type: technique
confidence: high
created: 2026-06-02
updated: 2026-06-02
tags: obfuscation, dotnet, evasion, compiler, research-target

ConfuserEx Obfuscation

What It Does

ConfuserEx is an open-source .NET obfuscator that rewrites managed assemblies to impede reverse engineering. It operates at the IL level, applying heavy name mangling, constant encryption, control-flow flattening, resource compression, and anti-tamper delegates. Originally forked from the older Confuser project, it is widely used by malware authors because it is free, actively maintained, and trivially applied via a GUI or CLI pipeline.

Detection / Fingerprint

Static markers

  • Name mangling: All types, methods, fields, properties, and events are renamed to strings matching #=q[A-Za-z0-9_$]{10,}== (or extended variants with = padding). ^[sample fe81691f/strings.txt:278]
  • High-entropy .rsrc: The resource section often contains an encrypted or compressed payload (entropy ~7.9–8.0). In this sample, a PK\x03\x04 ZIP archive is embedded deep inside .rsrc, likely the encrypted plugin/config bundle. ^[/intel/analyses/fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5.html]
  • COR20 oddities: Some ConfuserEx variants rewrite the COR20 header or metadata stream offsets in ways that confuse standard parsers (e.g., unusual flags or entry-point tokens). ^[/intel/analyses/fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5.html]
  • Minimal IAT: Only mscoree.dll!_CorExeMain remains in the import table; everything else is resolved via .NET reflection.
  • No native packer: ConfuserEx is not a native packer — the PE remains a valid .NET assembly.

Behavioral markers

  • Decompilers (ILSpy, dnSpy) fail to produce readable C# until the obfuscation layer is stripped.
  • floss and static string analysis recover almost no meaningful API names; only mscorlib namespace strings survive.

Implementation Patterns Observed

  • Control-flow flattening: IL blocks are replaced with a large switch dispatch and exception-based branching.
  • Constant encryption: Immediate values and string constants are encrypted at compile time and decrypted at runtime via injected helper methods.
  • Resource encryption: Embedded resources are AES-encrypted or XOR-obfuscated, then extracted into memory streams at startup.
  • Anti-tamper: Integrity checks (hash of the assembly bytes) that raise exceptions if the binary is modified.
  • Name encryption (typo): Some variants rename everything to koi or similar short tokens; ConfuserEx prefers the #=q…== base64-like format.

Reproduce on Your Own VMs

  1. Install ConfuserEx
    # Download the ConfuserEx v1.6.0 CLI release and unpack it (PowerShell, matching the Windows paths used below)
    Invoke-WebRequest -Uri https://github.com/mkaring/ConfuserEx/releases/download/v1.6.0/ConfuserEx.CLI.zip -OutFile ConfuserEx.CLI.zip
    Expand-Archive -Path ConfuserEx.CLI.zip -DestinationPath C:\tools\ConfuserEx

  2. Build a simple .NET payload
    // A trivial .NET console app that opens a TCP socket to localhost; build it as MyApp.exe for step 3
    using System.Net.Sockets;
    static class Program {
        static void Main() { var client = new TcpClient(); client.Connect("127.0.0.1", 4444); }
    }

  3. Create a ConfuserEx project file (crproj); the rule element requires a pattern attribute, and pattern="true" selects every member of the module
    <project outputDir=".\obfuscated" baseDir=".\bin\Debug" xmlns="http://confuser.codeplex.com">
      <module path="MyApp.exe">
        <rule pattern="true" preset="maximum" />
      </module>
    </project>

  4. Run the obfuscator
    C:\tools\ConfuserEx\Confuser.CLI.exe .\obfuscate.crproj
    
  5. Verify
    # strings here is Sysinternals strings.exe; expect hundreds of mangled names
    strings .\obfuscated\MyApp.exe | Select-String "#=q"
    capa .\obfuscated\MyApp.exe | Select-String "dotnet"


Defensive Countermeasures

  • Deobfuscation: Use de4dot (legacy) or NoFuser / de4dot-cex to strip ConfuserEx protections. For modern forks, manual dnSpyEx debugging with Force JIT can recover decrypted strings.
  • Detection: YARA rules targeting the #=q…== name pattern plus high-entropy .rsrc detect most variants.
  • Memory forensics: Decrypted payloads and strings live in managed heap after JIT; dump with mimikatz sekurlsa::minidump or CLR profiler APIs.
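
A triage check for the two static markers above (the #=q…== name pattern from Detection / Fingerprint and the high-entropy .rsrc that the YARA note relies on), as an added Python example that is not part of this page or of ConfuserEx itself. It walks the COFF section table directly instead of depending on pefile; the 50-name and 7.5-bit thresholds and the synthetic PE produced by build_sample are this example's own assumptions, not values taken from the page.

```python
import math
import re
import struct
from collections import Counter

# ConfuserEx-style mangled identifiers, as stored UTF-8 in the #Strings metadata heap.
MANGLED_NAME = re.compile(rb"#=q[A-Za-z0-9_$]{10,}={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def pe_sections(image: bytes) -> dict:
    """Map section name -> raw section bytes, read straight from the COFF section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, _, _, _, opt_size = struct.unpack_from("<HIIIH", image, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size               # section headers follow the optional header
    sections = {}
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[raw_ptr:raw_ptr + raw_size]
    return sections

def fingerprint(image: bytes, min_names: int = 50, min_entropy: float = 7.5) -> dict:
    """Score the two static markers; both thresholds are this example's assumptions."""
    names = set(MANGLED_NAME.findall(image))
    entropy = shannon_entropy(pe_sections(image).get(".rsrc", b""))
    return {"mangled_names": len(names), "rsrc_entropy": round(entropy, 2),
            "likely_confuserex": len(names) >= min_names and entropy >= min_entropy}

def build_sample(obfuscated: bool = True) -> bytes:
    """Constructed stand-in (not a real assembly): bare PE skeleton, fake #Strings heap in .text, chosen .rsrc entropy."""
    if obfuscated:
        text = b"\0".join(b"#=qAbCdEfGhIj%03d==" % i for i in range(60)) + b"\0"
        rsrc = bytes(range(256)) * 16               # every byte value equally often: entropy 8.0
    else:
        text = b"\0".join([b"Program", b"Main", b"TcpClient", b"Connect"]) + b"\0"
        rsrc = b"\0" * 4096                         # constant buffer: entropy 0.0
    hdr_end = 0x40 + 24 + 2 * 40                    # DOS stub, COFF header (no optional header), two section headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    def sec(name, size, ptr):
        return struct.pack("<8sIIII", name, size, 0x1000, size, ptr) + b"\0" * 16
    return (dos + coff + sec(b".text", len(text), hdr_end)
            + sec(b".rsrc", len(rsrc), hdr_end + len(text)) + text + rsrc)
```

Running fingerprint() over a real sample replaces build_sample() with the file's bytes; the name count is taken over the whole image because the #Strings heap sits inside .text, not in its own section.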

Pages Where Observed

  • nanocore — VB.NET NanoCore RAT client heavily obfuscated with ConfuserEx.