Automated Analysis and Reversing of .NET Malware
Period: February 2026 - December 2026
Contact:
Partners: Hex-Rays
Description:
Malware developers continuously search for new ways to distribute malware while evading analysis. One method that has gained popularity recently is writing malware for the .NET platform. A program written for .NET traditionally compiles to Common Intermediate Language (CIL) code, which the runtime translates just-in-time (JIT) into native machine code before execution. Similar to the Java Virtual Machine (JVM), a single compilation of a .NET program allows it to run across multiple architectures and operating systems. This portability makes .NET an attractive option for maximizing the coverage of potential victims.
Traditionally, defenders have been quite successful at analyzing CIL binaries. Because the runtime requires .NET assemblies to retain rich metadata (type and method names, signatures, class layouts) and to follow a strict code structure, reverse engineering a CIL binary (e.g., by decompilation) is far more straightforward than analyzing an ordinary native executable. Even when obfuscation is applied, it is usually much easier to bring the binary to a state where the code is readable enough to deduce (malicious) intent.
With the release of .NET 7.0 in 2022, Microsoft introduced Native Ahead-of-Time (NativeAOT) compilation, which produces standalone native binaries that run without a runtime installed on the machine. It was originally introduced to improve the startup time of .NET programs (i.e., no JIT translation on every execution). However, a side effect is that it renders the state-of-the-art .NET binary analysis tooling virtually useless. Not only does it significantly increase the volume of code to analyze (the required runtime components, such as the garbage collector, are statically linked into the binary), it also completely strips the CIL code and the assembly metadata in its original form, which that tooling heavily relies on. This gives threat actors a considerable advantage: NativeAOT acts as a very effective first-class obfuscation feature that requires very little effort to apply.
NativeAOT binaries must still honor the rules that the original runtime imposes on program execution. Features such as reflection, objects and virtual dispatch, stack traces and runtime type checks must continue to work, even though the metadata is no longer physically present in its original form. It follows that this information must be encoded in NativeAOT binaries in some form, and may therefore be recoverable. This research aims to develop program analysis techniques to restore type hierarchies and recover a broader set of runtime semantics, enabling NativeAOT reverse engineering and allowing analysis tools to catch up with adversaries adopting this technology.
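As an added illustration (not part of the project description or the partners' tooling), the following Python script performs the first triage check an analyst runs on such a sample: it parses the PE headers and looks for the CLR runtime header (data directory slot 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), through which the runtime and every CIL-based decompiler locate the metadata and CIL. A conventional .NET assembly populates it; a NativeAOT executable is a plain native PE and does not, which is exactly why existing tooling has nothing to load. The sample headers are constructed inline (minimal PE32+ headers with and without a CLR directory entry, with made-up RVA values), not taken from real binaries, and the function names are my own.

```python
import struct
import sys

# Data directory slot of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR).
CLR_DIRECTORY_INDEX = 14


def clr_header_entry(pe: bytes):
    """Return (rva, size) of the CLR runtime header, or None if the image has none.

    The runtime (and every CIL decompiler) reaches the metadata and CIL through
    this directory, so a conventional .NET assembly always populates it.  A
    NativeAOT executable is a plain native PE and leaves the slot empty.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    num_dirs = struct.unpack_from("<I", pe, opt + num_dirs_off)[0]
    entry = opt + dirs_off + CLR_DIRECTORY_INDEX * 8
    # Truncated directory tables are legal; treat a missing slot as "no CLR header".
    if num_dirs <= CLR_DIRECTORY_INDEX or entry + 8 > opt + size_of_optional:
        return None
    rva, size = struct.unpack_from("<II", pe, entry)
    return (rva, size) if rva and size else None


def classify(pe: bytes) -> str:
    """'managed' if CIL-based tooling can load it, 'native' otherwise (NativeAOT looks native)."""
    return "managed" if clr_header_entry(pe) is not None else "native"


def build_minimal_pe(clr_rva: int, clr_size: int) -> bytes:
    """Constructed sample: the bare PE32+ headers the check above inspects, nothing more."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    size_of_optional = 112 + num_dirs * 8
    # Machine=AMD64, no sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_of_optional, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", num_dirs)
    dirs = [(0, 0)] * num_dirs
    dirs[CLR_DIRECTORY_INDEX] = (clr_rva, clr_size)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt


# Constructed samples (hypothetical values, not real binaries): a classic CIL
# assembly pointing at a 72-byte IMAGE_COR20_HEADER, and a NativeAOT-style
# image whose CLR directory slot is empty.
CIL_ASSEMBLY = build_minimal_pe(0x2008, 0x48)
NATIVEAOT_IMAGE = build_minimal_pe(0, 0)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], classify(f.read()))
    else:
        print("constructed CIL assembly:", classify(CIL_ASSEMBLY))
        print("constructed NativeAOT image:", classify(NATIVEAOT_IMAGE))
```

Point the script at a real sample path to classify it. A NativeAOT build (produced with `dotnet publish` and the `PublishAot=true` property) comes back as "native": with no IMAGE_COR20_HEADER there is no metadata root to parse, so decompilers have nothing to load. That is the starting point for the recovery work described above, which has to find the type information in the form the compiled runtime encodes it rather than in these standard tables.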

