
CLR Loader implementation made in Rust


Rust CLR Loader

This is a native Rust implementation of the CLR hosting interfaces. Only the ICLRMetaHost, ICLRRuntimeInfo and ICLRRuntimeHost interfaces and the CLRCreateInstance function are imported.

This is Offensive Rust material: it can be used to inject managed code into an unmanaged process.

From "Injecting .NET Assembly to an Unmanaged Process":

At a high level, it works as follows:

  • CLRCreateInstance is used to retrieve an interface ICLRMetaHost
  • ICLRMetaHost->GetRuntime is used to retrieve ICLRRuntimeInfo interface for a specified CLR version
  • ICLRRuntimeInfo->GetInterface is used to load the CLR into the current process and retrieve an interface ICLRRuntimeHost
  • ICLRRuntimeHost->Start is used to initialize the CLR into the current process

At this point, managed shellcode can be injected into the CLR-loaded process and executed.
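The sequence above leaves the CLR loaded in a process that would not normally host it, and defenders can see that as an image load of the runtime DLL. The following is an added example, not code from this repository: it scans image-load records (such as the fields of a Sysmon Event ID 7 entry) for clr.dll or mscorwks.dll loaded by a process outside an allowlist. The record struct, the allowlist and the sample events are assumptions constructed for illustration.

```rust
use std::collections::BTreeMap;

/// One image-load record, e.g. the fields of a Sysmon Event ID 7 entry.
pub struct ImageLoad<'a> {
    pub pid: u32,
    pub process: &'a str, // full path of the process image
    pub module: &'a str,  // full path of the loaded DLL
}

// Runtime DLLs mapped once the CLR is loaded (.NET Framework 4.x and 2.0/3.5).
const CLR_RUNTIME: [&str; 2] = ["clr.dll", "mscorwks.dll"];

// Assumption: processes expected to host the CLR in this environment; tune per fleet.
const EXPECTED_HOSTS: [&str; 2] = ["powershell.exe", "msbuild.exe"];

/// Lower-cased file name of a Windows or POSIX style path.
fn base_name(path: &str) -> String {
    path.rsplit(|c: char| c == '\\' || c == '/').next().unwrap_or(path).to_ascii_lowercase()
}

/// Returns (pid, process name) for each process outside the allowlist that loaded the CLR.
pub fn unexpected_clr_hosts(events: &[ImageLoad<'_>]) -> Vec<(u32, String)> {
    let mut hits = BTreeMap::new(); // keyed by pid: one hit per process, sorted output
    for e in events {
        let (module, process) = (base_name(e.module), base_name(e.process));
        if CLR_RUNTIME.contains(&module.as_str()) && !EXPECTED_HOSTS.contains(&process.as_str()) {
            hits.entry(e.pid).or_insert(process);
        }
    }
    hits.into_iter().collect()
}

/// Constructed sample events; the PIDs and process choices are illustrative.
pub fn sample_events() -> Vec<ImageLoad<'static>> {
    const CLR: &str = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll";
    vec![
        ImageLoad { pid: 4312, process: r"C:\Windows\System32\notepad.exe", module: r"C:\Windows\System32\mscoree.dll" },
        ImageLoad { pid: 4312, process: r"C:\Windows\System32\notepad.exe", module: CLR },
        ImageLoad { pid: 2200, process: r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", module: CLR },
        ImageLoad { pid: 3120, process: r"C:\Windows\System32\svchost.exe", module: r"C:\Windows\System32\kernel32.dll" },
    ]
}

fn main() {
    for (pid, process) in unexpected_clr_hosts(&sample_events()) {
        println!("unexpected CLR load: pid={pid} process={process}");
    }
}
```

A name-based allowlist is only a starting point: legitimately managed executables also load clr.dll, so hits should be triaged against the process's expected behaviour.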

Compiling

cargo build --release

Credits