ildasm.exe

  • File Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\ildasm.exe
  • Description: Microsoft .NET Framework IL disassembler
  • Comments: Flavor=Retail

Hashes

Type Hash
MD5 1EDEF2D2C5BE98582F8CBA566F3603F0
SHA1 FA4B04167B54E727898CA0326FF08FEDAADD5428
SHA256 16B83C1E88BF45EF528DA4FDA4CD0D174571D7597A6379492A12B26AB69DABA6
SHA384 694D63472776602E8CAF2D65F8939C53CF6B8B7F2E2FEEC3FA1E8C20D5C02F42E3CC7011CE8BE4A3D8194D2FE4470932
SHA512 6BB1CC8C7B6961AFA93A885EE03D42570132BC3008C4490EAFC44254F93631F654D4C0A1979FAAF986DE9AEA34389DDA08CB043E6E9B8647833A1BD13CAAE437
SSDEEP 12288:cArMxakG4g2X9/3L68Vzk4SMO7ky0VX2DIa6E4TDrVRe+JcbZTB6Xq3jmugHG5aO:pr1Z4g2X9/3L6YeMO7ky0VmDqNi+Jcbd
IMP 420AF2FBD6F4480F1FB6C114A447BB80
PESHA1 559344F8246649B32C12356F366C232395E25F7E
PE256 33077C8C2412A76924EB7561471589C6422C6D818C448B6E90119C8AA747202E

Runtime Data

Usage (stdout):

Microsoft (R) .NET Framework IL Disassembler.  Version 4.8.4084.0
Copyright (c) Microsoft Corporation.  All rights reserved.

INVALID COMMAND LINE OPTION: --help

Usage: ildasm [options] <file_name> [options]

Options for output redirection:
  /OUT=<file name>    Direct output to file rather than to GUI.
  /TEXT               Direct output to console window rather than to GUI.

  /HTML               Output in HTML format (valid with /OUT option only).
  /RTF                Output in rich text format (invalid with /TEXT option).
Options for GUI or file/console output (EXE and DLL files only):
  /BYTES              Show actual bytes (in hex) as instruction comments.
  /RAWEH              Show exception handling clauses in raw form.
  /TOKENS             Show metadata tokens of classes and members.
  /SOURCE             Show original source lines as comments.
  /LINENUM            Include references to original source lines.
  /VISIBILITY=<vis>[+<vis>...]    Only disassemble the items with specified
          visibility. (<vis> = PUB | PRI | FAM | ASM | FAA | FOA | PSC)
  /PUBONLY            Only disassemble the public items (same as /VIS=PUB).
  /QUOTEALLNAMES      Include all names into single quotes.
  /NOCA               Suppress output of custom attributes.
  /CAVERBAL           Output CA blobs in verbal form (default - in binary form).
  /NOBAR              Suppress disassembly progress bar window pop-up.

The following options are valid for file/console output only:
Options for EXE and DLL files:
  /UTF8               Use UTF-8 encoding for output (default - ANSI).
  /UNICODE            Use UNICODE encoding for output.
  /NOIL               Suppress IL assembler code output.
  /FORWARD            Use forward class declaration.
  /TYPELIST           Output full list of types (to preserve type ordering in round-trip).
  /PROJECT            Display .NET projection view if input is a .winmd file.
  /HEADERS            Include file headers information in the output.
  /ITEM=<class>[::<method>[(<sig>)]  Disassemble the specified item only

  /STATS              Include statistics on the image.
  /CLASSLIST          Include list of classes defined in the module.
  /ALL                Combination of /HEADER,/BYTES,/STATS,/CLASSLIST,/TOKENS

Options for EXE,DLL,OBJ and LIB files:
  /METADATA[=<specifier>] Show MetaData, where <specifier> is:
          MDHEADER    Show MetaData header information and sizes.
          HEX         Show more things in hex as well as words.
          CSV         Show the record counts and heap sizes.
          UNREX       Show unresolved externals.
          SCHEMA      Show the MetaData header and schema information.
          RAW         Show the raw MetaData tables.
          HEAPS       Show the raw heaps.
          VALIDATE    Validate the consistency of the metadata.
Options for LIB files only:
  /OBJECTFILE=<obj_file_name> Show MetaData of a single object file in library

Option key is '-' or '/', options are recognized by first 3 characters

Example:  ildasm /tok /byt myfile.exe /out=myfile.il


Child Processes:

ildasm.exe

Loaded Modules:

Path
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\ildasm.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001519E8D8F4071A30E41000000000151
  • Thumbprint: 62009AAABDAE749FD47D19150958329BF6FF4B34
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ildasm.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4084.0 built by: NET48REL1
  • Product Version: 4.8.4084.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/16b83c1e88bf45ef528da4fda4cd0d174571d7597a6379492a12b26ab69daba6/detection

Possible Misuse

The following table contains possible examples of ildasm.exe being misused. While ildasm.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
stockpile 7a6ba833-de40-466a-8969-5c37b13603e0.yml "ildasm", Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.