Reverse Engineering Assemblies
When you receive an unfamiliar .NET assembly, the temptation is to decompile everything at once. That works for small libraries, but for anything substantial you will drown in output. A structured approach yields better results with less effort.
Reconnaissance First
Section titled “Reconnaissance First”Start with get_metadata_summary to understand the scale of what you are dealing with. This reads PE headers and .NET metadata tables directly and returns type, method, field, and event counts alongside referenced assemblies and target framework.
"Give me a metadata summary of MyApp.dll"The referenced assemblies list is particularly revealing. References to System.Net.Http suggest network operations. EntityFramework means database access. Newtonsoft.Json or System.Text.Json indicates serialization. These clues guide where to focus.
Enumerate the Type Structure
Section titled “Enumerate the Type Structure”Next, use list_types to see what exists. By default it lists classes, but you can include interfaces, structs, enums, and delegates:
"List all classes and interfaces in MyApp.dll"Results are grouped by namespace, which reveals the application’s architecture at a glance. Most .NET projects organize namespaces by concern — MyApp.Services, MyApp.Models, MyApp.Controllers, and so on.
Search Before You Decompile
Section titled “Search Before You Decompile”Rather than decompiling entire namespaces, use search_types and search_methods to locate specific areas of interest. These tools support substring matching and regex:
"Search for types containing 'Auth' in MyApp.dll""Find all methods with 'Handle' in their name, filtered to the Events namespace"The namespace_filter parameter is especially useful for large assemblies. If you see 40 namespaces in the type listing, narrow your search to the one that matters.
Decompile Targeted Types
Section titled “Decompile Targeted Types”Once you know which types are interesting, decompile them individually with decompile_assembly using the type_name parameter:
"Decompile the MyApp.Auth.TokenValidator class"This returns just that class, keeping output manageable. For types with complex inheritance, decompile the base classes and interfaces separately to build a full picture.
Visualize Relationships
Section titled “Visualize Relationships”For understanding how types relate to each other, generate_diagrammer creates an interactive HTML diagram showing inheritance hierarchies, interface implementations, and dependencies:
"Generate a diagram of MyApp.dll focusing on the Services namespace"Use include_pattern to focus on a specific namespace and exclude_pattern to hide generated code like <>c__DisplayClass compiler artifacts.
Working with Namespaces
Section titled “Working with Namespaces”Large enterprise assemblies can have deeply nested namespaces. A few techniques for staying oriented:
- Filter by namespace on
search_methods,search_fields, andsearch_typesto scope results to a single area. - Look for entry points by searching for
Main,Startup,Configure, orProgrammethods to find where execution begins. - Trace dependencies by decompiling a type, noting what other types it references, and following the chain.
The metadata tools (search_methods, search_fields, search_properties, list_events) all work without ilspycmd, so you can do extensive reconnaissance before installing the decompilation engine.