Anthropic-Cybersecurity-Skills/skills/reverse-engineering-dotnet-malware-with-dnspy/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: .NET Malware Reverse Engineering with dnSpy Agent

## Overview

Analyzes .NET malware: validates CLR headers, detects obfuscators (ConfuserEx, SmartAssembly), deobfuscates with de4dot, extracts strings/IOCs, and parses .NET metadata via monodis.

## Dependencies

| Package | Version | Purpose |
|---------|---------|---------|
| hashlib | stdlib  | Sample hash computation |
| struct  | stdlib  | PE/CLR header parsing |
| re      | stdlib  | String pattern extraction |

## External Tools (Optional)

| Tool | Purpose |
|------|---------|
| diec (Detect It Easy) | Obfuscator identification |
| de4dot | Automated .NET deobfuscation |
| monodis | .NET assembly metadata extraction |

## Core Functions

### detect_dotnet_assembly(filepath)

Validates that the PE file has a CLR header (the COM descriptor data directory entry).

- Checks: MZ signature, PE signature, optional header magic, CLR RVA
- Returns: dict with is_dotnet, clr_header_rva
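The header walk that `detect_dotnet_assembly` performs, as an added worked example rather than the agent's own code: MZ, then e_lfanew, the PE signature, the optional-header magic (PE32 vs PE32+), and finally data directory 14 (the COM descriptor), reporting is_dotnet and clr_header_rva. The `build_minimal_pe` helper and the extra `clr_header_size`/`pe_format` fields are this example's own assumptions; the image it builds is a constructed header-only stub, not a real binary.

```python
import struct

COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header slot


def detect_dotnet_assembly_bytes(data: bytes) -> dict:
    """Walk MZ -> PE -> optional header -> data directory 14 and report the CLR header."""
    result = {"is_dotnet": False, "clr_header_rva": 0, "clr_header_size": 0, "pe_format": None}
    try:
        if data[:2] != b"MZ":
            return result
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return result
        opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                       # PE32: data directories start at +96
            fixed, result["pe_format"] = 96, "PE32"
        elif magic == 0x20B:                     # PE32+: data directories start at +112
            fixed, result["pe_format"] = 112, "PE32+"
        else:
            return result
        n_dirs = struct.unpack_from("<I", data, opt + fixed - 4)[0]  # NumberOfRvaAndSizes
        if n_dirs <= COM_DESCRIPTOR_INDEX:
            return result                        # image declares no slot 14 at all
        rva, size = struct.unpack_from("<II", data, opt + fixed + COM_DESCRIPTOR_INDEX * 8)
    except struct.error:
        return result                            # header truncated: treat as not .NET
    result["clr_header_rva"], result["clr_header_size"] = rva, size
    result["is_dotnet"] = rva != 0 and size != 0  # a zeroed entry means no managed code
    return result


def detect_dotnet_assembly(filepath: str) -> dict:
    """File-path wrapper matching the signature documented above."""
    with open(filepath, "rb") as fh:
        return detect_dotnet_assembly_bytes(fh.read())


def build_minimal_pe(pe32plus: bool, clr_rva: int = 0, clr_size: int = 0) -> bytes:
    """Constructed test image (not a real binary): DOS header, PE signature, COFF header
    and an optional header carrying all 16 data directories, with no sections."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    fixed = 112 if pe32plus else 96
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)            # Magic
    struct.pack_into("<I", opt, fixed - 4, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, fixed + COM_DESCRIPTOR_INDEX * 8, clr_rva, clr_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x2002)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A native packer that carries a managed payload in a resource shows no CLR header until the outer layer is unpacked, so is_dotnet being False does not rule out .NET code further in; that is where the diec and de4dot stages pick up.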

### detect_obfuscator(filepath)

Runs Detect It Easy to identify ConfuserEx, SmartAssembly, .NET Reactor, Dotfuscator, Babel, Eazfuscator, Crypto Obfuscator.

- Returns: dict with detected list

### deobfuscate_with_de4dot(filepath, output_path)

Runs de4dot to remove obfuscation, producing a cleaner assembly.

- Timeout: 120 seconds
- Returns: dict with success, output_path

### extract_strings(filepath, min_length)

Extracts ASCII and Unicode strings, classifies into URLs, IPs, emails, registry keys, base64, and suspicious keywords (keylog, stealer, webhook, etc.).

- Returns: dict[str, list[str]] - categorized indicator lists

### analyze_dotnet_metadata(filepath)

Uses monodis to extract assembly info, type definitions, and method counts.

- Returns: dict with type_count, method_count, types

### analyze_dotnet_malware(filepath, output_dir)

Full pipeline: hashes -> .NET check -> obfuscator detection -> deobfuscation -> strings -> metadata.

## Obfuscators Detected

| Obfuscator | Indicator |
|------------|-----------|
| ConfuserEx | Most common open-source .NET obfuscator |
| SmartAssembly | Commercial obfuscator by Redgate |
| .NET Reactor | Code protection with native stub |
| Dotfuscator | Microsoft-provided obfuscator |
| Eazfuscator | Commercial string/flow obfuscation |

## Suspicious String Keywords

keylog, screenshot, clipboard, password, credential, smtp, telegram, discord, webhook, stealer, inject, hook, persist, startup

## Usage

```bash
python agent.py suspect.exe
```