[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78190":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":10,"pushedAt":10,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":15,"starSnapshotCount":15,"syncStatus":35,"lastSyncTime":36,"discoverSource":37},78190,"CLR-Stomp","nettitude\u002FCLR-Stomp","nettitude",".NET CLR-Stomping","",null,"C",143,21,25,0,8,94,4.03,false,"main",true,[23,24,25,26,27,28,29,30,31],"beacon","beacon-object-file","bof","cobalt-strike","execute-assembly","red-team","red-team-tools","redteam","redteaming","2026-06-12 02:03:46","# CLR-Stomp\n\nA Beacon Object File (BOF) that loads a .NET assembly into a Cobalt Strike or compatible beacon via CLR module stomping. The payload PE is written into a victim [GAC](https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fdotnet\u002Fframework\u002Fapp-domains\u002Fgac) assembly's file-backed mapping so that ETW reports a legitimate on-disk path.\n\n## Project lineage\n\nThis BOF is based on the ideas and scaffolding from [Being-A-Good-CLR-Host](https:\u002F\u002Fgithub.com\u002Fpassthehashbrowns\u002FBeing-A-Good-CLR-Host) and [InlineExecute-Assembly](https:\u002F\u002Fgithub.com\u002Fanthemtotheego\u002FInlineExecute-Assembly).\n\n`Being-A-Good-CLR-Host` provided the proof of concept for using `Load_2` together with a custom `IHostMemoryManager` to influence how assemblies are mapped. \n\n`InlineExecute-Assembly` provided the BOF-oriented execution model and the stdout capture pattern used to get managed output back to the operator.\n\nThis version expands on those pieces by letting the CLR map a real GAC assembly, overwrite that with the payload before metadata parsing, and keeps the resulting managed assembly tied to the victim's disk identity. \n\nThis is  not the first public mention of .NET assembly stomping as a tradecraft idea. Nighthawk C2's [0.2.1 \"Haunting Blue\"](https:\u002F\u002Fnighthawkc2.io\u002Fhaunting-blue\u002F) describe support for a similar .NET stomping feature.\n\nThis project is an independent BOF-focused implementation of that general idea.\n\n## How it works\n\nThe BOF lets the CLR resolve and map a real assembly from the GAC and then swaps the mapped image with the payload before the CLR has a chance to read the .NET metadata. The CLR records the victim assembly's real disk path first. Afterwards, when the file-backed image mapping exists but has not yet been parsed, the custom memory manager overwrites that mapping with the payload's PE headers and sections. From the CLR's point of view, the bind still belongs to the GAC assembly, but the executed code comes from the supplied payload.\n\n\n### Hosting the CLR\n\nThe BOF creates the CLR using `CLRCreateInstance` for an `ICLRMetaHost` and then obtains two host interfaces from the same runtime:\n\n- `ICLRRuntimeHost`, used before `Start()` so the BOF can call `SetHostControl()` and register its custom managers.\n- `ICorRuntimeHost`, used after startup to get the default `AppDomain`, load the assembly, and invoke its entry point through reflection.\n\n\nBefore the CLR starts, the BOF gives it a custom `IHostControl`. When the CLR asks that object for managers, it returns:\n\n- `IHostMemoryManager`, which lets the BOF see virtual memory activity made by the CLR. The `AcquiredVirtualAddressSpace` callback is where the mapped victim image is overwritten.\n\n\n### Environment variables\n\nTwo environment variables are set before the CLR is created:\n\n```c\nSetEnvironmentVariableA(\"COMPLUS_ZapDisable\", \"1\");\nSetEnvironmentVariableA(\"COMPLUS_AllowStrongNameBypass\", \"1\");\n```\n\n`COMPLUS_ZapDisable=1` keeps the CLR from using NGen native images. That matters because NGen loads do not go through the same host callbacks, so the stomp point may never be reached.\n\n`COMPLUS_AllowStrongNameBypass=1` avoids strong-name re-verification after the image has been replaced. The victim identity still belongs to the GAC assembly, but the mapped bytes no longer match that assembly's strong name.\n\n\n### Controlling the assembly bind\n\nThe BOF calls `Load_2` with the name of a legitimate .NET assembly that we provide via the CNA and is already present in the GAC.\n\nFor CLR v4 by default it will use:\n\n```text\nSystem.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorarchitecture=msil\n```\n\nFor CLR v2 by default it will use:\n\n```text\nSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\n```\n\nThe CLR performs a normal GAC lookup, opens the real DLL from disk, and maps it into memory as an executable image (SEC_IMAGE).\n\nOnce the image has been mapped into memory :\n\n1. AcquiredVirtualAddressSpace(base, size) is triggered\n2. BOF overwrites the mapped image with the payload. Sections are copied to their VirtualAddress and Memory protections are updated section-by-section\n3. CLR reads metadata from the overwritten image\n4. Load_2 returns the payload assembly\n\n\nThe CLR then continues normally believing it loaded the original GAC assembly although properties like CodeBase and Location still point to the legitimate GAC DLL path. \n\nBecause the assembly is loaded by strong-name identity rather than from a raw byte array, AMSI's managed assembly scan is never presented with the payload bytes. \n\nETW CLR loader events record the victim's GAC path as the module source, so telemetry sees a legitimate assembly load rather than an in-memory one.