How to: Determine if a DLL is a .NET assembly (.NET DLL)

The challenge

Given two DLL (Dynamic-Link Library) files, how would we go about determining which one is a .NET assembly?

The background

During malware analysis we may come across DLLs that are in fact .NET assemblies. Such files carry CIL bytecode and metadata rather than native machine code, so a .NET decompiler such as dnSpy or ILSpy recovers something close to the original C# and is a better starting point than a native disassembler and debugger like IDA.

The tool

In this case, to determine what each DLL actually is, we conduct basic static analysis with CFF Explorer, a PE header viewer available at https://ntcore.com/?page_id=388

The procedure

For the sake of this how-to we pick two DLLs that ship with the Windows 10 operating system: kernel32.dll (located at C:\Windows\System32) and System.Management.Automation.dll (located at C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35).

The first step is to verify that the files we have really are DLLs. Open each one in CFF Explorer and click Characteristics in the File Header section, as shown in the image below.

[Image: confirm dll file type] A small window shows up that confirms the file type: the DLL characteristic flag (IMAGE_FILE_DLL, 0x2000) is set.

Analysis of kernel32.dll

Open kernel32.dll in CFF Explorer and, in the left-hand column, look at the Data Directories:

[Image: kernel32.dll Data Directories]

The .NET MetaData Directory RVA and the .NET MetaData Directory Size are both 0. This is data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR); a zero entry means the image has no CLR header (IMAGE_COR20_HEADER) and therefore no managed code.

Then look at the Import Directory:

[Image: kernel32.dll Import Directory]

Take note of the number of DLLs kernel32.dll imports: like most native DLLs it depends on several other modules (ntdll.dll among them).

Analysis of System.Management.Automation.dll

Now open System.Management.Automation.dll and, as before, look at the Data Directories:

[Image: System.Management.Automation.dll Data Directories]

In this case the .NET MetaData values are non-zero: the entry points at the CLR header, and the metadata that header references begins with the "BSJB" signature that dnSpy and ILSpy parse.

Now look at the Import Directory:

[Image: System.Management.Automation.dll Import Directory]

Notice that in this case only mscoree.dll is imported, and from it a single function, _CorDllMain, the legacy stub that hands control to the CLR. Treat this import as a supporting indicator rather than proof: 64-bit managed images may omit it entirely, and mixed-mode (C++/CLI) assemblies import native DLLs alongside mscoree.dll. The .NET MetaData data directory is the check to rely on.
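The same two checks, scripted, as an added example that is not part of the original how-to: a small parser written for this page that reads the PE headers directly (no pefile dependency) and reports whether the .NET MetaData directory points at a CLR header with a valid "BSJB" metadata root, plus the imported DLL names and the IL-only flag that separates pure managed images from mixed-mode ones. So that it runs offline it also builds two constructed in-memory sample images, a native-style one importing ntdll.dll and KERNELBASE.dll and a managed-style one importing mscoree.dll; the function names, the sample layouts and the sample file names are this example's own assumptions. Given real paths on the command line, such as the two files from the procedure, it inspects those instead.

```python
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # ".NET MetaData Directory" in CFF Explorer's Data Directories
IMAGE_FILE_DLL = 0x2000                      # the DLL flag in File Header -> Characteristics
COMIMAGE_FLAGS_ILONLY = 0x1                  # IMAGE_COR20_HEADER.Flags bit: no native code in the image


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def inspect_pe(data):
    """Parse the PE headers, import table and CLR header of an in-memory image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                              # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                            # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))                             # tolerate a short directory table
    sections = []
    for i in range(nsect):                                          # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # Import directory: 20-byte IMAGE_IMPORT_DESCRIPTORs, terminated by an all-zero entry.
    imports = []
    imp_rva, _ = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT]
    if imp_rva:
        off = _rva_to_offset(imp_rva, sections)
        while (name_rva := struct.unpack_from("<I", data, off + 12)[0]) != 0:   # descriptor .Name field
            name_off = _rva_to_offset(name_rva, sections)
            imports.append(data[name_off:data.index(b"\x00", name_off)].decode("ascii", "replace"))
            off += 20

    # CLR header (IMAGE_COR20_HEADER): its presence, not the mscoree.dll import, is what makes the image managed.
    clr = None
    clr_rva, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    if clr_rva and clr_size:
        _cb, major, minor, meta_rva, _meta_size, flags = struct.unpack_from("<IHHIII", data, _rva_to_offset(clr_rva, sections))
        meta_off = _rva_to_offset(meta_rva, sections)
        clr = {"runtime_version": f"{major}.{minor}", "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
               "metadata_sig_ok": data[meta_off:meta_off + 4] == b"BSJB"}    # metadata root signature
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "imports": imports, "clr": clr,
            "is_dotnet": clr is not None and clr["metadata_sig_ok"]}


def classify(data):
    info = inspect_pe(data)
    if not info["is_dotnet"]:
        return "native"
    return "managed (IL-only)" if info["clr"]["il_only"] else "mixed-mode (managed + native)"


def build_sample(dll_names, managed):
    """Constructed test data: a minimal PE32 DLL with one section, an import table and optionally a CLR header."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray(20 * (len(dll_names) + 1))                     # descriptors; the last one is the terminator
    for i, name in enumerate(dll_names):
        struct.pack_into("<I", body, 20 * i + 12, sec_rva + len(body))  # Name RVA points at the string appended next
        body += name.encode() + b"\x00"
    clr_rva, clr_size = 0, 0
    if managed:
        body += b"\x00" * (-len(body) % 4)
        clr_rva, clr_size = sec_rva + len(body), 72
        body += struct.pack("<IHHIII", 72, 2, 5, clr_rva + 72, 16, COMIMAGE_FLAGS_ILONLY).ljust(72, b"\x00")
        body += b"BSJB" + struct.pack("<HHII", 1, 1, 0, 0)          # metadata root: signature + version 1.1
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102 | IMAGE_FILE_DLL)  # x86, 1 section, DLL
    opt = bytearray(224)                                            # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, 20 * (len(dll_names) + 1))
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, clr_size)
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, len(body), sec_rva, len(body), sec_raw)
    hdr = dos + b"PE\x00\x00" + coff + opt + sect
    return bytes(hdr.ljust(sec_raw, b"\x00") + body)


if __name__ == "__main__":
    # With file arguments (e.g. C:\Windows\System32\kernel32.dll) inspect real files; otherwise the constructed samples.
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [
        ("sample-native.dll", build_sample(["ntdll.dll", "KERNELBASE.dll"], managed=False)),
        ("sample-managed.dll", build_sample(["mscoree.dll"], managed=True))]
    for name, data in targets:
        info = inspect_pe(data)
        print(f"{name}: {classify(data)}; DLL={info['is_dll']}; imports={info['imports']}; clr={info['clr']}")
```

The verdict comes from the CLR header alone; the import list is printed only as the supporting signal the procedure describes, so a managed image with no import table at all is still reported as managed, and a mixed-mode assembly is called out through the IL-only flag rather than misfiled as native.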

Recap

By statically inspecting the Data Directories and the Import Directory of a DLL we can tell a native DLL from a .NET assembly and choose the appropriate tool for the next step: a native disassembler and debugger for the former, a .NET decompiler for the latter.

# static analysis, malware analysis, .NET Assembly