Tillmann Werner
Tillmann Werner is a researcher at CrowdStrike, where his duties include the in-depth analysis of targeted attacks. He has a passion for proactive defense strategies, like honeypots and botnet takeovers. Werner is actively involved with the global computer security community and is a regular speaker on the international conference circuit.
Session
As malware authors increasingly adopt .NET for its ease of development and stability, they rely on sophisticated obfuscation techniques to thwart analysis. Traditional static deobfuscation approaches often fail against modern protections that incorporate runtime integrity checks. This presentation introduces a framework that leverages .NET profilers to perform dynamic binary instrumentation at the MSIL level. We demonstrate how this approach can bypass dynamic checks in obfuscation schemes, extract encrypted strings, and trace execution flows—all without modifying the original binary. Through real-world case studies and live demonstrations, we show how this technique provides reverse engineers with a powerful new tool to analyze obfuscated .NET malware.