[Question] Why dnlib over System.Reflection.Metadata?

[Mukul1127]

Description

I have been trying to see the differences between IlSpy and dnSpyEx and people keep saying that dnSpy is better because it uses dnlib vs IlSpy with Mono.Cecil. But now IlSpy is using System.Reflection.Metadata. So why doesn't dnSpyEx just also use System.Reflection.Metadata instead of porting IlSpy 8.2 to dnlib. If dnlib is better, why doesn't IlSpy also use it instead of System.Reflection.Metadata?

Thanks

[Mukul1127]

I'm asking here in issues as the discussions seem to be pretty dead.

I also noticed that dnlib is pretty much being maintained by dnSpyEx contributors so why don't they integrate it. I understand that some people may be using dnlib outside of dnSpyEx but to me, using System.Reflection.Metadata seems like a better option that new projects would use.

[ElektroKill]

Hi,

Let's get started by explaining the key differences between dnSpy(and by extension dnSpyEx) and ILSpy.

• ILSpy - focused strictly on decompilation, it is a read-only tool that aims to provide decompilation as accurately as possible when fed unobfuscated assemblies. ILSpy is not focussed on reverse engineering like dnSpy, it is strictly meant to be a decompiler.
• dnSpy - focused on reverse engineering of any kind of .NET assembly. dnSpy is not only about decompilation. It also offers debugging capabilities without the need to fire up an IDE or even have one installed. It also offers assembly editing which allows the user to edit the open file in any way they desire. dnSpy uses currently uses the ILSpy engine under the hood but in theory, it could use any engine for decompilation.

Now lets take a look at the metadata libraries in question

• System.Reflection.Metadata - an official library provided by MS that provides very low-level access to metadata. This library is used by Roslyna and other 1st party .NET tools. The library is great for reading and writing normal files emitted by the C# compiler but when it comes to the specially handcrafted binaries that abuse implementation quirks of the CLR, the library falls apart since it is based on the ECMA specification for .NET metadata rather than on the Microsoft implementation of this specification (yes, Microsoft's implementation does not strictly adhere to the specification and has some differences)'
• Mono.Cecil - a 3rd party library that was one of the first ones out there. It provides higher-level models of metadata compared to System.Reflection.Metadata. The library is thus easier to use for people less familiar with the intricacies of the metadata structures and makes manipulation easier. This library also suffers from the same issue regarding the difference between the official specification and the Microsoft implementation which results in the library being unable to properly read many obfuscated binaries.
• dnlib - A library developed with deobfuscation and reverse engineering in mind, it is based on the Microsoft implementation of the .NET specification and implements the same quirks and oddities that are found in the Microsoft implementation but are not found in the specification. This makes the library a good choice for anyone doing any kind of work with obfuscated assemblies. The library will read or try its best to read any file you give it. If the .NET runtime can execute a file, dnlib will most likely load it successfully.

The summary is that there is no ultimate library, each has its purpose and advantages/disadvantages and the choice will depend on what is necessary.

Now as for the choice of libraries:

• ILSpy uses System.Reflection.Metadata since it is also used in VS now and some Roslyn code analysis. ILSpy also does not need to edit assemblies or load obfuscated assemblies so the higher level metadata representation is not useful for them and they don't need dnlib's robustness. System.Reflection.Metadata makes ILSpy easy to use in other 1st-party .net tooling which also uses that library.
• dnSpy uses dnlib since this library is more robust when it comes to loading handcrafted obfuscated binaries which abuse quirks in .NET implementation not defined in the official specification. dnSpy's goal of being the goto .NET reverse engineering suite necessitates its use of dnlib.

Hope this answers your question! If you have follow-up questions, feel free to ask!

[Mukul1127]

Wow, this completely answered my questions and more! Thanks!