
Dump a .NET assembly from a native loader which uses CLRCreateInstance

Primary language: C++. License: MIT.

ClrDumper

ClrDumper can dump .NET assemblies and scripts from:

  • Native CLR loaders
  • Managed assemblies (in-memory loading via Assembly.Load(byte[]))
  • Executables that host VBScript/JScript
  • VBScript or JScript
  • PowerShell scripts

ClrDumper can also dump scripts at every stage, such as eval or Execute.

For Native loaders

ClrDumper.exe -nativeclr [PATH_TO_EXE]

For Managed Assemblies

ClrDumper.exe -asmload [PATH_TO_EXE]

For VbScript

ClrDumper.exe -vbscript [PATH_TO_VBS]

For JScript

ClrDumper.exe -jscript [PATH_TO_JS]

For Powershell

ClrDumper.exe -powershell [PATH_TO_PS1]

For Executables which host vbscript/jscript/powershell

ClrDumper.exe -jscript [PATH_TO_EXE]
ClrDumper.exe -vbscript [PATH_TO_EXE]
ClrDumper.exe -powershell [PATH_TO_EXE]

ClrDumper injects HookClr.dll into the target processes. Please ensure the DLL is in the same directory as ClrDumper.exe.

Bypasses all debugger checks and obfuscation!

NOTE: THIS PROGRAM WILL RUN YOUR TARGET TO EXTRACT THE ASSEMBLY. USE AT YOUR OWN RISK.
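
To confirm that a file produced by a dump run really is a .NET assembly, the following added example (not part of ClrDumper or its README) checks the PE data directories for a CLR header entry. The function names and sample buffers are constructed for illustration, and because the README does not say where dumps are written, the file paths are passed as arguments.

```python
import hashlib
import struct
import sys

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR (COR20) header


def classify_dump(data: bytes) -> str:
    """Classify a dumped buffer as 'managed-pe', 'native-pe' or 'not-pe'."""
    try:
        if data[:2] != b"MZ":
            return "not-pe"
        (pe,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return "not-pe"
        (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
        opt = pe + 24                                          # optional header start
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
            return "not-pe"
        dirs = opt + (96 if magic == 0x10B else 112)           # data directory array
        (count,) = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
        entry = dirs + 8 * CLR_DIR
        if count <= CLR_DIR or entry + 8 > opt + opt_size:
            return "native-pe"                                 # no slot for a CLR header
        rva, size = struct.unpack_from("<II", data, entry)
    except struct.error:                                       # header cut short
        return "not-pe"
    return "managed-pe" if rva and size else "native-pe"


def sample_pe(managed: bool) -> bytes:
    """Constructed header-only PE32 image for the demo, not a real dump."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                    # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 20, 224)                # 96 + 16 directories * 8
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)                  # NumberOfRvaAndSizes
    if managed:                                                # made-up RVA and size
        struct.pack_into("<II", buf, opt + 96 + 8 * CLR_DIR, 0x2008, 0x48)
    return bytes(buf)


if __name__ == "__main__":
    for path in sys.argv[1:]:          # dump file paths (location is an assumption)
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, classify_dump(blob), hashlib.sha256(blob).hexdigest())
```

Script dumps (VBScript, JScript, PowerShell) are text, so they classify as `not-pe`; the SHA-256 printed per file gives a stable identifier for each dumped stage.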