[Mal Series #14] Debug C# In-Memory Loaded Module

GhouLSec
2 min read · Dec 21, 2020

Most C# malware loads its decrypted loader module in memory to avoid signature-based detection. The in-memory file loader can be built on the [System.Reflection] Assembly class, which loads the file bytes (a .dll, etc.) into the process and can then invoke/call any function found inside the loaded file.

Some good reading on C# .NET Assembly.

Overview of the C# Assembly loader in action in a certain malware sample
Using LateBinding.LateGet to execute the in-memory function

smethod_6 is a wrapper around the LateBinding.LateGet function, which invokes the function call (meaning the function executes right away).

smethod_5 is a wrapper around the GetObjectValue function, which performs a shallow copy of the fields of the specified value type into a new object.

How do we continue debugging, then, since the function executes from the loaded file 🤔? Luckily, dnSpy has a Modules view that we can use to look for the in-memory loaded file.

Menu -> Debug -> Windows -> Modules

Click on the CoreFunction module, find the method that was loaded by the Assembly function, put a breakpoint on it, then press F5 again!

Now you may proceed with the analysis dynamically.
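The following is an added example written for this article; it is not code from the original post or from the malware sample discussed. It shows what the loader pattern described above looks like to the runtime and what an analyst can check to recognise it: a copy of the program's own image is loaded through Assembly.Load(byte[]) (standing in for a decrypted payload), a method inside the copy is called reflectively (the late-bound call that LateBinding.LateGet wraps), and every assembly in the AppDomain is then listed with its Location. A byte-loaded assembly reports an empty Location, which is the same information dnSpy's Modules window exposes when you look for the in-memory module. The class and method names (Payload, Hello) are hypothetical; the program assumes a normal, non-single-file build so that Assembly.GetExecutingAssembly().Location points at the .dll on disk.

```csharp
// Added example, not part of the original post.
// Demonstrates an in-memory Assembly.Load(byte[]) and how to tell the resulting
// module apart from modules mapped from disk. Names marked "hypothetical" are
// invented for this example.
using System;
using System.IO;
using System.Reflection;

// Hypothetical type that the reflective call targets.
public static class Payload
{
    // Reports which image this code runs from: the copy loaded from bytes
    // has no Location, the copy loaded from disk has the .dll path.
    public static string Hello(string who) =>
        $"Hello, {who}. My Location is: '{Assembly.GetExecutingAssembly().Location}'";
}

public static class Program
{
    // True when the assembly was not mapped from a file on disk.
    // IsDynamic is checked first because reading Location on a dynamic
    // assembly throws NotSupportedException.
    public static bool IsInMemory(Assembly asm) =>
        asm.IsDynamic || string.IsNullOrEmpty(asm.Location);

    public static void Main()
    {
        // Constructed input: instead of a decrypted payload, reuse this
        // program's own image so the example runs stand-alone.
        // Assumes a regular build where Location is a real path.
        byte[] image = File.ReadAllBytes(Assembly.GetExecutingAssembly().Location);

        // The loader step the article describes: bytes -> Assembly, no file on disk.
        Assembly loaded = Assembly.Load(image);

        // Late-bound call into the in-memory copy (what LateBinding.LateGet does
        // for the sample): resolve the type and method by name, then invoke.
        Type payloadType = loaded.GetType("Payload");
        MethodInfo hello = payloadType.GetMethod("Hello", BindingFlags.Public | BindingFlags.Static);
        object result = hello.Invoke(null, new object[] { "analyst" });
        Console.WriteLine(result);          // prints an empty Location for the byte-loaded copy
        Console.WriteLine(Payload.Hello("analyst")); // the disk-loaded copy prints the .dll path

        // Inventory of loaded assemblies, the programmatic equivalent of
        // Debug -> Windows -> Modules: flag those without an on-disk Location.
        Console.WriteLine();
        Console.WriteLine("Loaded assemblies ([!] = in-memory):");
        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
        {
            bool inMemory = IsInMemory(asm);
            string where = inMemory ? "<in-memory>" : asm.Location;
            Console.WriteLine($"{(inMemory ? "[!]" : "   ")} {asm.GetName().Name,-30} {where}");
        }
    }
}
```

Run it with `dotnet run` from a console project containing this file. The program's own name appears twice in the inventory, once with its .dll path and once flagged `[!]` with no Location; that second entry is what you are looking for in dnSpy's Modules view before setting the breakpoint.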

CoreFunctions (In-Memory file loaded)

There are more views under Debug -> Windows that will help in the analysis process.

Hope this article will be useful when analyzing C# .NET Assembly malware.
