We create a .NET executable that hides code from decompilation and debugging with DnSpy by using a technique called R2R Stomping. Afterwards we explore how to analyse such samples and what effect it has on antivirus detection. Malware course: www.udemy.com/course/windows-... Checkpoint article: research.checkpoint.com/2023/... Twitter: twitter.com/struppigel
Thank you. Yes, there are, albeit not that impressive. E.g. encrypting the code and decrypting the code in .cctor (see the video before that one about what executes before main)
We create a .NET executable that hides code from decompilation and debugging with DnSpy by using a technique called R2R Stomping. Afterwards we explore how to analyse such samples and what effect it has on antivirus detection.
Malware course: www.udemy.com/course/windows-...
Checkpoint article: research.checkpoint.com/2023/...
Twitter: twitter.com/struppigel
Will work on this tonight thanks for the demo
Exellent, thank you, very informative, subscribed.
A few years ago Didier Stevens wrote about "VBA Stomping", the concept is similar to your video
Thank you for the great video. Are there other .NET techniques that hides the code from DnSpy?
Thank you.
Yes, there are, albeit not that impressive. E.g. encrypting the code and decrypting the code in .cctor (see the video before that one about what executes before main)
nice video, edit and background
one plus to making the binary bigger, might be too large to be analyzed by dynamic scanners
Is there way modifying the prioritisation of the execution of native vs. IL code?
Hi. I am not sure I understand your question. Why and when would you modify it?
@@MalwareAnalysisForHedgehogs Just to check the vulnerability of stomping, e.g. bypassing the native code run to the favour of the IL code, etc.
@@ledlou2177 I am not aware of a way to do that.
ILONLY used to be cool