.NET Malware Unpacker is a custom launcher that dynamically unpacks .NET malware.
Warning: This project is still work in progress and should not be used outside of a sandbox due to its dynamic nature (runs malware to unpack it).
A typical malware evades controls and obfuscates its payload by embedding it in dlls (Assembly). In .NET to load a dll, Assembly.Load() function is used. .NET Malware Unpacker launches malware in its application domain, it subscribes to AssemblyLoaded events and saves the loaded assembly to a file. This design allows both inspecting the payload and the Assemblies that unpacks it. Also To test the application safely I created a dll that loads another dll (embedded).
I wanted to automate malware analysis steps. Unpacking is time consuming process and automating it would save time for focusing on the payload. I believe the assemblies in between are also worth investigating to learn how the malware evaded controls. Dumping every assembly is a way to achieve both.