When performing malware analysis, you will have to deal with analyzing a wide variety of code. You are likely to encounter malware created using Microsoft Visual C/C++, Delphi, and the .NET framework. In this section, we will take a brief look at a tool called dnSpy (https://github.com/0xd4d/dnSpy), which makes analyzing .NET binaries much easier. It is quite effective when it comes to decompiling and debugging a .NET application. To load a .NET application, you can drag and drop the application into dnSpy, or launch dnSpy and select File | Open, giving it the path to the binary. Once the .NET application has loaded, dnSpy decompiles the application, and you can access the program's methods and classes in the left-hand window, named Assembly Explorer. The following screenshot shows the main function of the decompiled .NET malicious binary (named SQLite.exe):

Once the binary has been decompiled, you can either read the code (static code analysis) to determine the...