creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/reverse-engineering-dotnet-malware-with-dnspy/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

69 lines
2.5 KiB
Markdown
Raw Blame History

# API Reference: .NET Malware Reverse Engineering with dnSpy Agent
## Overview
Analyzes .NET malware: validates CLR headers, detects obfuscators (ConfuserEx, SmartAssembly), deobfuscates with de4dot, extracts strings/IOCs, and parses .NET metadata via monodis.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| hashlib | stdlib | Sample hash computation |
| struct | stdlib | PE/CLR header parsing |
| re | stdlib | String pattern extraction |
## External Tools (Optional)
| Tool | Purpose |
|------|---------|
| diec (Detect It Easy) | Obfuscator identification |
| de4dot | Automated .NET deobfuscation |
| monodis | .NET assembly metadata extraction |
## Core Functions
### `detect_dotnet_assembly(filepath)`
Validates PE file has CLR header (COM descriptor directory entry).
- **Checks**: MZ signature, PE signature, optional header magic, CLR RVA
- **Returns**: `dict` with `is_dotnet`, `clr_header_rva`
### `detect_obfuscator(filepath)`
Runs Detect It Easy to identify ConfuserEx, SmartAssembly, .NET Reactor, Dotfuscator, Babel, Eazfuscator, Crypto Obfuscator.
- **Returns**: `dict` with `detected` list
### `deobfuscate_with_de4dot(filepath, output_path)`
Runs de4dot to remove obfuscation, producing a cleaner assembly.
- **Timeout**: 120 seconds
- **Returns**: `dict` with `success`, `output_path`
### `extract_strings(filepath, min_length)`
Extracts ASCII and Unicode strings, classifies into URLs, IPs, emails, registry keys, base64, and suspicious keywords (keylog, stealer, webhook, etc.).
- **Returns**: `dict[str, list[str]]` - categorized indicator lists
### `analyze_dotnet_metadata(filepath)`
Uses monodis to extract assembly info, type definitions, and method counts.
- **Returns**: `dict` with `type_count`, `method_count`, `types`
### `analyze_dotnet_malware(filepath, output_dir)`
Full pipeline: hashes -> .NET check -> obfuscator detection -> deobfuscation -> strings -> metadata.
## Obfuscators Detected
| Obfuscator | Indicator |
|------------|-----------|
| ConfuserEx | Most common open-source .NET obfuscator |
| SmartAssembly | Commercial obfuscator by Redgate |
| .NET Reactor | Code protection with native stub |
| Dotfuscator | Microsoft-provided obfuscator |
| Eazfuscator | Commercial string/flow obfuscation |
## Suspicious String Keywords
`keylog`, `screenshot`, `clipboard`, `password`, `credential`, `smtp`, `telegram`, `discord`, `webhook`, `stealer`, `inject`, `hook`, `persist`, `startup`
## Usage
```bash
python agent.py suspect.exe
```
Reference in New Issue View Git Blame Copy Permalink