The main() method in .NET applications is considered the entry point. But it is not the first thing executed, which is purposefully exploited to deter reverse engineers. We write Intermediate Language assembly code to find out what is actually executed before main() in a .NET assembly.
Malware Analysis Course: www.udemy.com/course/windows-...
Washi's article: blog.washi.dev/posts/entry-po...
Follow me on Twitter: twitter.com/struppigel
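A minimal IL assembly illustrating the point of the video, added here as an example (not code from the video or from Washi's article): the global type initializer, `<Module>::.cctor`, is run by the runtime when the module is loaded, so it executes before the method marked `.entrypoint`. Protectors such as ConfuserEx's AntiTamper place their decryption stub in exactly this initializer, which is why a breakpoint on Main() is too late. Assembly name and strings are made up for the example; build with `ilasm BeforeMain.il`.

```cil
.assembly extern mscorlib {}
.assembly BeforeMain {}
.module BeforeMain.exe

// Global type initializer: lives in the hidden '<Module>' type.
// The CLR runs it on module load, before the entry point is called.
.method private specialname rtspecialname static void .cctor() cil managed
{
  ldstr "1: <Module>::.cctor ran before the entry point"
  call void [mscorlib]System.Console::WriteLine(string)
  ret
}

.class private auto ansi beforefieldinit Program extends [mscorlib]System.Object
{
  // Marked as the managed entry point, but only reached after the module
  // initializer above has already executed.
  .method private static void Main() cil managed
  {
    .entrypoint
    ldstr "2: Program::Main is the declared entry point"
    call void [mscorlib]System.Console::WriteLine(string)
    ret
  }
}
```

When analysing such a sample in dnSpy, set the first breakpoint on `<Module>::.cctor` (or on the module initializer reported by the loader) rather than on the entry point.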
Good! Thank you very much.
Excellent video, thank you very much. Where can I find documentation about IL language instructions?
Thank you!
I recommend the book ".NET IL Assembler".
You can also use the specification but the book is easier to grasp: www.ecma-international.org/publications-and-standards/standards/ecma-335/
Karsten
@MalwareAnalysisForHedgehogs thanks 🤝
Can we store the decrypted sample to disk with dnspy?
Yes, go to File -> Save Module
But if someone adds anti-debug, how can I debug the exe, or do I need to bypass the anti-debug first? And how do I do that if the code is encrypted?
Hi. Yes you will need to bypass it. It helps to learn various anti-debug techniques and understand how they work.
Encrypted code is usually there because the sample is packed. You'll need to unpack it.
The anti-debug can be in either the unpacking stub of the packed sample or the payload after unpacking. So it depends what you need to do first.
But often you can unpack without using a debugger at all. For .NET samples I recommend MegaDumper. Just run the sample and then dump it with MegaDumper. Works most of the time.
For native samples you can use Hasherezade's mal_unpack.
Do you have any malware names in mind that use this technique?
Hi. This is not tied to a malware family, but rather to the usage of ConfuserEx and similar protectors, which apply those modifications automatically.
In ConfuserEx it is the "AntiTamper" that does this: github.com/yck1509/ConfuserEx/wiki/Anti-Tamper-Protection