Reverse Engineering [Video] Hiding .NET IL code from DnSpy with R2R Stomping

struppigel



We create a .NET executable that hides code from decompilation and debugging with DnSpy by using a technique called R2R Stomping. Afterwards we explore how to analyse such samples and what effect it has on antivirus detection.

00:00 Introduction
00:43 What is R2R Stomping
02:13 Compiling an R2R binary
04:17 Stomping the code
07:50 Verify that it works - debugging .NET Core
10:00 How to recognize R2R binaries
12:14 Determine if a file is stomped
13:49 Compiling singlefile executables
14:35 Analysing singlefile executables
17:09 Implications on antivirus detections and analysis verdicts
 
Further to the fantastic video, there is a nice article from Check Point as well on R2R stomping.