Command-Line Interface
The Demeanor CLI is a cross-platform .NET global tool.
demeanor [options] <assembly>
demeanor <command> [options]
| Command | Description |
|---|
| (default) | Obfuscate an assembly |
inspector | Separate tool — see Metadata Inspector |
license | Decode and display license key information |
Obfuscate Command
Input / Output
| Option | Description | Default |
|---|
<assembly> | Path to the .NET assembly to obfuscate | (required) |
--out <dir> | Output directory | ./Demeanor/ |
Scope
| Option | Description | Default | Tier |
|---|
--include-publics | Also obfuscate public/protected symbols. Use for executables not referenced by other assemblies. | off | Enterprise |
--include-deps | Also obfuscate co-located private dependency assemblies. | off | Enterprise |
Naming
| Option | Description | Default | Tier |
|---|
--names <mode> | Alpha (a, b, c) or Unicode | Alpha | Unicode: Enterprise |
--prefix <ns> | Namespace prefix for obfuscated type names | (none) | Community |
--no-aggressive | Disable aggressive mode. When enabled: property and event metadata is stripped, compiler-emitted hints are removed, parameters are renamed, and default parameter values are stripped. | (enabled) | Enterprise |
--no-virtual-rename | Disable virtual override renaming. When enabled, overrides of framework methods like ToString, Equals, GetHashCode, and interface implementations are renamed; the runtime continues to dispatch correctly to the renamed methods. The decompiled output cannot be recompiled. | (enabled) | Enterprise |
--no-enum-deletion | Disable deletion of enum members. When enabled, decompilers see empty enums with no symbolic names or values; Enum.ToString() returns the raw integer. | (enabled) | Enterprise |
Protection Features
All protection features are enabled by default at Enterprise tier. At Community tier, only renaming is active.
| Option | Description | Default |
|---|
--no-strings | Disable string encryption | (enabled) |
--no-constants | Disable integer constant encryption | (enabled) |
--no-resources | Disable encryption of embedded resources | (enabled) |
--no-call-hiding | Disable call hiding (breaks the static call graph so decompilers cannot resolve which methods call which) | (enabled) |
--proxy-threshold <N> | Minimum method body size for call hiding (in bytes) | 16 |
--cfg <level> | Reorder, Predicates, or Flatten | Flatten |
--no-cfg | Disable control-flow obfuscation | (enabled) |
--no-hinder-reflection | Disable reflection hindrance. When enabled (default), reflection-based tools become less reliable and the .NET SDK’s ildasm refuses to open the assembly. | (enabled) |
--no-anti-tamper | Disable anti-tamper. When enabled, the application terminates immediately if the assembly is modified after the build. NativeAOT-compatible. | (enabled) |
--no-anti-debug | Disable anti-debug. When enabled, the application exits when a managed or native debugger attaches at runtime. NativeAOT-compatible. | (enabled) |
Exclusions
| Option | Description |
|---|
--exclude <name> | Exclude a type or member by fully-qualified name. Repeatable. |
--xr <pattern> | Exclude by regex pattern. Repeatable. |
--xa <assembly> | Exclude an assembly (with --include-deps). Repeatable. |
--add-assembly <name> | Include a dynamically referenced assembly. Repeatable. |
Category Exclusions
| Option | Description |
|---|
--no-enumerations | Disable enumeration renaming |
--no-events | Disable event renaming |
--no-fields | Disable field renaming |
--no-methods | Disable method renaming |
--no-parameters | Disable parameter renaming |
--no-properties | Disable property renaming |
--no-rename | Disable all renaming (types, methods, fields, properties, events, parameters). A member-level [Obfuscation(Feature="rename", Exclude=false)] or [Obfuscation(Feature="rename-propagate", Exclude=false)] opts the marked symbol back in. |
--no-resource-names | Disable resource name renaming |
--no-serializable | Exclude serializable types and their fields |
--no-types | Disable type renaming |
Reporting & Incremental (Enterprise)
| Option | Description |
|---|
--report | Generate JSON report mapping original to obfuscated names |
--report-file <path> | Path for the report file |
--prior-report <path> | Prior report for incremental obfuscation |
--satellite-assemblies | Update resource names in satellite assemblies |
--sa-cultures <culture> | Restrict satellite processing to specific cultures |
Strong Name Re-signing
| Option | Description |
|---|
--keyfile <path> | Strong name key file (.snk) |
--keycontainer <name> | Strong name key container |
Output Control
| Option | Description | Default |
|---|
--license <key> | License key (also reads DEMEANOR_LICENSE env var) | |
--verbose | Verbose obfuscation statistics | off |
--quiet | Suppress all non-error output | off |
--debug | Preserve debug data (PDB) | off |
--no-logo | Suppress the startup banner | off |
Metadata Inspector
The metadata inspector is a standalone CLI tool that installs alongside Demeanor (no license required to use it). See the full Inspector documentation.
inspector <assembly> [options]
license Command
Decode and display license key information.
demeanor license YOUR_LICENSE_KEY
Also reads from the DEMEANOR_LICENSE environment variable if no argument is provided.