What is the best tool for .NET deobfuscation?

De4dot is the industry-standard tool for automated .NET deobfuscation and is heavily featured in this skill's workflow.

How do I extract encrypted strings from .NET malware?

This skill demonstrates how to use the dnSpy debugger to set breakpoints on decryption methods, allowing you to capture the plain-text results in the Locals window.

Is it safe to debug malware using these steps?

You should only perform these actions within a dedicated, isolated Windows Virtual Machine (VM) with network isolation to prevent accidental infection or C2 communication.

Can I use this skill for native C++ binaries?

No, this skill is specifically optimized for managed .NET assemblies. For native binaries, tools like Ghidra or IDA Pro are recommended.

.NET Malware Analysis with dnSpy

Name: .NET Malware Analysis with dnSpy
Author: mukul975

bymukul975

•

4,121

•

安全与测试

Analyzes .NET-based malware using dnSpy to decompile source code, remove obfuscation, and extract command-and-control configurations.

This skill provides expert guidance for security researchers and malware analysts to disassemble and debug managed .NET assemblies. It guides users through identifying obfuscators like ConfuserEx, using de4dot for automated cleaning, and leveraging dnSpy for source-level debugging. By following these workflows, analysts can efficiently extract hardcoded C2 configurations, retrieve encryption keys, and understand malicious behaviors in common malware families such as AgentTesla, AsyncRAT, and RedLine Stealer.

主要功能

01Extracts hardcoded C2 configurations, keys, and credentials

024,121 GitHub stars

03Identifies malicious capabilities like keylogging and credential theft

04Decompiles C# and VB.NET malware into human-readable source code

05Provides structured workflows for runtime debugging in isolated environments

06Automates deobfuscation for protectors like ConfuserEx and SmartAssembly

使用场景

01Extracting Indicators of Compromise (IOCs) from obfuscated managed assemblies

02Analyzing a suspected .NET stealer to identify data exfiltration points

03Debugging decryption routines to reveal hidden embedded payloads

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills reverse-engineering-dotnet-malware-with-dnspy

For use in Claude.ai and ChatGPT

主要功能

01Extracts hardcoded C2 configurations, keys, and credentials

024,121 GitHub stars

03Identifies malicious capabilities like keylogging and credential theft

04Decompiles C# and VB.NET malware into human-readable source code

05Provides structured workflows for runtime debugging in isolated environments

06Automates deobfuscation for protectors like ConfuserEx and SmartAssembly

使用场景

01Extracting Indicators of Compromise (IOCs) from obfuscated managed assemblies

02Analyzing a suspected .NET stealer to identify data exfiltration points

03Debugging decryption routines to reveal hidden embedded payloads

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills reverse-engineering-dotnet-malware-with-dnspy

For use in Claude.ai and ChatGPT