Breaking Obfuscated .NET Malware with Profiler-Based Dynamic Binary Instrumentation

Lars Wallenborn, Steffen Haas, Tillmann Werner, Lindsay Kaye

REcon 2025 · Day 3 · Main Track

.NET malware is increasingly obfuscated with commodity protectors that embed runtime integrity checks—checks that detect and defeat the standard analyst trick of calling string decryption functions di

AI review

Four researchers weaponized the .NET Profiler API to bypass stack-checking obfuscation at scale — the architecture is clever, the demos deliver, and the tooling gap it fills is real.
