.NET Malware Unpacker (WIP)

.NET Malware Unpacker is a custom launcher that dynamically unpacks .NET malware.

Warning: This project is still a work in progress and should not be used outside of a sandbox due to its dynamic nature (it runs malware to unpack it).

Methodology

Typical malware evades controls and obfuscates its payload by embedding it in DLLs (assemblies). In .NET, a DLL is loaded with the Assembly.Load() function. .NET Malware Unpacker launches the malware in its application domain, subscribes to AssemblyLoaded events, and saves each loaded assembly to a file. This design allows inspecting both the payload and the assemblies that unpack it. Also, to test the application safely, I created a DLL that loads another (embedded) DLL.
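The load-event approach described above, as an added sketch that is not this project's own code. It assumes .NET Framework 4.x, a hypothetical `dumped` output directory, and the non-public `RuntimeAssembly.GetRawBytes()` method for byte-array loads (if that method is missing, the assembly is reported instead of dumped); the "sample" is a benign stand-in constructed by reloading the program's own image from memory.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Threading;

static class AssemblyDumpDemo
{
    const string OutDir = "dumped";   // hypothetical output directory
    static int _seq;

    static void Main()
    {
        Directory.CreateDirectory(OutDir);
        // Fires for every assembly loaded into this AppDomain from now on.
        AppDomain.CurrentDomain.AssemblyLoad += OnAssemblyLoad;

        // Benign stand-in for a packed sample (constructed for this example):
        // reload this program's own image from a byte array, so the loaded
        // assembly has no file on disk behind it.
        byte[] image = File.ReadAllBytes(Assembly.GetExecutingAssembly().Location);
        Assembly.Load(image);
    }

    static void OnAssemblyLoad(object sender, AssemblyLoadEventArgs args)
    {
        Assembly asm = args.LoadedAssembly;
        // Skip Reflection.Emit assemblies (no PE image) and framework noise.
        if (asm.IsDynamic || asm.GlobalAssemblyCache) return;

        byte[] raw = null;
        if (!string.IsNullOrEmpty(asm.Location))
            raw = File.ReadAllBytes(asm.Location);   // file-backed load
        else
        {
            // Byte-array load: Location is empty. Assumption: the non-public
            // RuntimeAssembly.GetRawBytes() of .NET Framework 4.x is present.
            MethodInfo m = asm.GetType().GetMethod("GetRawBytes",
                BindingFlags.Instance | BindingFlags.NonPublic);
            if (m != null) raw = m.Invoke(asm, null) as byte[];
        }
        if (raw == null) { Console.Error.WriteLine("cannot dump " + asm.FullName); return; }

        // Assembly names are attacker-controlled: strip characters that are
        // invalid in file names, and use .bin so a dump is never run by mistake.
        string safe = string.Join("_", asm.GetName().Name.Split(Path.GetInvalidFileNameChars()));
        string file = string.Format("{0:D3}_{1}.bin", Interlocked.Increment(ref _seq), safe);
        File.WriteAllBytes(Path.Combine(OutDir, file), raw);
    }
}
```

The sequence number in each file name preserves load order, which is what lets the intermediate loader stages be told apart from the final payload.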

Motivation

I wanted to automate malware analysis steps. Unpacking is a time-consuming process, and automating it would save time for focusing on the payload. I believe the assemblies in between are also worth investigating to learn how the malware evaded controls. Dumping every assembly is a way to achieve both.