ConfuserEx .NET Packing
An open-source .NET protector whose packer compresses and encrypts the assembly into a blob that a stub loads from memory, layered with anti-tamper and constant encryption that restore method bodies and literals only at runtime.
ConfuserEx is a widely abused open-source obfuscator and packer for .NET
assemblies. Its packer (the Compressor module) turns the original managed assembly
into an LZMA-compressed, encrypted blob embedded as opaque data inside an outer
stub assembly. The common layout, and the one this page describes, is a manifest
resource; stock ConfuserEx carries the entry module as an RVA-initialised static
array and referenced assemblies as embedded resources served by an
AppDomain.AssemblyResolve handler. At startup the stub decrypts and decompresses
the inner module and loads it from memory with Assembly.Load(byte[]), so a
decompiler pointed at the file on disk sees only the loader and a packed blob, not
the real classes.
On top of packing, ConfuserEx layers protections that fire at runtime. Its anti-tamper protection stores the IL of protected methods encrypted in a separate section of the image and, from the module initializer, decrypts it in place with a lightweight XOR-based keystream derived from the image's own sections rather than a standard cipher (in its JIT mode it instead hooks the JIT compiler and decrypts each method as it is compiled). Its constant encryption replaces literal strings and numbers with calls into a decryptor that reconstructs them on demand from an encrypted table. Commodity .NET malware such as AgentTesla and AsyncRAT is frequently distributed wrapped in ConfuserEx for exactly this reason.
How it works
The outer stub locates its packed blob, decrypts and inflates it, and reflectively loads the recovered assembly; the anti-tamper routine belongs to the inner module and runs from its module initializer, so protected methods are only valid IL after that initializer has executed:
// ConfuserEx-style packer stub (simplified C#); Decrypt, Lzma, key, resourceName and ResolveFromResources stand for the stub's generated helpers
static void Main(string[] args)
{
    Assembly stub = Assembly.GetExecutingAssembly();
    byte[] blob;
    using (Stream s = stub.GetManifestResourceStream(resourceName)) // packed, encrypted inner module
    using (var ms = new MemoryStream()) { s.CopyTo(ms); blob = ms.ToArray(); }
    byte[] comp = Decrypt(blob, key);    // XOR-style cipher; key material is baked into the stub
    byte[] mod  = Lzma.Decompress(comp); // ConfuserEx's Compressor uses LZMA
    AppDomain.CurrentDomain.AssemblyResolve += ResolveFromResources; // dependencies are packed the same way
    Assembly real = Assembly.Load(mod);  // real payload assembly, loaded from memory, never written to disk
    // the inner module's own <Module>.cctor now runs anti-tamper, decrypting method bodies in place
    // before any protected method executes
    MethodInfo ep = real.EntryPoint;
    ep.Invoke(null, ep.GetParameters().Length == 0 ? null : new object[] { args });
}
In the layout described here the packed module lives in the managed resource table
(the CLI header's Resources directory, normally inside .text), not in the native
.rsrc section or in a PE section of its own; in stock ConfuserEx the entry module
is instead the RVA-initialised data of a static array field, so the high-entropy
blob may show up as field data rather than as a resource. The stub's own metadata
is minimal, and a <Module>.cctor (module initializer) drives unpacking in the stub
and anti-tamper decryption in the inner module before Main runs. Constant
decryption appears as repeated calls to a single static decryptor method (generic
in ConfuserEx) that returns the original string or integer.
Detection & analysis
Static analysis: A ConfuserEx-packed file is a .NET assembly with a tiny visible class set, a large high-entropy embedded blob (a managed resource in the layout described here, RVA field data in stock builds), and a module initializer or Main that does reflection and decompression (Assembly.Load, GetManifestResourceStream, an LZMA decoder). Decompilers (dnSpy, ILSpy) show string accesses replaced by calls into a decryptor, and method bodies that fail to decompile or decompile to garbage because their IL is still encrypted on disk. Distinctive anti-tamper and constant-protection patterns are recognised by deobfuscators such as de4dot and by detectors such as Detect It Easy.
Dynamic analysis: Run the sample under dnSpy and break in the module initializer or
on the Assembly.Load(byte[]) overload; the byte array passed to Assembly.Load is the
decrypted, decompressed inner module and can be saved directly, though its method
bodies are still anti-tamper-encrypted at that point. Once the real assembly is
loaded and its <Module>.cctor has rewritten the method bodies, dump the in-memory
module (dnSpy's Modules window can save a loaded module); the decrypted IL is now
valid and decompilable. de4dot can clean many ConfuserEx variants automatically
(restoring constants and removing anti-tamper); for hardened or forked samples,
dump the loaded module from the process first and then run cleanup on the dump.
The loaded assembly's entry point is the managed equivalent of the original entry
point (OEP).
Detection rule hint: Flag a .NET image whose module initializer or entry point
performs resource or field-data reads plus decompression and Assembly.Load(byte[]),
paired with a large high-entropy blob and pervasive single-method string/constant
accessors. Legitimate bundlers such as Costura.Fody also embed compressed
assemblies as resources and load them through AssemblyResolve, so the
distinguishing signals are the anti-tamper routine that rewrites IL at startup and
the constant accessors, not resource loading on its own.
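The two static signals above (the large high-entropy managed resource from the static-analysis paragraph and the combined rule in the detection hint) as an added Python triage script. This is example code written for this page, not code from ConfuserEx, de4dot or Detect It Easy. It assumes the packed blob is stored as a manifest resource, the layout this page describes (a stock ConfuserEx build that carries the entry module as RVA field data will not be seen by the resource walk), uses the thresholds MIN_BLOB and HIGH_ENTROPY chosen for illustration, and approximates the module-initializer check by looking for the loader API member names that sit unencrypted in the metadata string heap. The demo resource area it scans is constructed data, not real ConfuserEx output.

```python
"""Static triage for ConfuserEx-style .NET packing (example code for this page).
Follows PE data directory 14 (the CLR runtime header) to the managed resource area,
scores each resource by size and Shannon entropy, and checks the file for the loader
API names a packer stub must reference (member names sit unencrypted in the metadata
#Strings heap). MIN_BLOB and HIGH_ENTROPY are assumed thresholds, not ConfuserEx values."""
import hashlib
import math
import struct
import sys

MIN_BLOB = 16 * 1024   # assumption: smaller resources are ignored as icons/strings
HIGH_ENTROPY = 7.2     # assumption: bits/byte; compressed then encrypted data sits near 8.0
LOADER_NAMES = (b"GetManifestResourceStream", b"Load", b"Invoke", b"AssemblyResolve", b"EntryPoint")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def walk_managed_resources(area: bytes) -> list:
    """Split a CLI resources area into (offset, data) entries. Each managed resource is a
    little-endian uint32 length followed by its bytes, laid out back to back; the walk stops
    at zero padding or a misaligned entry. A full parser would follow the ManifestResource
    table offsets instead, but the big packed blob is normally the first entry anyway."""
    out, off = [], 0
    while off + 4 <= len(area):
        (size,) = struct.unpack_from("<I", area, off)
        if size == 0 or off + 4 + size > len(area):
            break
        out.append((off, area[off + 4:off + 4 + size]))
        off += 4 + size
    return out

def score(resources: list, file_bytes: bytes) -> dict:
    """Combine the two static signals: a large high-entropy managed resource plus
    reflective-loader member names somewhere in the image."""
    big = [(off, len(d), round(shannon_entropy(d), 2)) for off, d in resources if len(d) >= MIN_BLOB]
    packed = [r for r in big if r[2] >= HIGH_ENTROPY]
    names = [n for n in LOADER_NAMES if n in file_bytes]
    suspicious = bool(packed) and b"GetManifestResourceStream" in names and b"Load" in names
    return {"packed_resources": packed, "loader_names": names, "suspicious": suspicious}

def rva_to_offset(sections: list, rva: int) -> int:
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is outside every section" % rva)

def cli_resources(pe: bytes) -> bytes:
    """Return the raw managed resource area of a .NET PE, or b'' if it has none."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (nsect,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    dd_base = opt + (0x60 if magic == 0x10B else 0x70)  # data directories: PE32 vs PE32+
    clr_rva, _ = struct.unpack_from("<II", pe, dd_base + 14 * 8)  # directory 14 = CLR header
    if clr_rva == 0:
        return b""  # no CLR header: not a managed image
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    clr = rva_to_offset(sections, clr_rva)
    res_rva, res_size = struct.unpack_from("<II", pe, clr + 24)  # IMAGE_COR20_HEADER.Resources
    if res_rva == 0:
        return b""
    start = rva_to_offset(sections, res_rva)
    return pe[start:start + res_size]

def triage(pe: bytes) -> dict:
    return score(walk_managed_resources(cli_resources(pe)), pe)

def demo_area() -> bytes:
    """Constructed sample: a small icon-like resource, then a 32 KiB pseudo-random blob
    standing in for the packed, encrypted module (not real ConfuserEx output)."""
    blob = b"".join(hashlib.sha256(b"confuserex-demo-%d" % i).digest() for i in range(1024))
    icon = b"\x89PNG" + b"\0" * 60
    return struct.pack("<I", len(icon)) + icon + struct.pack("<I", len(blob)) + blob

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python triage.py suspect.exe
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:  # offline demo on the constructed resource area
        area = demo_area()
        print(score(walk_managed_resources(area), area + b"GetManifestResourceStream\0Load\0"))
```

Run it against a suspect file to get the list of large high-entropy resources and the loader names found; treat a hit as a reason to open the sample in dnSpy, not as a verdict, since compressed-resource bundlers produce the same resource signal without the anti-tamper IL rewrite.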