Command-Line Interface
The Demeanor CLI is a self-contained native binary — no .NET runtime required.
demeanor [options] <assembly>
demeanor <command> [options]
| Command | Description |
|---|
| (default) | Obfuscate an assembly |
inspect | Separate tool — see Metadata Inspector |
license | Decode and display license key information |
Obfuscate Command
Input / Output
| Option | Description | Default |
|---|
<assembly> | Path to the .NET assembly to obfuscate | (required) |
--out <dir> | Output directory | ./Demeanor/ |
Scope
| Option | Description | Default | Tier |
|---|
--include-publics | Also obfuscate public/protected symbols. Use for executables not referenced by other assemblies. | off | Enterprise |
--include-deps | Also obfuscate co-located private dependency assemblies. | off | Enterprise |
Naming
| Option | Description | Default | Tier |
|---|
--names <mode> | Alpha (a, b, c) or Unicode | Alpha | Unicode: Enterprise |
--prefix <ns> | Namespace prefix for obfuscated type names | (none) | Community |
--no-aggressive | Disable aggressive mode. When enabled: all renamed members share the same name, property/event metadata is stripped, readonly and [CompilerGenerated] hints are removed, parameters are named a, default parameter values are stripped. | (enabled) | Enterprise |
--no-virtual-rename | Disable MethodImpl-based virtual override renaming. When enabled, overrides of ToString, Equals, GetHashCode, and interface implementations are renamed and wired via MethodImpl records. The decompiled output cannot be recompiled. | (enabled) | Enterprise |
--no-enum-deletion | Disable deletion of enum member fields. When enabled, all static literal fields on renamed enums are deleted — decompilers see empty enums with no symbolic names or values. Enum.ToString() returns the raw integer. | (enabled) | Enterprise |
Protection Features
All protection features are enabled by default at Enterprise tier. At Community tier, only renaming is active.
| Option | Description | Default |
|---|
--no-strings | Disable string encryption | (enabled) |
--no-constants | Disable integer constant encryption | (enabled) |
--no-resources | Disable encryption of embedded resources | (enabled) |
--no-call-hiding | Disable call hiding (delegate-backed relay methods that hide call targets from static analysis) | (enabled) |
--proxy-threshold <N> | Minimum IL body size for proxying | 16 |
--cfg <level> | Reorder, Predicates, or Flatten | Flatten |
--no-cfg | Disable control flow obfuscation | (enabled) |
--no-hinder-reflection | Disable reflection hindrance. When enabled (default): injects metadata constructs that hinder reflection-based tools and prevents ILDASM disassembly. | (enabled) |
--no-anti-tamper | Disable anti-tamper integrity verification. When enabled, a module initializer verifies the assembly has not been modified post-build. NativeAOT-compatible. | (enabled) |
--no-anti-debug | Disable anti-debug detection. When enabled, debugger detection checks are scattered across method entry points. NativeAOT-compatible. | (enabled) |
Exclusions
| Option | Description |
|---|
--exclude <name> | Exclude a type or member by fully-qualified name. Repeatable. |
--xr <pattern> | Exclude by regex pattern. Repeatable. |
--xa <assembly> | Exclude an assembly (with --include-deps). Repeatable. |
--add-assembly <name> | Include a dynamically referenced assembly. Repeatable. |
Category Exclusions
| Option | Description |
|---|
--no-types | Disable type renaming |
--no-methods | Disable method renaming |
--no-fields | Disable field renaming |
--no-properties | Disable property renaming |
--no-events | Disable event renaming |
--no-parameters | Disable parameter renaming |
--no-enumerations | Disable enumeration renaming |
--no-resource-names | Disable resource name renaming |
--no-serializable | Exclude serializable types and their fields |
Reporting & Incremental (Enterprise)
| Option | Description |
|---|
--report | Generate JSON report mapping original to obfuscated names |
--report-file <path> | Path for the report file |
--prior-report <path> | Prior report for incremental obfuscation |
--satellite-assemblies | Update resource names in satellite assemblies |
--sa-cultures <culture> | Restrict satellite processing to specific cultures |
Strong Name Re-signing
| Option | Description |
|---|
--keyfile <path> | Strong name key file (.snk) |
--keycontainer <name> | Strong name key container |
Output Control
| Option | Description | Default |
|---|
--license <key> | License key (also reads DEMEANOR_LICENSE env var) | |
--verbose | Verbose obfuscation statistics | off |
--quiet | Suppress all non-error output | off |
--debug | Preserve debug data (PDB) | off |
--no-logo | Suppress the startup banner | off |
license Command
Decode and display license key information.
demeanor license YOUR_LICENSE_KEY
Also reads from the DEMEANOR_LICENSE environment variable if no argument is provided.