Hiding .NET IL code from DnSpy with R2R Stomping

  • Published 9 Nov 2024

COMMENTS • 14

  • @MalwareAnalysisForHedgehogs
    @MalwareAnalysisForHedgehogs 1 year ago +1

    We create a .NET executable that hides code from decompilation and debugging with DnSpy by using a technique called R2R Stomping. Afterwards we explore how to analyse such samples and what effect it has on antivirus detection.
    Malware course: www.udemy.com/course/windows-...
    Checkpoint article: research.checkpoint.com/2023/...
    Twitter: twitter.com/struppigel
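The video description above says R2R Stomping hides code from DnSpy and then asks how to analyse such samples. The header facts an analyst can check first are whether the image carries a ManagedNativeHeader with the ReadyToRun signature (precompiled native code the runtime may execute instead of the IL a decompiler shows) and whether the COMIMAGE_FLAGS_ILONLY flag is set. The script below is an added example and is not code from the video, the channel or the Check Point article. The parser reads only documented PE and IMAGE_COR20_HEADER fields; `build_sample_pe` produces constructed minimal PE32+ images for demonstration and is not a real assembly, and `triage_verdict` is a hypothetical helper that turns the header facts into an analyst note.

```python
"""Added example (not from the video): triage a .NET PE for ReadyToRun code.
A ReadyToRun image carries both IL (what DnSpy decompiles) and native code
(what the runtime executes when R2R is usable), so these header facts tell
an analyst whether the decompiled IL might not be the code that runs."""
import struct
import sys

COMIMAGE_FLAGS_ILONLY = 0x00000001   # IMAGE_COR20_HEADER.Flags bit (ECMA-335)
R2R_SIGNATURE = 0x00525452           # 'RTR\0', first field of READYTORUN_HEADER
COM_DESCRIPTOR_DIR = 14              # CLI header slot in the data directory table


def _rva_to_offset(sections, rva):
    """Map a virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA 0x{rva:x} is not backed by any section")


def inspect_dotnet_pe(data: bytes) -> dict:
    """Return {is_dotnet, ilonly, has_managed_native_header, readytorun}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                  # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    if num_dirs <= COM_DESCRIPTOR_DIR:
        return {"is_dotnet": False}
    cli_rva, _ = struct.unpack_from("<II", data, dir_base + 8 * COM_DESCRIPTOR_DIR)
    if cli_rva == 0:
        return {"is_dotnet": False}
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    cli = _rva_to_offset(sections, cli_rva)
    flags = struct.unpack_from("<I", data, cli + 16)[0]       # .Flags
    mnh_rva, _ = struct.unpack_from("<II", data, cli + 64)    # .ManagedNativeHeader
    info = {"is_dotnet": True, "ilonly": bool(flags & COMIMAGE_FLAGS_ILONLY),
            "has_managed_native_header": mnh_rva != 0, "readytorun": False}
    if mnh_rva:
        sig = struct.unpack_from("<I", data, _rva_to_offset(sections, mnh_rva))[0]
        info["readytorun"] = sig == R2R_SIGNATURE
    return info


def triage_verdict(info: dict) -> str:
    """Hypothetical helper: one-line analyst note from the header facts."""
    if not info["is_dotnet"]:
        return "not a .NET image"
    if info["readytorun"]:
        return ("ReadyToRun image: precompiled native code present; "
                "IL shown by a decompiler may differ from what executes")
    if info["has_managed_native_header"]:
        return "managed native header present without R2R signature: inspect manually"
    return "IL-only style image: the IL is what the JIT compiles and runs"


def build_sample_pe(ilonly: bool, with_r2r_header: bool) -> bytes:
    """Constructed minimal PE32+ (not a real assembly): one section at RVA 0x2000 /
    file offset 0x200 holding an IMAGE_COR20_HEADER and, optionally, a
    READYTORUN_HEADER at RVA 0x2080."""
    sec_va, sec_raw, r2r_rva = 0x2000, 0x200, 0x2080
    cor = struct.pack("<IHHIIII", 72, 2, 5, sec_va + 0x100, 0x100,
                      COMIMAGE_FLAGS_ILONLY if ilonly else 0, 0x06000001)
    cor += b"\0" * 40                                  # five unused directories
    cor += struct.pack("<II", r2r_rva if with_r2r_header else 0, 16 if with_r2r_header else 0)
    body = bytearray(0x200)
    body[:72] = cor
    if with_r2r_header:  # READYTORUN_HEADER: signature, major, minor, flags, sections
        body[0x80:0x90] = struct.pack("<IHHII", R2R_SIGNATURE, 9, 2, 0, 0)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * COM_DESCRIPTOR_DIR, sec_va, 72)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, sec_va, 0x200, sec_raw,
                       0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sect)
    image += b"\0" * (sec_raw - len(image))
    return bytes(image + body)


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # triage a file given on the command line
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:                                              # constructed demonstration images
        samples = {"constructed IL-only": build_sample_pe(True, False),
                   "constructed R2R": build_sample_pe(False, True)}
    for name, data in samples.items():
        info = inspect_dotnet_pe(data)
        print(f"{name}: {info} -> {triage_verdict(info)}")
```

The header check is a triage hint, not proof that the IL and the native code disagree: the script only says that an image has precompiled native code that the runtime can prefer over the IL a decompiler shows. For the dynamic side, the runtime's `DOTNET_ReadyToRun=0` configuration knob disables use of ReadyToRun code so the JIT compiles the embedded IL instead, which lets an analyst compare the two behaviours.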

  • @npawan888
    @npawan888 1 year ago

    Will work on this tonight thanks for the demo

  • @tacrom
    @tacrom 1 year ago

    Excellent, thank you, very informative, subscribed.

  • @donaldduck6198
    @donaldduck6198 1 year ago

    A few years ago Didier Stevens wrote about "VBA Stomping", the concept is similar to your video

  • @una-az
    @una-az 1 year ago

    Thank you for the great video. Are there other .NET techniques that hide the code from DnSpy?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 1 year ago

      Thank you.
      Yes, there are, albeit not that impressive. E.g. encrypting the code and decrypting the code in .cctor (see the video before that one about what executes before main)

  • @Options_99
    @Options_99 1 year ago

    nice video, edit and background

  • @user-xg8sd9fl3e
    @user-xg8sd9fl3e 1 year ago

    one plus to making the binary bigger, might be too large to be analyzed by dynamic scanners

  • @ledlou2177
    @ledlou2177 6 months ago

    Is there a way of modifying the prioritisation of the execution of native vs. IL code?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 6 months ago

      Hi. I am not sure I understand your question. Why and when would you modify it?

    • @ledlou2177
      @ledlou2177 6 months ago

      @MalwareAnalysisForHedgehogs Just to check the vulnerability of stomping, e.g. bypassing the native code run to the favour of the IL code, etc.

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 6 months ago

      @ledlou2177 I am not aware of a way to do that.

  • @_zproxy
    @_zproxy 1 year ago

    ILONLY used to be cool