Posts

Showing posts from February, 2025

Issue with dotnetfile's get_user_stream_strings() and finding an alternative solution (ft. Redline Stealer)!

Introduction

While working on a config extractor for a Redline Stealer variant, I encountered an issue: when I open the executable in dnSpy I can see the encrypted strings (IP, key, ...), but when I try to automate the extraction using the dotnetfile module in Python, for some reason they don't show up in dotnetfile's get_user_stream_strings().

1- .NET Streams

.NET files contain a "Metadata" section, which contains chunks of bytes called Streams. We're interested in the #US stream:

#US: It's called User Strings. It contains Unicode strings that are referenced by code instructions (i.e. ldstr, which loads a string).

You can see these streams in CFF Explorer:

(1) .NET Stream in CFF Explorer

There are other streams; you can check ntcore's article to learn about the full format of a .NET executable. I might write about it in the future.

2- dotnetfile's get_user_stream_strings() didn't work

When I deobfuscated the executable and managed to get the strin...
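The #US layout described under ".NET Streams", as an added example (not code from this post or from dotnetfile): it decodes the length-prefixed UTF-16LE entries of a #US heap and resolves an ldstr token to its string, following the ECMA-335 encoding. The function names are hypothetical and the heap bytes are constructed sample data, not taken from any Redline sample.

```python
def read_compressed_uint(buf, pos):
    """Decode an ECMA-335 compressed unsigned int; return (value, next_pos)."""
    b0 = buf[pos]
    if b0 & 0x80 == 0x00:                      # 1 byte:  0xxxxxxx
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:                      # 2 bytes: 10xxxxxx xxxxxxxx
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:                      # 4 bytes: 110xxxxx + 3 bytes
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x1FFFFFFF, pos + 4
    raise ValueError(f"invalid length prefix at heap offset {pos:#x}")

def read_us_string(heap, offset):
    """Return the string stored at `offset` in the #US heap."""
    length, start = read_compressed_uint(heap, offset)
    if length == 0:
        return ""
    if start + length > len(heap):
        raise ValueError(f"entry at {offset:#x} runs past the end of the heap")
    # `length` counts the UTF-16LE bytes plus one trailing flag byte.
    return heap[start:start + length - 1].decode("utf-16-le", errors="replace")

def walk_us_heap(heap):
    """Walk the heap sequentially; return {offset: string} for each entry."""
    strings, pos = {}, 1                       # offset 0 is the empty entry
    while pos < len(heap):
        length, start = read_compressed_uint(heap, pos)
        if length:                             # zero bytes are alignment padding
            strings[pos] = read_us_string(heap, pos)
        pos = start + length
    return strings

def resolve_ldstr(heap, token):
    """Map an ldstr operand (0x70xxxxxx) to the #US string it references."""
    if token >> 24 != 0x70:
        raise ValueError("not a user-string token")
    return read_us_string(heap, token & 0x00FFFFFF)

def _entry(text):
    """Build one constructed heap entry (short strings only)."""
    data = text.encode("utf-16-le") + b"\x00"
    return bytes([len(data)]) + data

# Constructed sample heap: empty entry, two strings, one padding byte.
SAMPLE_HEAP = b"\x00" + _entry("192.0.2.10:8080") + _entry("ConstructedKey") + b"\x00"

if __name__ == "__main__":
    for off, s in walk_us_heap(SAMPLE_HEAP).items():
        print(f"{off:#06x}  {s!r}")
    print(resolve_ldstr(SAMPLE_HEAP, 0x70000021))
```
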