
Disassemble and debug dynamic generated code executed via delegate in c#

Reverse Engineering Asked by n0t0r1us on May 19, 2021

I’m trying to reverse engineer some malware using dnSpy that at some point does this:

delegate IntPtr H7IREAEBYY(string path, IntPtr data);

// Native code blob embedded in the assembly (elided in the original listing)
byte[] array = new byte[]
        { 233, 151, ... };

IntPtr value = IntPtr.Zero;
// 12288U = 0x3000 = MEM_COMMIT | MEM_RESERVE, 64U = 0x40 = PAGE_EXECUTE_READWRITE
IntPtr intPtr = W47PO0IHP8.VirtualAlloc(IntPtr.Zero, (uint)array.Length, 12288U, 64U);
// Copy the blob into the executable region and wrap its start address in a managed delegate
Marshal.Copy(array, 0, intPtr, array.Length);
W47PO0IHP8.H7IREAEBYY h7IREAEBYY = (W47PO0IHP8.H7IREAEBYY)Marshal.GetDelegateForFunctionPointer(intPtr, typeof(W47PO0IHP8.H7IREAEBYY));
// Calling the delegate transfers control to the native code
h7IREAEBYY(path, intPtr2);

When the delegate is executed, the debugger steps over the delegate and I can’t analyze that code. How can I analyze or disassemble the code in the array that is executed through the delegate?

One Answer

You cannot do that with dnSpy, as the code stored in the array is not managed code but native. So you have to extract those bytes, save them to a file and analyze them separately with a native disassembler like r2, Ghidra, IDA etc.

As for stepping into it, it's the same: you have to use a native debugger and not the one from dnSpy.

Since this is a mixed binary, it might be tricky to set up the system in such a way that you could step from the part of the code debugged in dnSpy to the other part that is native.

Answered by Paweł Łukasik on May 19, 2021
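The extraction step the answer describes, as an added example that is not part of the original thread: a small Python script that pulls the `new byte[] { ... }` initializer out of the decompiled C# text, decodes the `VirtualAlloc` flags to confirm the region is executable, and writes the blob to a file for r2/Ghidra/IDA. The snippet it parses is a constructed stand-in with made-up bytes, since the real array is elided on the page; the function names are mine.

```python
import re
from pathlib import Path

# Constructed stand-in for the dnSpy output quoted in the question. The real sample's
# array is elided ("...") on the page, so these six bytes are made up for the demo.
DECOMPILED_SNIPPET = """
byte[] array = new byte[]
        { 233, 151, 0x10, 0, 0, 0xC3 };
IntPtr intPtr = W47PO0IHP8.VirtualAlloc(IntPtr.Zero, (uint)array.Length, 12288U, 64U);
"""

# Documented Win32 constants used by VirtualAlloc.
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_EXECUTE_MASK = 0xF0   # every PAGE_EXECUTE* protection sets a bit in this nibble
X86_JMP_REL32 = 0xE9       # opcode of JMP rel32; 233 is the first byte in the question

def extract_byte_array(source: str) -> bytes:
    """Return the first `new byte[] { ... }` initializer in decompiled C# as bytes."""
    m = re.search(r"new\s+byte\[\]\s*\{([^}]*)\}", source)
    if not m:
        raise ValueError("no byte[] initializer found")
    tokens = [t for t in re.split(r"[,\s]+", m.group(1).strip()) if t]
    values = [int(t, 0) for t in tokens]          # dnSpy emits decimal; hex is accepted too
    if any(not 0 <= v <= 0xFF for v in values):
        raise ValueError("byte literal out of range")
    return bytes(values)

def virtualalloc_flags(source: str) -> dict:
    """Decode the allocation type and protection (3rd and 4th VirtualAlloc arguments)."""
    m = re.search(r"VirtualAlloc\([^,]+,[^,]+,\s*(\d+)U?,\s*(\d+)U?\)", source)
    if not m:
        raise ValueError("no VirtualAlloc call found")
    alloc_type, protect = int(m.group(1)), int(m.group(2))
    return {"commit": bool(alloc_type & MEM_COMMIT), "reserve": bool(alloc_type & MEM_RESERVE),
            "executable": bool(protect & PAGE_EXECUTE_MASK)}

def triage(source: str) -> dict:
    """Summarise what a native disassembler should be pointed at."""
    blob = extract_byte_array(source)
    return {"size": len(blob), "entry_is_jmp_rel32": bool(blob) and blob[0] == X86_JMP_REL32,
            **virtualalloc_flags(source)}

def dump_blob(source: str, out_path: str) -> int:
    """Write the extracted bytes to a raw file (load it as raw x86/x64 in the disassembler)."""
    return Path(out_path).write_bytes(extract_byte_array(source))
```

Run `triage(DECOMPILED_SNIPPET)` on the real decompiled text first; if the protection is not executable or the first byte is not a plausible instruction, the array is probably data or still encoded rather than the shellcode itself.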
