Recon 2025

Lars Wallenborn

I am a mathematician. Computers were always close to my heart.

I graduated with a Diploma in Mathematics from the University of Bonn in 2013. My thesis proves an - at that time - novel upper bound for the decision problem of quadratic form equivalence in the field of Algebraic Complexity Theory.

Since high school, I have been a self-employed developer, and I decided to join a small web-development agency in Bonn after I graduated. In 2015, I joined the Cyber Threat Intelligence team at CrowdStrike as a full-time reverse engineer and software developer. There, we track both state-sponsored espionage actors and financially motivated groups carrying out criminal operations.


Session

06-27
10:30
60min
Breaking Obfuscated .NET Malware with Profiler-Based Dynamic Binary Instrumentation
Lars Wallenborn, Tillmann Werner, Sebastian Walla, Steffen Haas

As malware authors increasingly adopt .NET for its ease of development and stability, they rely on sophisticated obfuscation techniques to thwart analysis. Traditional static deobfuscation approaches often fail against modern protections that incorporate runtime integrity checks. This presentation introduces a framework that leverages .NET profilers to perform dynamic binary instrumentation at the MSIL level. We demonstrate how this approach can bypass dynamic checks in obfuscation schemes, extract encrypted strings, and trace execution flows—all without modifying the original binary. Through real-world case studies and live demonstrations, we show how this technique provides reverse engineers with a powerful new tool to analyze obfuscated .NET malware.

Grand Salon