This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Sorry, the slides for this webcast are not available for download.

Oh You Silly Framework!: An Intro to Analyzing .NET Malware - SANS@Mic Sydney

  • Wednesday, November 04, 2020 at 4:00 AM EST (2020-11-04 09:00:00 UTC)
  • Ryan Chapman




Malware written using Microsoft's (MS's) .NET Framework operates differently from your standard compiled Portable Executable (PE). The framework, often pronounced "dot net," provides modern, functional, and easy-to-use assemblies for creating current-generation software. Once code written in C Sharp (C#), Visual Basic (VB.NET), or another .NET language is compiled, the result is MS Intermediate Language (MSIL). Upon being executed, the MSIL-based PE uses a just-in-time (JIT) compiler to generate native code, which is what we see run when .NET software/malware executes. Wonderfully for the malware hobbyist and reverse engineering guru alike, MSIL PEs are easily decompiled back to source code. In this talk, SANS Instructor Ryan Chapman will provide an overview of the .NET Framework, discuss malware families known to depend upon the framework, and provide analysis methodologies and tools for ripping these samples apart with ease.

Speaker Bio

Ryan Chapman

Ryan Chapman is a hacker, consultant, speaker, and trainer. He works as a Principal Incident Response Consultant for BlackBerry (formerly Cylance). Ryan also teaches SANS FOR610: Reverse Engineering Malware and is the lead organizer for CactusCon, Arizona's hacker conference. He has a zest for life-long learning and loves to present, having presented talks and workshops at conferences such as DefCon, BSides, CactusCon, Splunk .Conf, and more. With Ryan, it's all about the blue team!
