The ILDasm tool (also known as IL Disassembler tool), is a popular tool both for developers and researchers working with .NET programs. We rely heavily on ILDasm when performing static analysis on IL binary code level. Therefore, it’s important to use ILDasm in an efficient way. Besides having it pinned to the taskbar or desktop we need to get it integrated with the research environment.
Visual Studio Command Prompt
When Visual Studio is installed various Command Prompt shortcuts are added under Visual Studio Tools folder.
When Visual Studio Command prompt is started ILDasm is added to the
PATH environment variable. This allows to launch ILDasm by typing
ildasm in the command prompt.
External Tools in Visual Studio
Since we want to disassemble .NET binaries compiled in Visual Studio it’s worth to get ILDasm integrated with it.
To add ILDasm as an external tool to Visual Studio select
TOOLS, then select
External Tools... and provide the followings.
Title: I&L Disassembler
Command: C:\Program Files (x86)\Microsoft SDKs\Windows\v8.1A\bin\NETFX 4.5.1 Tools\ildasm.exe
Arguments: /SOURCE $(TargetDir)$(TargetName)$(TargetExt)
Initial directory: $(TargetDir)
Which looks like this in the GUI.
To run ILDasm on the compiled binary just select
TOOLS, then select
IL Disassembler. The keyboard shortcut is
Note, you might have noticed the
/SOURCE argument is provided for ILDasm. It’s there to show the source lines in the disassembly.
SendTo Context Menu
Having ILDasm in the SendTo Context menu can be useful if we want to run it on a selected file in the file explorer.
To add ILDasm to SendTo Context menu, press
Windows Logo+R and type
shell:sendto in the run dialog box. The location of SendTo Context menu will pop up in the file explorer where the shortcut to ILDasm needs to be created.
The location can be like this.
In certain situations we might prefer to output the disassembly text into file. It’s supported by ILDasm when
/OUT argument is used. Therefore we can generate output disassembly of a .NET program from SendTo Context menu.
This is what it looks like having ILDasm in SendTo Context menu.
When we need to disassemble a number of files into text files we use the following command called from
for /r %%i in (*.*) do ildasm "%%i" /text /out=c:\BatchDasm\%%~ni.%%~zi.il
The command runs ILDasm on all the files in the current folder and all subfolders. The resulting disassembly will be saved into
c:\BatchDasm. The resulting disassembly file is named like below.
<original filename>.<original filesize>.il
It was observed that ILDasm can crash even on legitimate Windows files. This can be just inconvenience but it can also raise security concerns.
Configuration of the Research Environment
The research environment has the following configuration.
Visual Studio 2013