Sebastian Walla
Sebastian Walla is an expert for Cloud Threat Intelligence. He is the deputy manager of the Emerging Threats team (focusing on Cloud) and built the Cloud Threat Intelligence mission at CrowdStrike. Since 5 years Sebastian worked as a reverse engineer and has been focusing on cloud intrusions for 3 years.
Sebastian studied Cybersecurity, has a Masters in Computer Science, and published a paper on automatically identifying and exploiting tarpit vulnerabilities to fight malware. He further holds the GREM and GCLD certification and presented at Euro S&P 2019, Fal.Con 2023, fwd:cloudsec EU 2024, and BSides Bern 2024.
Session
As malware authors increasingly adopt .NET for its ease of development and stability, they rely on sophisticated obfuscation techniques to thwart analysis. Traditional static deobfuscation approaches often fail against modern protections that incorporate runtime integrity checks. This presentation introduces a framework that leverages .NET profilers to perform dynamic binary instrumentation at the MSIL level. We demonstrate how this approach can bypass dynamic checks in obfuscation schemes, extract encrypted strings, and trace execution flows—all without modifying the original binary. Through real-world case studies and live demonstrations, we show how this technique provides reverse engineers with a powerful new tool to analyze obfuscated .NET malware.