Select Page

In this tutorial, I cover how to use ConfuserEx and neo-ConfuserEx to bypass antivirus. It’s worth mentioning that ConfuserEx only obfuscates .NET assemblies (compiled C# programs). I will use ConfuserEx to obfuscate a compiled version of the SafetyKatz project.

Now I know that the ConfuserEx program and even its successor neo-ConfuserEx are old, dating back to 2018, but they can still be useful.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.


What Is ConfuserEx?

Basically ConfuserEx is an open-source and very modern C# obfuscator. Officially, from the Github page, it says “ConfuserEx is an open-source protector for .NET applications. It is the successor of Confuser project.”

Some say that ConfuserEx is one of the hardest obfuscations to crack with 1-click programs.

How To Use ConfuserEx

It’s really simple the best way is to go to the Github page for the projects and download the latest releases. Then run the GUI application.

What no one seems to mention in all the other tutorials is that you need to drag the executable you want to obfuscate into the window of ConfuserEx. Doing so will automatically fill the details for the Base Directory field and the Output Directory field, and who doesn’t love some automation?

On top of that if these are auto-fill fields, should you really be filling them in manually…?

Next you have to go the Settings and click on the executable on the left panel. Now click on the + button on the right side and then click on the pencil button to edit the new rule. Here you can se the obfuscation setting, it goes from low mode to Maximum.

The settings for ConfuserEx and neo-ConfuserEx obfuscation are as follows: none, minimum, normal, aggressive, maximum these are the modes you can choose from. I went with maximum, because why not?

Once those settings are in place you will need to hit the Protect tab and finally the Protect! button to kick off the program.

When SafetyKatz is confused by the program it will be smaller than the original file.

How ConfuserEx Obfuscates

You can see the before and after pictures of the code within the SafetyKatz project source code. Using ILSpy I opened the projects in a decompiled state and am able to look at the actual source code, pretty neat huh?

The confused version looks like complete gibberish!

Now wether or not antivirus will detect the confused file as being bad is another question.

Using ConfuserEx On Covenant Launchers

Covenant already uses ConfuserEx by default in generating its launchers @cobbr right? so it could be overkill, but why not?

I tried using neo-ConfuserEx on a Covenant Launcher binary and it was not detected by Defender, but the grunt died almost instantly. The grunt goes to the Confused folder and is grown to almost 100 KB in size which is almost 100x larger than the original.

Try it out yourself and see what happens!

error: