Unpack your troubles*: .NET packer tricks and countermeasures (sponsor presentation)

Wednesday 30 September 17:00 - 17:30, Green room

Marcin Hartung (ESET)


Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

A skilled researcher can often glance inside 'good old-fashioned' native executables and see what they do despite protection with strong packers. However, .NET files are different.

Analysing clean .NET files with dedicated tools shows us almost everything, but if the file is obfuscated we sometimes see nothing at all. In .NET analysis we face one main obstacle — complex runtime technology which introduces some level of abstraction and therefore makes debugging harder.

This paper combines analysis of methods collected from various sources with techniques drawn from the author's own experience, in order to improve sample management. It describes simple tricks for getting strings after packer decryption or logging the APIs used, as well as some more sophisticated examples.

All the problems addressed relate to real cases often encountered in the context of commercial packers or of custom protectors used by malware.

Such tricks can be used in single analyses, for adding breakpoints in locations of interest, or as building blocks for constructing a powerful tool for analysing .NET samples.



Marcin Hartung


Marcin Hartung is a programmer in the Software Protectors Analysis & Unpacking Team at ESET. He has been working with packers for a few years, focusing on .NET recently. A couple of years ago he was working at the university in the electronics & telecommunications area, during which time he co-authored a few papers. He also delivered some lectures on security at the university associated with ESET.

