RustPatchlessCLRLoader: .NET assembly loader with patchless AMSI and ETW bypass
RustPatchlessCLRLoader
RustPatchlessCLRLoader combines patchless bypasses of Event Tracing for Windows (ETW) and the Windows Antimalware Scan Interface (AMSI), applied across all threads, with dynamic loading of .NET assemblies through the clroxide Rust library. The result is a loader that executes managed code stealthily, without modifying system artifacts or triggering those security mechanisms.
Background
Using hardware breakpoints for a patchless bypass offers several advantages in security assessments. The approach avoids well-known APIs such as VirtualProtect, which advanced security products scrutinize closely, and so lowers the likelihood of detection. It also requires no direct modification of files, and such alterations are typically flagged by file integrity monitoring systems or Endpoint Detection and Response (EDR) products. Hardware breakpoints therefore allow a more covert operation and improve the stealth of the engagement.
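From the detection side, the same property that makes this technique quiet (no VirtualProtect call, no patched bytes) leaves a different artifact: the thread's debug registers. The following is an added example, not code from the RustPatchlessCLRLoader project: it decodes DR7 from a constructed thread-context dump and flags execute breakpoints whose DR0-DR3 address falls on an AMSI or ETW entry point. The module addresses and the watch-list symbol names are assumptions for the sample.

```python
# Added detection example (not part of RustPatchlessCLRLoader): decode x64 debug
# registers from a constructed thread-context dump and flag execute breakpoints
# placed on AMSI/ETW entry points, the hook points a patchless bypass relies on.

# Assumed watch-list of export ranges [start, end); addresses are made-up sample values.
WATCHLIST = {
    "amsi.dll!AmsiScanBuffer": (0x7FFB1A2B3000, 0x7FFB1A2B3200),
    "ntdll.dll!EtwEventWrite": (0x7FFB1C0D4000, 0x7FFB1C0D4100),
}

def decode_dr7(dr7):
    """Return per-slot info for DR0..DR3 from DR7 (Intel SDM bit layout)."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Lx enable bit
        glob = (dr7 >> (2 * i + 1)) & 1       # Gx enable bit
        rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/Wx: 00 = execute, 01 = write, 11 = read/write
        ln = (dr7 >> (18 + 4 * i)) & 0b11     # LENx: must be 00 for execute breakpoints
        slots.append({"enabled": bool(local or glob), "rw": rw, "len": ln})
    return slots

def watched_symbol(addr):
    """Map a breakpoint address to a watch-listed export, or None."""
    for name, (lo, hi) in WATCHLIST.items():
        if lo <= addr < hi:
            return name
    return None

def find_suspicious_breakpoints(threads):
    """threads: list of dicts with tid, dr0..dr3, dr7. Returns (tid, slot, symbol) hits."""
    hits = []
    for t in threads:
        for i, slot in enumerate(decode_dr7(t["dr7"])):
            if not slot["enabled"] or slot["rw"] != 0:   # only armed execute breakpoints
                continue
            sym = watched_symbol(t[f"dr{i}"])
            if sym:
                hits.append((t["tid"], i, sym))
    return hits

# Constructed sample: thread 4120 has DR0 on AmsiScanBuffer and DR1 on EtwEventWrite
# (DR7 = 0x5 arms L0 and L1 as execute breakpoints); thread 4124 has an unrelated
# breakpoint (e.g. a developer's debugger); thread 4128 has none.
SAMPLE_THREADS = [
    {"tid": 4120, "dr0": 0x7FFB1A2B3000, "dr1": 0x7FFB1C0D4000, "dr2": 0, "dr3": 0, "dr7": 0x5},
    {"tid": 4124, "dr0": 0x7FF6AAAA1000, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0x1},
    {"tid": 4128, "dr0": 0, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0x0},
]

if __name__ == "__main__":
    for hit in find_suspicious_breakpoints(SAMPLE_THREADS):
        print("thread %d DR%d -> %s" % hit)
```

In a live check the same logic would be fed by GetThreadContext with CONTEXT_DEBUG_REGISTERS for each thread, and the watch-list would come from the loaded modules' export tables.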
Payload Encryption
AV/EDR Testing Result on x64 Windows 10/11
RustPatchlessCLRLoader has been tested against various antivirus products; for example, it loaded the “Seatbelt” assembly without triggering any detection. Note that although the loader bypasses AMSI and ETW without detection, overtly malicious activity, such as using SharpKatz for password dumping, may still trigger behavioral detection mechanisms.