
.NET Obfuscation

Revision as of 16:59, 31 July 2018 by Gtorok (talk | contribs) (Created complementary page for .NET (IL) vs. Java (Bytecode) Obfuscation)


What is .NET?

.NET is a free, cross-platform, open source developer platform for building many different types of applications. With .NET, you can use multiple languages, editors, and libraries to build for web, mobile, desktop, gaming, and IoT.

What are .NET Assemblies?

A .NET project generates assemblies (usually executables) that contain Intermediate Language (IL) instructions, managed resources, and metadata describing the types, methods, properties, fields and events. The metadata and IL instructions retain high-level information about your code, including its structure and its class, field, method, property and parameter names. With this information, anyone can understand the assembly structure and the method instructions and easily decompile the assembly back to high-level source code.

Why might I want to obfuscate .NET Assemblies / Executables?

An attacker could easily reverse engineer and/or debug a .NET program to understand how it was implemented, which would allow them to easily copy the functionality, or manipulate / steal sensitive information or algorithms. Obfuscating the application before releasing it modifies the executable so that it is difficult for a hacker to reverse engineer or probe. While obfuscation may change metadata or the actual method instructions, it does not alter the logic flow or the output of the program.

What are some techniques used by an Obfuscator?

  • Renaming to alter the name of methods and variables to make the decompiled source much harder for a human to understand. The new names can follow different schemes like "a", "b", "c", or numbers, characters from non-Latin scripts, unprintable characters or invisible characters. Names may be used multiple times in a scope by using method overloading. Name obfuscation is the most basic technique that is used by every .NET obfuscator solution. Microsoft’s Visual Studio includes a basic .NET Obfuscator by default which performs renaming.
  • Control Flow Obfuscation creates conditional, branching, and iterative constructs that produce valid executable logic, but yield non-deterministic semantic results when decompiled.
  • String Encryption hides strings in the executable and only restores their original value when needed. Since the string data must be restored automatically at runtime, a hacker could execute the application in a debugger to capture the string values.
  • Instruction Pattern Transformation converts common instructions to other, less obvious constructs, potentially confusing decompilers.
  • Dummy Code Insertion inserts code that does not affect the program’s logic, but breaks decompilers or makes reverse-engineered code harder to analyze.
  • Unused Code and Metadata Removal prunes out debug and non-essential metadata and unused code from applications to reduce the information available to an attacker.
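
The renaming and string encryption items above, side by side in C#, as an added example that is not from the original page or from any obfuscator product. The class `a` is a hand-written stand-in for tool output; the key value, the XOR-with-0x5A scheme and all names are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Original: these names are stored verbatim in the assembly metadata.
static class LicenseValidator
{
    public static bool IsValidKey(string licenseKey) =>
        licenseKey == "DEMO-KEY-0001"; // constructed sample value
}

// Hand-written stand-in for the same class after renaming and string encryption.
static class a
{
    // "DEMO-KEY-0001" XORed byte by byte with 0x5A (toy scheme, an assumption).
    static readonly byte[] b =
        { 0x1E, 0x1F, 0x17, 0x15, 0x77, 0x11, 0x1F, 0x03, 0x77, 0x6A, 0x6A, 0x6A, 0x6B };

    // Restores the string at run time; from this point the plaintext is in
    // memory, which is why a debugger can still capture it.
    static string c() => new string(b.Select(x => (char)(x ^ 0x5A)).ToArray());

    public static bool d(string e) => e == c();
}

static class Program
{
    // Prints the type, method and parameter names that the metadata exposes,
    // the same names a decompiler uses to rebuild readable source.
    static void Dump(Type t)
    {
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Static | BindingFlags.DeclaredOnly;
        foreach (MethodInfo m in t.GetMethods(all))
        {
            string args = string.Join(", ", m.GetParameters().Select(p => p.Name));
            Console.WriteLine($"{t.Name}.{m.Name}({args})");
        }
    }

    static void Main()
    {
        Dump(typeof(LicenseValidator)); // descriptive names survive compilation
        Dump(typeof(a));                // renamed members reveal nothing about intent
        // Both versions accept and reject the same inputs: logic is unchanged.
        Console.WriteLine(LicenseValidator.IsValidKey("DEMO-KEY-0001") == a.d("DEMO-KEY-0001"));
    }
}
```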

Attack Detection Technologies

While technically not obfuscation, App Hardening and Shielding tools typically have the ability to detect and respond to potential attacks on application code, including tamper detection, debug detection, and jailbroken device detection, making it harder for attackers to steal IP or gain access to sensitive data used by the application.

Further Reading