Recon 2025

Breaking Obfuscated .NET Malware with Profiler-Based Dynamic Binary Instrumentation
2025-06-27, Grand Salon

As malware authors increasingly adopt .NET for its ease of development and stability, they rely on sophisticated obfuscation techniques to thwart analysis. Traditional static deobfuscation approaches often fail against modern protections that incorporate runtime integrity checks. This presentation introduces a framework that leverages .NET profilers to perform dynamic binary instrumentation at the MSIL level. We demonstrate how this approach can bypass dynamic checks in obfuscation schemes, extract encrypted strings, and trace execution flows—all without modifying the original binary. Through real-world case studies and live demonstrations, we show how this technique provides reverse engineers with a powerful new tool to analyze obfuscated .NET malware.


The rising prevalence of .NET malware presents unique challenges for security researchers. Because .NET binaries can be easily decompiled to source code, malware authors employ increasingly sophisticated obfuscation techniques to hinder analysis. Traditional deobfuscation approaches often struggle against modern protections that incorporate runtime integrity checks, anti-debugging measures, and environment detection.

Our presentation introduces a novel framework that leverages the .NET profiling API to perform dynamic binary instrumentation at the MSIL level. This approach allows analysts to observe and modify code execution at runtime, bypassing many common obfuscation techniques.

The talk will cover:

  1. The .NET Obfuscation Challenge: We'll explore why .NET is increasingly popular among malware authors and how modern obfuscation techniques create asymmetric advantages for attackers.

  2. Profiler-Based Instrumentation: We'll explain how .NET profilers work, how they can intercept relevant runtime events (JIT compilation, assembly loading, etc.), and why they're ideal for malware analysis.

  3. Our Framework: We'll introduce our framework that allows analysts to write custom instrumenters purely in .NET, leveraging familiar libraries like dnlib while abstracting away the complexity of profiler development.

  4. Technical Challenges: We'll discuss the problems we encountered and solved during development, including:
    - Isolating instrumentation code from target code
    - Handling profiler detection attempts
    - Preventing deadlocks during instrumentation
    - Managing thread synchronization

  5. Live Demonstrations: We'll showcase our framework's capabilities through several real-world scenarios:
    - Bulk extraction of obfuscated strings from protected malware
    - Bypassing license checks in popular obfuscators
    - Generating comprehensive execution traces of obfuscated code

Attendees will leave with a deep understanding of .NET profiler-based instrumentation and practical knowledge they can immediately apply to their own malware analysis workflows.
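Items 2 and 3 above are easier to picture with a concrete instrumenter. The C# below is an added example, not code from the talk or from the speakers' framework: it is a dnlib-based MSIL rewrite that, given a method body (the shape a profiler hands over when it intercepts JIT compilation), inserts a hook after every call to a string-returning method so that decrypted strings are logged the moment the malware produces them. The names `StringTraceInstrumenter`, `Hooks` and `Hooks.OnString` are assumptions. The profiler plumbing that delivers and returns the IL is not shown; the `Main` driver instead applies the same rewrite statically to a copy of an assembly on disk so the instrumenter can be tested offline.

```csharp
// Added example (not the talk's framework): a dnlib MSIL instrumenter that logs the
// return value of every call to a string-returning method. StringTraceInstrumenter,
// Hooks and Hooks.OnString are hypothetical names chosen for this example.
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

// Hook that the rewritten IL calls. Under a profiler it must live in an assembly the
// target can resolve at runtime (the "isolation" problem from item 4); in this offline
// driver it is simply compiled into the instrumenter executable.
public static class Hooks
{
    public static readonly List<string> Seen = new List<string>();

    public static void OnString(string value)
    {
        if (value == null) return;
        lock (Seen) Seen.Add(value);   // hooks may fire from several target threads
        Console.WriteLine("[string] " + value.Replace("\n", "\\n"));
    }
}

public static class StringTraceInstrumenter
{
    // Rewrites one method body in place: after every `call`/`callvirt` whose callee
    // returns System.String, insert `dup; call Hooks.OnString(string)` so the value is
    // observed and then left on the stack for its original consumer.
    // Returns the number of hook sites inserted.
    public static int Instrument(MethodDef method, IMethod hook)
    {
        if (!method.HasBody) return 0;
        CilBody body = method.Body;
        IList<Instruction> instrs = body.Instructions;
        int inserted = 0;

        // Walk by index because instructions are inserted while iterating. Branch and
        // exception-handler operands reference Instruction objects, not offsets, so
        // inserting does not invalidate them.
        for (int i = 0; i < instrs.Count; i++)
        {
            Instruction ins = instrs[i];
            if (ins.OpCode.Code != Code.Call && ins.OpCode.Code != Code.Callvirt) continue;
            IMethod callee = ins.Operand as IMethod;
            if (callee == null || callee.MethodSig == null) continue;
            if (callee.MethodSig.RetType.ElementType != ElementType.String) continue;

            instrs.Insert(i + 1, Instruction.Create(OpCodes.Dup));
            instrs.Insert(i + 2, Instruction.Create(OpCodes.Call, hook));
            i += 2;
            inserted++;
        }

        if (inserted > 0)
        {
            body.MaxStack += 1;        // `dup` needs one extra evaluation-stack slot
            body.SimplifyBranches();   // short branches may no longer reach their targets
            body.OptimizeBranches();
        }
        return inserted;
    }

    // Applies the rewrite to every method in the module, skipping the hook's own type so
    // that OnString (which itself calls a string-returning method) is never hooked.
    public static int InstrumentModule(ModuleDef module)
    {
        IMethod hook = module.Import(typeof(Hooks).GetMethod(nameof(Hooks.OnString)));
        int total = 0;
        foreach (TypeDef type in module.GetTypes())
        {
            if (type.FullName == typeof(Hooks).FullName) continue;
            foreach (MethodDef m in type.Methods)
                total += Instrument(m, hook);
        }
        return total;
    }

    // Offline driver: rewrite a copy of an assembly on disk so the instrumenter can be
    // exercised without a profiler. Usage: dotnet run -- target.dll target.instrumented.dll
    public static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: <input assembly> <output assembly>");
            return;
        }
        ModuleDefMD module = ModuleDefMD.Load(args[0]);
        int sites = InstrumentModule(module);
        module.Write(args[1]);
        Console.WriteLine($"inserted {sites} hook sites into {module.Name}");
    }
}
```

Two caveats a practitioner will hit with this rewrite. First, a hook inserted after a `call` that is the last instruction of a `try` block lands outside the protected region, because dnlib marks a try's end by the instruction that follows it; if exact handler coverage matters, adjust `ExceptionHandler.TryEnd` to the instruction after the hook. Second, running the same rewrite from a profiler rather than on disk means the target assembly must be able to resolve the hook's assembly at runtime, which is exactly the isolation and detection issue item 4 of the talk addresses.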

I am a mathematician. Computers were always close to my heart.

I graduated with a Diploma in Mathematics at the University of Bonn in 2013. My thesis proves an, at that time, novel upper bound for the decision problem of quadratic form equivalence in the field of Algebraic Complexity Theory.

Since high school, I have been a self-employed developer, and I decided to join a small web-development agency in Bonn after I graduated. In 2015, I joined the Cyber Threat Intelligence team at CrowdStrike as a full-time reverse engineer and software developer. There, we track both state-sponsored espionage actors and financially motivated groups carrying out criminal operations.

Tillmann Werner is a researcher at CrowdStrike, where his duties include the in-depth analysis of targeted attacks. He has a passion for proactive defense strategies, like honeypots and botnet takeovers. Werner is actively involved with the global computer security community and is a regular speaker on the international conference circuit.

Sebastian Walla is an expert in Cloud Threat Intelligence. He is the deputy manager of the Emerging Threats team (focusing on Cloud) and built the Cloud Threat Intelligence mission at CrowdStrike. Sebastian has worked as a reverse engineer for 5 years and has been focusing on cloud intrusions for 3 years.
Sebastian studied Cybersecurity, has a Master's in Computer Science, and published a paper on automatically identifying and exploiting tarpit vulnerabilities to fight malware. He further holds the GREM and GCLD certifications and presented at Euro S&P 2019, Fal.Con 2023, fwd:cloudsec EU 2024, and BSides Bern 2024.