\n\n\n\nThen its a matter of invoking the assembly entry point via reflection with `Invoke_3`.\n\nFor capturing output, a redirect of stdout to a named pipe is happening.\n\n## Running\n\nLoad `clr-stomp.cna`.\n\n### Arguments\n\n| Argument | Required | Description |\n|----------|----------|-------------|\n| `--dotnetassembly \u003Cpath>` | Yes | Path to the .NET payload assembly (.exe) |\n| `--assemblyargs \"\u003Cargs>\"` | No | Arguments passed to the payload's `Main()`. Quote multi-word values. |\n| `--appdomain \u003Cname>` | No | AppDomain friendly name (default: `CLRStomp`) |\n| `--victim-full \"\u003Cidentity>\"` | No | Full GAC identity for the victim assembly. Defaults to `System.ServiceModel` (CLR v4) or `System.Drawing` (CLR v2) based on the payload's CLR version. |\n\nThe pipe name is generated randomly per invocation and does not need to be specified.\n\n### Examples\n\nBasic execution:\n```\nclr-stomp --dotnetassembly \u002Fopt\u002Ftools\u002FSeatbelt.exe\n```\n\nWith arguments:\n```\nclr-stomp --dotnetassembly \u002Fopt\u002Ftools\u002FSeatbelt.exe --assemblyargs \"OSInfo AntiVirus\"\n```\n\nCustom victim and AppDomain:\n```\nclr-stomp --dotnetassembly \u002Fopt\u002Ftools\u002FRubeus.exe --assemblyargs \"triage\" --appdomain MyDomain --victim-full \"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorarchitecture=msil\"\n```\n\n## Detection and IOCs\n\nA number of useful IOCs exist and are documented below:\n\n| IOC | Where | Notes |\n|-----|-------|-------|\n| `COMPLUS_ZapDisable=1` | Process environment | Set before CLR initialization to force the MSIL load path. |\n| `COMPLUS_AllowStrongNameBypass=1` | Process environment | Set before CLR initialization to avoid strong-name re-verification after stomping. |\n| `Local\\CLRBofState_v6_\u003Cpid>` | Named file mapping | Persists CLR host state across BOF invocations in the same process. PID suffix isolates each process's state. |\n| `\\\\.\\pipe\\clr????????` | Named pipe pattern | The CNA generates pipe names with `clr` plus 8 lowercase alphanumeric characters.  |\n| `CLRStomp_clr????????` | AppDomain name | Built as `\u003CappDomainName>_\u003CpipeName>` at runtime. Default base is `CLRStomp`; pipe suffix matches the pipe name IOC above. |\n| `System.Drawing, Version=2.0.0.0, ...` \u002F `System.ServiceModel, Version=4.0.0.0, ...` | Victim identity | Default full identity chosen from the payload CLR version. |\n| `[*] Initialising CLR` \u002F `[+] Load_2 succeeded (stomped)` \u002F `[*] Resolving entry point` \u002F `[*] Invoking entry point` | Beacon output | Distinctive status strings emitted by the BOF. |\n| `PE-mapped payload into victim` \u002F `Stomp did not fire` | BOF output \u002F memory strings | Useful strings for memory or console telemetry when available. |\n\n\nHowever, the strongest detections should correlate behavior instead of relying on a single string.\n\n- Native or normally unmanaged processes loading `mscoree.dll`, `clr.dll`, or `mscorwks.dll`\n- A GAC assembly load where the recorded module path is legitimate, but the in-memory image no longer matches the backing file on disk. \n\n\n## AI Usage\n\nThis research and development effort was conducted collaboratively between a human and AI-assisted tooling, using the AI models GPT-5.5 and Claude Sonnet 4.6.\n\nThe AI models were used to assist with code generation and  reverse engineering support. \n\nHowever, all research direction, validation, debugging, testing, security analysis, and final technical decisions were performed by a human ([Imdefinelyhuman](https:\u002F\u002Fwww.imdefinitelyhuman.com\u002F)).\n\nAll generated content, code, and analysis were reviewed, validated, modified, and integrated manually as part of an iterative human-guided workflow.\n\nThe above statement is a fancy way of also saying that the code has bugs and use it at your own risk!\n\n## References & Credits\n\n\n* [passthehashbrowns\u002FBeing-A-Good-CLR-Host](https:\u002F\u002Fgithub.com\u002Fpassthehashbrowns\u002FBeing-A-Good-CLR-Host)\n* [anthemtotheego\u002FInlineExecute-Assembly](https:\u002F\u002Fgithub.com\u002Fanthemtotheego\u002FInlineExecute-Assembly)\n* [etormadiv\u002FHostingCLR](https:\u002F\u002Fgithub.com\u002Fetormadiv\u002FHostingCLR)\n* [ldematte\u002FHostedPumpkin](https:\u002F\u002Fgithub.com\u002Fldematte\u002FHostedPumpkin) \n* [TheWover\u002Fdonut](https:\u002F\u002Fgithub.com\u002FTheWover\u002Fdonut) \n* [TrustedSec\u002FCOFFLoader](https:\u002F\u002Fgithub.com\u002Ftrustedsec\u002FCOFFLoader)\n* [Dealing with Failure - SpecterOps](https:\u002F\u002Fposts.specterops.io\u002Fdealing-with-failure-failure-escalation-policy-in-clr-hosts-54ca8b728faa)\n\n\nLefteris (Lefty) Panos @ LRQA Red Team 2026","CLR-Stomp 是一个用于将 .NET 程序集加载到 Cobalt Strike 或兼容信标中的 Beacon Object File (BOF) 项目。其核心功能是通过 CLR 模块替换技术，将载荷 PE 文件写入受害者的全局程序集缓存 (GAC) 组件的文件映射中，使得事件跟踪 (ETW) 报告合法的磁盘路径。该项目基于 `Being-A-Good-CLR-Host` 和 `InlineExecute-Assembly` 的理念和技术框架，允许在元数据解析前覆盖 GAC 组件，并保持管理程序集与受害者磁盘身份的关联。适合于红队测试场景，特别是需要绕过安全检测并执行恶意代码的情况。",2,"2026-06-11 03:56:33","CREATED_QUERY"]