Hinder Reflection Enterprise

Reflection-based reverse engineering tools and the ILDASM disassembler are the first tools attackers reach for. Demeanor's reflection hindrance combines two techniques: writing an invalid EncBaseId to the Module table (confusing reflection-based tools) and injecting [SuppressIldasmAttribute] (preventing ILDASM from opening the assembly).

Usage

CLIMSBuildDefault
(enabled by default at Enterprise)(enabled by default)On
--no-hinder-reflection<ObfuscateNoHinderReflection>true</ObfuscateNoHinderReflection>Disable

What It Does

  • EncBaseId invalidation — writes 0xFFFF to the Module table's EncBaseId column (ECMA-335 II.22.30). The CLR ignores this field at runtime, but reflection-based tools may misinterpret it as Edit-and-Continue metadata, causing them to misparse the assembly.
  • SuppressIldasm injection — injects [SuppressIldasmAttribute] on the assembly. ILDASM checks for this attribute and refuses to disassemble the output. ILSpy and dnSpy ignore it, so this is a speed bump — but it blocks the most commonly available tool.

Before & After

BEFORE
$ ildasm MyApp.dll
// Opens normally — full IL visible
AFTER OBFUSCATION
$ ildasm MyApp.dll
Protected module -- cannot disassemble

When to Disable

  • Hot reload during development — EncBaseId invalidation interferes with the .NET hot reload mechanism. Only enable for Release builds (the default MSBuild configuration).
  • Plugin systems that enumerate types — if your host application uses Assembly.GetTypes() on obfuscated plugins, test that this doesn't cause ReflectionTypeLoadException.

Ready to protect your .NET code?

View Pricing All Options

[email protected] · wiseowlsoftware.com