4. Debugging a .NET Application

When performing malware analysis, you will have to deal with analyzing a wide variety of code. You are likely to encounter malware created using Microsoft Visual C/C++, Delphi, and the .NET framework. In this section, we will take a brief look at a tool called dnSpy (https://github.com/0xd4d/dnSpy), which makes analyzing .NET binaries much easier. It is quite effective when it comes to decompiling and debugging a .NET application. To load a .NET application, you can drag and drop the application into dnSpy, or launch dnSpy and select File | Open, giving it the path to the binary. Once the .NET application is loaded, dnSpy decompiles it, and you can access the program's classes and methods in the left-hand window, named Assembly Explorer. The following screenshot shows the main function of the decompiled malicious .NET binary (named SQLite.exe):
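dnSpy only decompiles managed (.NET) assemblies, so a quick triage step before loading a sample is to confirm the PE actually carries a CLR runtime header; a native Visual C/C++ or Delphi binary needs a native debugger instead. The following script is an added example (not part of the book or of dnSpy) that parses the PE optional header and checks data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR); `build_sample_pe` is a constructed minimal header used only as offline sample input.

```python
import struct

# Index of the CLR runtime header in the optional header's data directory
# (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR); a non-zero entry marks a managed assembly.
CLR_DIRECTORY_INDEX = 14


def clr_directory(data: bytes):
    """Return (rva, size) of the CLR header from a PE image, or None if the
    input is not a PE file or has no CLR directory entry."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20                      # skip PE signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                           # PE32
            num_rva_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                         # PE32+
            num_rva_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        num_rva = struct.unpack_from("<I", data, num_rva_off)[0]
        if num_rva <= CLR_DIRECTORY_INDEX:           # directory table too short
            return None
        rva, size = struct.unpack_from("<II", data, dirs_off + CLR_DIRECTORY_INDEX * 8)
    except struct.error:                             # truncated header
        return None
    return (rva, size) if rva and size else None


def is_dotnet_pe(data: bytes) -> bool:
    """True when the PE carries a CLR header, i.e. dnSpy can decompile it."""
    return clr_directory(data) is not None


def build_sample_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 header (no sections, not executable) used as
    sample input; a real sample would be read with open(path, 'rb')."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # SizeOfOptionalHeader = 0xE0
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # 16 data directories
    dirs = bytearray(16 * 8)
    if managed:  # constructed RVA/size for the CLR entry
        struct.pack_into("<II", dirs, CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    for label, blob in (("managed", build_sample_pe(True)), ("native", build_sample_pe(False))):
        print(label, "->", "load in dnSpy" if is_dotnet_pe(blob) else "native PE, use a native debugger")
```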

Once the binary has been decompiled, you can either read the code (static code analysis) to determine the malware's functionality, or debug the code and perform dynamic code analysis. To debug the malware, you can either click on the Start button on the toolbar, or choose Debug | Debug an Assembly (F5); this will pop up the dialog shown here:

Using the Break at drop-down option, you can specify where to break when the debugger starts. Once you are satisfied with the options, you can click on OK, which will start the process under debugger control and pause the debugger at the entry point. Now, you can access various debugger options (such as Step Over, Step Into, Continue, and so on) via the Debug menu, shown in the following screenshot. You can also set a breakpoint by double-clicking on a line, or by choosing Debug | Toggle Breakpoint (F9). While you are debugging, you can make use of the Locals window to examine local variables or memory locations:

To get an idea of .NET binary analysis, and for a detailed analysis of the previously mentioned binary (named SQLite.exe), you can read the author's blog post at https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials/.