Deobfuscate .net Application. Missing Assembly/DLL loaded at runtime


Our audit team is examining an ERP application (.NET) from a client. After examining the source code, we are examining vendor DLLs too by deobfuscating them, and also examining the process while it's running.

We found an assembly that is being loaded and executed at runtime. We cannot find any more information about this assembly. We assume that this DLL is loaded from bytes and attached to the AppDomain. These bytes can be in one of the resources or come from IsolatedStorage. We really don't know how to grab this DLL so we can try to decompile it.

Some info:

- Using Process Explorer, we are able to discover several DLL paths that are loaded by the application (list of .NET assemblies and paths). But for this assembly, there is no path, only its assembly name.

Is there any way to 'extract' this DLL from memory and save it? What can we do to at least learn more about this assembly?

Thanks, Conan.


There are 2 best solutions below

2
On

Run the obfuscated files through de4dot. Then open the cleaned ones up in dnSpy. You will then see the deobfuscated source code much better.

1
On

There is a tool on the internet called MegaDumper by Code Cracker. It is a memory dumping tool. You simply run the program, and in MegaDumper right-click on the process and select ".NET dump". All the files the process is using will be dumped from memory into a dumps folder where the process was started. Just make sure to run MegaDumper as an Administrator.
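
One way to look for a path-less assembly in a process memory dump you already have, as an added example that is not part of either answer and not taken from any tool named above: scan the dump for PE headers and keep only those with a CLR runtime header. It assumes the assembly was loaded from a byte array and therefore sits in memory in file layout and contiguously in the dump; the function names and the sample bytes are constructed for illustration.

```python
import re, struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only in .NET images

def parse_managed_pe(dump, base):
    """Return (offset, file_size) if a PE with a CLR header starts at base, else None."""
    try:
        pe = base + struct.unpack_from("<I", dump, base + 0x3C)[0]   # e_lfanew
        if dump[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, = struct.unpack_from("<H", dump, pe + 6)
        opt_size, = struct.unpack_from("<H", dump, pe + 20)
        opt = pe + 24
        magic, = struct.unpack_from("<H", dump, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]                  # PE32 / PE32+
        ndirs, = struct.unpack_from("<I", dump, dirs - 4)
        rva, size = struct.unpack_from("<II", dump, dirs + 8 * CLR_DIR_INDEX)
        if ndirs <= CLR_DIR_INDEX or rva == 0 or size == 0:
            return None                                              # native image
        end = 0
        for i in range(nsec):   # on-disk size = end of the last raw section (overlay ignored)
            raw_size, raw_ptr = struct.unpack_from("<II", dump, opt + opt_size + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        return (base, end)
    except (struct.error, KeyError):   # truncated header or unknown optional-header magic
        return None

def find_managed_images(dump):
    """Check every 'MZ' in the dump; most are false positives and are rejected."""
    return [h for m in re.finditer(b"MZ", dump) if (h := parse_managed_pe(dump, m.start()))]

def build_sample_image(managed):
    """Constructed minimal PE32 headers for the demo; not a loadable assembly."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)       # e_lfanew
    struct.pack_into("<H", img, 0x46, 1)          # NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)       # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)      # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)    # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", img, 0x58 + 96 + 8 * CLR_DIR_INDEX, 0x2008, 0x48)
    struct.pack_into("<II", img, 0x58 + 0xE0 + 16, 0x200, 0x200)   # raw size, raw pointer
    return bytes(img)

if __name__ == "__main__":
    dump = b"\x00" * 0x30 + build_sample_image(False) + b"\xcc" * 0x10 + build_sample_image(True)
    for off, size in find_managed_images(dump):
        print(f"managed PE at dump offset {off:#x}, {size:#x} bytes")
```

Each hit can be written out with `dump[off:off + size]` and opened in a decompiler; a hit whose bytes match no file in the list of loaded module paths is the candidate for the assembly that was loaded from bytes.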