Using ILSpy to analyze a small adware file | Advanced Mobile Spy Software
My curiosity was triggered when the telemetry of our heuristic scanner started showing a multitude of reports about a small file called grandfather.exe, so I went out to grab a copy and have a look at it. As you can probably tell from some of the detection names at Virustotal, this is a MSIL (Microsoft Intermediate Language) file. There are a lot of tools to decompile MSIL executables, but ILSpy is my personal favorite. To demonstrate why, I will show you how I analyzed this very small executable that is part of the Adware.Dotdo family. Using ILSpy Once you have downloaded and unzipped the binaries from their site, you can run ILSpy.exe and click File > Open to navigate to the file that you like to look at. One advantage of ILSpy is that the code is shown in a very clear format. Even knowing how to read pseudocode and where to find .NET documentation will get you a long way, as I'm about to demonstrate. The code in the example Code is shown in C# format In this code slice, where the