Last-minute paper: .NET malware dynamic instrumentation for automated and manual analysis

Thursday 25 September 14:00 - 14:30, Green room.

Hexiang Hu Microsoft
Steven Zhou Microsoft
Geoff McDonald Microsoft

  download slides (PDF)

Microsoft .NET Framework-built applications compile into a Common Intermediate Language (CIL), formerly known as Microsoft Intermediate Language (MSIL). When executed, this intermediate language is run by either a virtual machine, or through just-in-time compilation (JIT) to compile into native code at runtime. This approach provides many advantages to developers, such as a single binary being able to execute on multiple platforms and CPU architectures, but has been proving a technical challenge for anti-malware software and researchers since many traditional analysis tools no longer apply.

Recently, we've been wrestling with more malware families that are developed using the .NET framework. These malware families are often using a variety of custom and commercial .NET packers that obfuscate and pack the code, resulting in code analysis for anti-malware researchers becoming more difficult.

To solve this problem, this presentation introduces a .NET malware research tool to assist in automated and researcher analysis of .NET malware. This tool performs dynamic instrumentation of .NET malware to analyse the functions that are called, as well as the corresponding CIL code to be compiled. This presentation will cover the following topics:

  • ICorProfilerCallback & ICorProfilerInfo interface introduction
  • Project architecture and infrastructure
  • Backdoor:MSIL/Bladabindi case study
  • Future of usage in machine-learning-based detection

Hexiang Hu

Hexiang Hu

Hexiang Hu is a computer science student from Zhejiang University and recently transferred to Simon Fraser University. He worked at Microsoft Malware Protection Center as an anti-virus researcher intern in the summer. He is interested in and passionate about machine learning, reverse engineering and malware research.


Steven Zhou

Steven Zhou

Steven Zhou is an anti-virus researcher with Microsoft Malware Protection Center out of Vancouver, Canada. He has been working in the IT security field for more than 10 years, and has a particular interest in fighting MSIL-based malware. In his spare time, he loves hiking and spending time with his family.

Geoff McDonald

Geoff McDonald

Geoff is an anti-virus researcher working in the Microsoft Malware Protection Center with most of his experience in reverse engineering malware and related vulnerabilities. As a hobby, Geoff can often be found developing reverse-engineering and vulnerability fuzzing tools - some of which can be found on his personal website


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.