I recommend syft by anchore. It is an open source tool that works reasonably well. It can also include dll files in the output, if you point it at a folder containing them. However, in my experience it can get the PURL and CPE wrong for dlls. If your goal is to compare the SBOM to vulnerability databases (using grype, for example), it won't work. And of course syft won't decompile the dlls for you and include their dependencies as well. I feel like .NET projects are extra tricky, because they offer so many ways of including dependencies. Syft doesn't recognise them all. You'll definetely have to do some experimentation on your project.