.NET Malware 101: Analyzing the .NET Executable File Structure
ID: 8ed5d4a4-4810-5c70-8cbc-360007547274
STIX ID: report--8ed5d4a4-4810-5c70-8cbc-360007547274
Feed Name: Intezer Blog
This document is a hands‑on technical guide to reverse-engineering .NET malware: it explains .NET compilation and runtime (CLR/JIT), assembly and metadata structures, metadata tokens, method body formats (Tiny/Fat), and the use of tools like dnSpy, ILSpy, and PEStudio, illustrating concepts with real malware examples (e.g., a SolarWinds/Sunburst sample hash) to teach analysts how to inspect and interpret .NET executables.
