How to: Determine if a DLL is .NET assembly (.NET DLL)
Given two DLL (Dynamic Link Library) files, how would we go about determining which one is a .NET assembly?
During malware analysis, we may come across DLLs that are actually .NET assemblies. To analyze assemblies further, decompilers such as dnSpy and ILSpy can be used instead of a disassembler and debugger like IDA.
In this case, to determine which DLL is the .NET assembly, we perform basic static analysis with CFF Explorer. CFF Explorer is available at https://ntcore.com/?page_id=388
For the sake of this how-to, we pick two DLLs native to the Windows 10 operating system: kernel32.dll (located at C:\Windows\System32) and System.Management.Automation.dll (located at C:\Windows\assembly\GAC_MSIL\System.Management.Automation\188.8.131.52__31bf3856ad364e35).
The first step is to verify that the files we have are actual DLL files. We open each one in CFF Explorer and click on Characteristics in the File Header section, as shown in the image below.
A small window shows up that confirms the file type.
Analysis of kernel32.dll
Open kernel32.dll in CFF Explorer and, in the left-hand column, take a look at the Data Directories:
[Image: kernel32.dll Data Directories]
Both the .NET Metadata Directory RVA and the .NET Metadata Directory Size are 0.
Then take a look at the Import Directory:
[Image: kernel32.dll Import Directory]
Take note of the number of DLLs kernel32.dll imports.
Analysis of System.Management.Automation.dll
Now open System.Management.Automation.dll and, as before, take a look at the Data Directories.
[Image: System.Management.Automation.dll Data Directories]
In this case the .NET Metadata values are non-zero.
Now look at the Import Directory:
[Image: System.Management.Automation.dll Import Directory]
Notice that in this case only mscoree.dll is imported.
By statically analyzing DLL files and looking at the Imports and the Data Directories, we can determine what kind of DLL we are dealing with and choose the appropriate tools for further analysis.
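As an added example (not part of the original how-to, and not CFF Explorer's code), the following Python script performs the same Data Directories check from the command line: it reads data directory 14 of the optional header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, which CFF Explorer labels .NET Metadata) and treats a non-zero RVA and size as a managed assembly. The build_minimal_pe function constructs a header-only PE image so the check can be exercised offline; pointing the script at real files such as kernel32.dll or System.Management.Automation.dll reproduces the native/managed split shown above.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics flag behind CFF Explorer's "File is a DLL"
CLR_DIRECTORY_INDEX = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = ".NET Metadata" directory

def parse_pe(data: bytes) -> dict:
    """Read the DLL flag and the .NET Metadata (CLR header) data directory from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<18xH", data, coff)[0]  # last field of the COFF header
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX:  # directory 14 only exists if the header declares it
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * CLR_DIRECTORY_INDEX)
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL), "clr_rva": clr_rva, "clr_size": clr_size}

def is_dotnet_assembly(data: bytes) -> bool:
    """Managed assemblies carry a non-zero .NET Metadata RVA and size; native DLLs carry 0 and 0."""
    info = parse_pe(data)
    return info["clr_rva"] != 0 and info["clr_size"] != 0

def build_minimal_pe(clr_rva: int, clr_size: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (test fixture, not a real Windows DLL) with the given directory 14."""
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt_size = dirs_off + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, IMAGE_FILE_DLL)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, count_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIRECTORY_INDEX, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":       # e.g. python pecheck.py C:\Windows\System32\kernel32.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, parse_pe(f.read()))
```

The import check from the how-to (only mscoree.dll imported) is a second, independent indicator; resolving the Import Directory requires section-to-file-offset mapping and is left out of this script.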
# static analysis, malware analysis, .NET Assembly