A tool for reverse engineering the configuration a ConfuserEx-protected file was built with.
This helps with malware detection and with reverse engineering in general, because you can see at a glance which protections need to be deobfuscated.
- Watermark (ConfuserEx_Watermark)
- General (ConfuserEx_General)
  - Detects ConfuserEx even when watermarks are removed using a renaming pattern it uses internally
- Anti Ildasm (SuppressIldasm)
- Anti Tamper (ConfuserEx_AntiTamper_Normal, ConfuserEx_AntiTamper_JIT, ConfuserEx_2_AntiTamper_Anti, ConfuserEx_2_AntiTamper_Normal)
  - Distinct rules for normal (1 and 2), JIT mode, or Anti mode (ConfuserEx 2)
- Constants encryption (ConfuserEx_Constants)
- Control Flow (ConfuserEx_ControlFlow_Switch)
  - Switch mode only
- Anti Dump (ConfuserEx_AntiDump)
- Anti Debug (ConfuserEx_AntiDebug_Safe, ConfuserEx_AntiDebug_Win32, ConfuserEx_AntiDebug_Antinet)
  - Distinct rules for safe, win32, and antinet
- Invalid Metadata (ConfuserEx_InvalidMetadata)
- Reference Proxy
  - Strong mode only (ConfuserEx_RefProxy_Strong)
- Resource protection (ConfuserEx_Resources_Protection)
- Packer/Compressor (ConfuserEx_Packer)
Not every config option is detected (e.g. constants.decoderCount), but the major ones that are useful to know are.
If anti-tamper is on, the following protections will not be detected:
- Constants encryption
- Control Flow
This is because anti-tamper dynamically encrypts the code, so the bytes are different each time. Remove the anti-tamper protection and then run the rules again.
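When reading scan results, this caveat means a missing Constants or Control Flow match is inconclusive whenever an anti-tamper rule matched. The following is an added example, not part of this tool: it turns a list of matched rule names into a per-protection report. The list-of-strings input, the function name `summarize`, and the mode labels (read off the rule-name suffixes) are assumptions.

```python
# Added example, not the tool's own code. Rule names are those listed in this README.
RULES = {
    "ConfuserEx_Watermark": ("Watermark", None),
    "ConfuserEx_General": ("General", None),
    "SuppressIldasm": ("Anti Ildasm", None),
    "ConfuserEx_AntiTamper_Normal": ("Anti Tamper", "normal"),
    "ConfuserEx_AntiTamper_JIT": ("Anti Tamper", "jit"),
    "ConfuserEx_2_AntiTamper_Anti": ("Anti Tamper", "ConfuserEx 2 anti"),
    "ConfuserEx_2_AntiTamper_Normal": ("Anti Tamper", "ConfuserEx 2 normal"),
    "ConfuserEx_Constants": ("Constants encryption", None),
    "ConfuserEx_ControlFlow_Switch": ("Control Flow", "switch"),
    "ConfuserEx_AntiDump": ("Anti Dump", None),
    "ConfuserEx_AntiDebug_Safe": ("Anti Debug", "safe"),
    "ConfuserEx_AntiDebug_Win32": ("Anti Debug", "win32"),
    "ConfuserEx_AntiDebug_Antinet": ("Anti Debug", "antinet"),
    "ConfuserEx_InvalidMetadata": ("Invalid Metadata", None),
    "ConfuserEx_RefProxy_Strong": ("Reference Proxy", "strong"),
    "ConfuserEx_Resources_Protection": ("Resource protection", None),
    "ConfuserEx_Packer": ("Packer/Compressor", None),
}
# Per the README, these go undetected while anti-tamper is still applied.
MASKED_BY_ANTI_TAMPER = ("Constants encryption", "Control Flow")

def summarize(matched):
    """Return (report, rescan_needed, unrecognized_rule_names)."""
    found, unknown_rules = {}, []
    for name in matched:
        if name in RULES:
            protection, mode = RULES[name]
            found.setdefault(protection, set()).update([mode] if mode else [])
        else:
            unknown_rules.append(name)  # not one of the README's rule names
    anti_tamper = "Anti Tamper" in found
    report = {}
    for protection, _ in RULES.values():
        if protection in found:
            modes = ", ".join(sorted(found[protection]))
            report[protection] = f"detected ({modes})" if modes else "detected"
        elif anti_tamper and protection in MASKED_BY_ANTI_TAMPER:
            # Absence is inconclusive: anti-tamper has encrypted the code.
            report[protection] = "unknown (remove anti-tamper, rescan)"
        else:
            report[protection] = "not detected"
    rescan = anti_tamper and any(v.startswith("unknown") for v in report.values())
    return report, rescan, unknown_rules

# Constructed scan result for a sample that still has anti-tamper applied.
SAMPLE = ["ConfuserEx_General", "ConfuserEx_AntiTamper_JIT",
          "ConfuserEx_AntiDebug_Win32", "ConfuserEx_AntiDebug_Safe"]
```

A "not detected" status for Control Flow or Reference Proxy only covers the modes the rules handle (switch and strong, respectively).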
Detect specific alterations for:
- Original: https://github.com/yck1509/ConfuserEx (Done)
- ConfuserEx Fork: https://github.com/mkaring/ConfuserEx
- ConfuserEx 2: https://github.com/Desolath/ConfuserEx2/commits/master/
- NEO ConfuserEx: https://github.com/XenocodeRCE/neo-ConfuserEx