"\/cybersecurity-blog\/?p=6976"},"modified":"2024-02-12T09:37:45","modified_gmt":"2024-02-12T09:37:45","slug":"net-malware-obfuscators-analysis-part-one","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/net-malware-obfuscators-analysis-part-one\/","title":{"rendered":"A deep dive into .NET malware obfuscators:
Part 1"},"content":{"rendered":"\n

As a preface <\/h2>\n\n\n\n

In the modern world, it is rare to encounter purely clean malware during analysis. Malware code is commonly modified to hinder researchers from analyzing and decompiling it. <\/p>\n\n\n\n

Software that alters code to hinder analysis is known as obfuscators<\/strong>. Some are designed to mutate machine code, targeting malware primarily developed using C\/Asm\/Rust, while others modify IL (Intermediate Language) code generated by .NET compilers. <\/p>\n\n\n\n

This series of articles will delve into modern techniques employed by obfuscators like .NET Reactor <\/strong>and SmartAssembly<\/strong>, which are widely favored by malware creators. We will acquaint ourselves with deobfuscation methods and attempt to either develop our own deobfuscators or adapt existing ones. We will also explore tools designed to counter them if any. <\/p>\n\n\n\n

Our goal is to make the content as accessible as possible, ensuring that even beginners with a basic understanding of .NET can grasp the concepts. However, a foundational knowledge of malware analysis tools and concepts is expected. Prior experience in analyzing obfuscated code will be an added advantage. <\/p>\n\n\n\n

Are you ready to embark on this journey? Let\u2019s begin. <\/p>\n\n\n\n

Introduction <\/h2>\n\n\n\n

To truly understand obfuscators, we should think like the people who make them. It’s a bit like the red\/blue-team in cybersecurity: to defend well, you must understand the offense. So, let\u2019s try our hand at building a simple obfuscator<\/em>. <\/p>\n\n\n\n

Simple obfuscator <\/h2>\n\n\n\n

What should it look like? <\/h3>\n\n\n\n

First of all, let’s look at the program<\/a> we will be experimenting with:<\/p>\n\n\n

\n
\"\"
Source code of the \u201cExample1\u201d<\/strong> <\/figcaption><\/figure><\/div>\n\n\n

Yep, there are a few lines of code, one variable and it has the only function \u201cProtectMe\u201d which prints \u201cNo_On3_Can_Find_My_S3cr37_Pass\u201d. So simple, isn\u2019t it? <\/p>\n\n\n\n

Take a look at the decompiled code in the .NET debugger \u201cDnSpy<\/a>\u201d:<\/p>\n\n\n

\n
\"\"
Decompiled code of the \u201cExample1\u201d in DnSpy <\/strong><\/figcaption><\/figure><\/div>\n\n\n

It’s clear that anyone can easily find the password by opening the compiled program in the appropriate tool, without much effort. So, how to protect our password<\/em>? <\/p>\n\n\n\n

Here are some strategies we will use to enhance protection of our secret: <\/p>\n\n\n\n