Our audition team is examining an ERP application (.net) from of a client. After examining the source code, we are examining vendor dlls too by deobfuscating then, and also examining the process while its running.
We found out an Assembly that is been loaded and executed in runtime. We cannot find anymore information about this assembly. We assume that this dll is loaded from bytes and attached to the appdomain. This bytes can be in one of the resources or from an IsolatedStorage. We really don't know how to grab this dll so we can try to decompile it.
Some info: - Using process explorer, we are able to discover several dll paths that are loaded from the application. List of .net assemblies and paths. But for this assembly, there is no path, only his assembly name.
There is any way to 'extract' this dll from memory and save it? What can we do to at least know more information about this assembly?
Thanks, Conan.
Run the obfuscated files through de4dot. Then open the cleaned ones up in dnspy. You will then see the deobfuscated source code much better.