[Mal Series #14] Debug C# In-Memory Loaded Module

A lot of C# malware loads its decrypted loader module straight into memory to avoid signature-based detection of the payload on disk. The in-memory loading is done with the System.Reflection.Assembly class: Assembly.Load(byte[]) maps the raw bytes of a file (a .dll, .exe, etc.) as a managed assembly without ever writing it to disk, after which any function inside the loaded assembly can be located by name and invoked through reflection.

Some good reading on C# .NET assemblies.

Overview of the C# assembly loader in action in a particular malware sample
Using LateBinding.LateGet to execute a function from the in-memory module

smethod_6 is a wrapper around LateBinding.LateGet (from Microsoft.VisualBasic.CompilerServices), which resolves the member by its string name at run time and invokes it immediately. In other words, the function from the in-memory module runs as soon as this call is made.

smethod_5 is a wrapper around RuntimeHelpers.GetObjectValue, which boxes a value type by performing a shallow copy of its fields into a new object (a reference type is returned unchanged). Here it is only used to box the value returned by the late-bound call.
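The following is an added example, not code from the original post or from the sample it describes: a minimal reflective loader that reproduces the pattern above end to end (decrypt a blob, Assembly.Load the bytes, invoke a method both through plain reflection and through LateBinding.LateGet, box the result with GetObjectValue), and then lists which assemblies in the process have no backing file, which is exactly how such a module shows up in the Modules window. The payload path, XOR key, type name and method name are hypothetical command-line inputs; the single-byte XOR stands in for whatever decryption a real sample uses. The project needs a reference to Microsoft.VisualBasic for LateBinding.

```csharp
// Added example (not the author's or the malware's code): a minimal reflective loader.
// Usage (all four arguments are hypothetical inputs for the demo):
//   ReflectiveLoader.exe <encrypted.bin> <xorKey> <Namespace.TypeName> <StaticMethodName>
using System;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using Microsoft.VisualBasic.CompilerServices;   // LateBinding lives here

class ReflectiveLoader
{
    // Stand-in for the sample's decryption routine. Real samples use RC4/AES or a
    // custom scheme; a single-byte XOR keeps this demo self-contained.
    static byte[] Decrypt(byte[] blob, byte key)
    {
        var clear = new byte[blob.Length];
        for (int i = 0; i < blob.Length; i++)
            clear[i] = (byte)(blob[i] ^ key);
        return clear;
    }

    // Lists assemblies that have no file path: byte[]-loaded modules report an empty
    // Location. These are the entries to look for in dnSpy's Modules window.
    static void ListInMemoryAssemblies()
    {
        foreach (Assembly a in AppDomain.CurrentDomain.GetAssemblies())
        {
            // IsDynamic is checked first: Location throws on dynamic (Reflection.Emit) assemblies.
            if (!a.IsDynamic && a.Location.Length == 0)
                Console.WriteLine($"[!] in-memory module: {a.GetName().Name}");
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 4)
        {
            Console.WriteLine("usage: ReflectiveLoader <encrypted.bin> <xorKey> <TypeName> <MethodName>");
            return;
        }

        byte[] decrypted = Decrypt(File.ReadAllBytes(args[0]), Convert.ToByte(args[1]));

        // Nothing is written to disk: the managed image is mapped straight from the byte[].
        // This is the call to break on; its return value is the module that appears in the
        // Modules window without a path.
        Assembly payload = Assembly.Load(decrypted);
        Console.WriteLine($"[+] loaded {payload.FullName}, Location='{payload.Location}'");

        Type target = payload.GetType(args[2], throwOnError: true);

        // Route 1: plain reflection, the MethodInfo is resolved first, then invoked.
        MethodInfo mi = target.GetMethod(args[3], BindingFlags.Public | BindingFlags.Static);
        if (mi == null)
            throw new MissingMethodException(args[2], args[3]);
        object r1 = mi.Invoke(null, null);

        // Route 2: what smethod_6 wraps. LateGet resolves the member by its string name
        // and invokes it in one step, so no MethodInfo ever appears in the loader's code.
        // (o = null and objType = target selects a static member.)
        object r2 = LateBinding.LateGet(null, target, args[3], new object[0], null, null);

        // What smethod_5 wraps: boxing (shallow copy) of a value-type result.
        object r3 = RuntimeHelpers.GetObjectValue(r2);
        Console.WriteLine($"[+] results: {r1} / {r2} / {r3}");

        ListInMemoryAssemblies();
    }
}
```

When stepping through this in dnSpy, the only place to stop before the payload runs is between the Assembly.Load call and the LateGet/Invoke call: after that, execution continues inside the in-memory module, which is why the breakpoint has to be placed in that module rather than in the loader.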

How do we keep debugging, then, since the function being executed lives in the loaded file rather than in the loader 🤔? Luckily dnSpy has a Modules window that we can use to find the in-memory loaded module.

Menu -> Debug -> Windows -> Modules

Open CoreFunction from the module list (it is the module that was loaded by the Assembly call), find the method that is invoked through LateGet, put a breakpoint on it and press F5 again !!

Now you may proceed with the analysis dynamically.

CoreFunctions (the in-memory loaded module)

There are more windows under Debug -> Windows that help during the analysis process.

Hope this article is useful when analyzing C# .NET assembly malware.

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

GhouLSec