Skip to content

almounah/go-buena-clr

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits
examples
examples
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
appdomain.go
appdomain.go
 
 
assembly.go
assembly.go
 
 
go-buena-clr.png
go-buena-clr.png
 
 
go-clr.go
go-clr.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
goodclr.go
goodclr.go
 
 
guids.go
guids.go
 
 
hresult.go
hresult.go
 
 
iclrassemblyidentitymanager.go
iclrassemblyidentitymanager.go
 
 
iclrassemblyreferencelist.go
iclrassemblyreferencelist.go
 
 
iclrmetahost.go
iclrmetahost.go
 
 
iclrruntimehost.go
iclrruntimehost.go
 
 
iclrruntimeinfo.go
iclrruntimeinfo.go
 
 
icorruntimehost.go
icorruntimehost.go
 
 
ienumunknown.go
ienumunknown.go
 
 
ierrorinfo.go
ierrorinfo.go
 
 
ihostassemblymanager.go
ihostassemblymanager.go
 
 
ihostassemblystore.go
ihostassemblystore.go
 
 
ihostcontrol.go
ihostcontrol.go
 
 
ihostmalloc.go
ihostmalloc.go
 
 
ihostmemorymanager.go
ihostmemorymanager.go
 
 
io.go
io.go
 
 
istream.go
istream.go
 
 
isupporterrorinfo.go
isupporterrorinfo.go
 
 
iunknown.go
iunknown.go
 
 
mem.go
mem.go
 
 
methodinfo.go
methodinfo.go
 
 
propertyinfo.go
propertyinfo.go
 
 
safearray.go
safearray.go
 
 
systemtype.go
systemtype.go
 
 
targetassembly.go
targetassembly.go
 
 
utils.go
utils.go
 
 
variant.go
variant.go
 
 

Repository files navigation

go-buena-clr

go-buena-clr

go-buena-clr CLR is the implementation in Go of Being a Good CLR Host by Joshua Magri from IBM X-Force Red.

It is built upon the go-clr project of Ne0nd0g, who in turn forked and maintained the original poc of go-clr by ropnop.

The purpose is to create our own IHostControl interface allowing us to implement the ProvideAssembly method. We can then use Load_2 method instead of Load_3, circumventing AMSI entirely.

Usage

Just import the package and use it !

import (
	clr "github.com/almounah/go-buena-clr"
)

//go:embed Rubeus.exe
var testNet []byte

func main() {
    params := []string{"triage"}

    // Load the Good CLR and get the identity string from the .Net
	pRuntimeHost, identityString, _ := clr.LoadGoodClr("v4.0.30319", testNet)

    // Load the Assembly via its identityString
	assembly := clr.Load2Assembly(pRuntimeHost, identityString)

    // Invoke the Assembly
	pMethodInfo, _ := assembly.GetEntryPoint()
	clr.InvokeAssembly(pMethodInfo, params)
}

Examples - Buena Village

Buena Village is a small POC project that showcase go-buena-clr in action. You can check examples/BuenaVillage/ for a README and the complete code.

Basically you do:

cd examples/BuenaVillage
go mod tidy
go run helper/helper.go -file=/home/kali/Desktop/Rubeus.exe && GOOS=windows GOARCH=amd64 go build

You will get a buenavillage.exe that you can use like Rubeus.exe whith native AMSI bypass without memory patching:

.\buenavillage.exe triage
.\buenavillage.exe -help

Motivation of Buena CLR

Basically we all noticed that a while ago, defender introduced behavioral rules to prevent AMSI memory patching.

Thanks to IBM X-Force Red, we got a patchless AMSI bypass that does not rely on the CPU like for Hardware Break Point !!

Contributions

All contributions are welcome :)

Side Story: Why the name go-buena-clr

In Mushoku Tensei buena village is the village where Rudeus Greyrat spent his childhood. As the name suggest, buena (good in spanish) village, was a good place for Rudeus to restart his life.

I named this project go-buena-clr as it is a good and warm CLR host for Rubeus.exe without AMSI, much like buena village was a good and warm place for Rudeus.

License

To continue ropnop legacy this project is still licensed under the Do What the Fuck You Want to Public License.

About

Good CLR Host with Native patchless AMSI Bypass

Topics

go clr redteam amsi amsi-bypass

Resources

Readme

License

WTFPL license
Activity

Stars

81 stars

Watchers

1 watching

Forks

9 forks
Report repository

Releases 1

Release v0.1.0 Latest
Apr 18, 2025

Packages

No packages published

Languages

  • Go 100.0%