Getting Started Guide
How to Install and Use dnSpy
This guide covers installing dnSpy on Windows and using it to decompile, debug, and modify .NET assemblies.
Prerequisites
- -Windows
- -A .NET executable or DLL to analyze
Install dnSpy
Download dnSpy from GitHub releases. It's portable - no installer.
Download
# Download latest from https://github.com/dnSpy/dnSpy/releases
# Extract zip
# Run dnSpy.exeOr via Chocolatey
choco install dnspyNote: The original repo is archived but the tool still works perfectly. Several community forks continue development.
Load and Decompile
Open a .NET assembly and browse the decompiled C# source code.
GUI steps
# File > Open > Select .exe or .dll
# Assembly tree appears on the left
# Click any class/method to see decompiled C# code
# Right-click > Go to Entry Point to find main()Note: dnSpy produces very clean C# output from compiled .NET assemblies. Variable names, method signatures, and string literals are all preserved because .NET metadata is rich.
Debug Without Source
Set breakpoints and debug .NET applications without having the source code. This is dnSpy's killer feature.
Debug steps
# Debug > Start Debugging (F5) to launch the exe under debugger
# Or Debug > Attach to Process for running applications
# Click in the margin to set breakpoints
# F10 = Step Over, F11 = Step Into
# Locals/Watch windows show variable valuesEdit and Patch
Modify IL code or C# directly and save the patched assembly.
Edit steps
# Right-click a method > Edit Method Body (IL)
# Or Right-click a method > Edit Method (C#)
# Make changes in the editor
# File > Save Module to write the patched assemblyNote: You can change string comparisons, bypass license checks, modify return values, or add logging. Save creates a new patched binary.
Search Across Assemblies
Search for strings, types, methods, and references across loaded assemblies.
Search features
# Edit > Search Assemblies (Ctrl+Shift+K)
# Search for: passwords, API keys, crypto operations
# Analyze tab shows cross-references (who calls this method?)Note: For malware analysis, search for crypto-related classes (AES, RSA), network classes (HttpClient, Socket), and file operations (File.Write, Registry). These reveal the malware's capabilities quickly.