Mono.Cecil - obfuscated malicious code
In this great article (http://eatplayhate.wordpress.com/2010/07/18/mono-cecil-vs-obfuscation-fight/), the author claims that Mono.Cecil is not perfect, but that it translated a good 90% of the functions without any issues. My question to you guys is: Can an evil programmer obfuscate malicious code that could not be deobfuscated using Mono.Cecil and thus cause a serious breach in my program (3rd party code)? If the answer is yes, do you know what symbols I can use to write such code, or how I can protect myself from such code?
Of course an evil programmer can always obfuscate code better than you can deobfuscate it. Determining the behavior of arbitrary code in advance is an undecidable problem after all.

More practically, the obfuscation vs deobfuscation fight is just over who puts in more effort. Obfuscation is much easier than deobfuscation, but commercial obfuscators tend to be much less sophisticated than what you can write by hand or with a custom obfuscator, for various reasons. The fact that Mono Cecil is good enough to deobfuscate many common obfuscation tools doesn't mean it can do anything about the latter.

If you want to see some of the tricks you can pull with hand obfuscated code, take a look at this crackme. It's Java bytecode rather than CLI, but the idea is similar. As of this writing, no one has even solved it, despite the crackme consisting of a single method in a single class. And it doesn't even use Reflection, the proper use of which makes automated deobfuscation all but impossible.

The real question, however, is what you're trying to do with this. Are you trying to check arbitrary code for malicious behavior? Sorry, but that's not really possible. You need to run it in a sandbox.
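The answer's point about Reflection can be turned into a triage check on third-party assemblies. The following is an added example, not part of the original answer: it uses Mono.Cecil to list the call sites whose real target is only known at run time. The class name ReflectionTriage and the API list are assumptions made for illustration, and the list is incomplete. A hit is not proof of malice and an empty result is not proof of safety; each hit marks a place where reading the IL stops being enough and the sandbox the answer recommends has to take over.

```csharp
// Added example, not from the original post. Requires the Mono.Cecil NuGet package.
using System;
using System.Collections.Generic;
using System.Linq;
using Mono.Cecil;

static class ReflectionTriage   // hypothetical name
{
    // Assumption: illustrative, incomplete list of APIs that resolve their
    // target from run-time data, so the IL alone does not say what gets called.
    static readonly HashSet<string> Opaque = new HashSet<string>
    {
        "System.Type::GetType",
        "System.Type::GetMethod",
        "System.Type::InvokeMember",
        "System.Reflection.MethodBase::Invoke",
        "System.Reflection.Assembly::Load",
        "System.Reflection.Assembly::LoadFrom",
        "System.Reflection.Assembly::LoadFile",
        "System.Activator::CreateInstance",
        "System.Reflection.Emit.DynamicMethod::.ctor",
    };

    public static IEnumerable<string> Scan(string path)
    {
        using (var asm = AssemblyDefinition.ReadAssembly(path))
        {
            foreach (var type in asm.MainModule.GetTypes())   // includes nested types
            foreach (var method in type.Methods.Where(m => m.HasBody))
            foreach (var ins in method.Body.Instructions)
            {
                // call, callvirt, newobj and ldftn all carry a MethodReference operand
                if (!(ins.Operand is MethodReference target)) continue;
                var key = target.DeclaringType.FullName + "::" + target.Name;
                if (Opaque.Contains(key))
                    yield return $"{method.FullName} IL_{ins.Offset:x4}: {ins.OpCode.Name} {key}";
            }
        }
    }

    static int Main(string[] args)
    {
        // Path of the assembly to inspect; defaults to this program's own assembly.
        var path = args.Length > 0 ? args[0] : typeof(ReflectionTriage).Assembly.Location;
        var findings = Scan(path).ToList();
        findings.ForEach(Console.WriteLine);
        Console.WriteLine($"{findings.Count} call site(s) with a target resolved only at run time");
        return findings.Count == 0 ? 0 : 1;
    }
}
```

Cecil only parses the file and never loads or executes it, so the scan itself does not run the third-party code.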