• Stars
    star
    210
  • Rank 187,585 (Top 4 %)
  • Language
    Go
  • License
    Do What The F*ck ...
  • Created over 4 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A PoC package for hosting the CLR and executing .NET from Go

go-clr

GoDoc

This is my PoC code for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory.

It's written in pure Go by just wrapping the needed syscalls and making use of a lot of unsafe.Pointers to load structs from memory.

For more info and references, see this blog post.

This was was a fun project and proof of concept, but the code is definitely not "production ready". It makes heavy use of unsafe and it's probably very unstable. I don't plan on supporting it much moving forward, but I wanted to share the code and knowledge to enable others to either contribute, or fork and make their own awesome tools.

Installation and Usage

go-clr is intended to be used as a package in other scripts. Install it with:

go get github.com/ropnop/go-clr

Take a look at the examples folder for some examples on how to leverage it. The package exposes all the structs and methods necessary to customize, but it also includes two "magic" functions to execute .NET from Go: ExecuteDLLFromDisk and ExecuteByteArray. Here's a quick example of using both:

package main

import (
	clr "github.com/ropnop/go-clr"
	"log"
	"fmt"
	"io/ioutil"
	"runtime"
)

func main() {
	fmt.Println("[+] Loading DLL from Disk")
	ret, err := clr.ExecuteDLLFromDisk(
		"TestDLL.dll",
		"TestDLL.HelloWorld",
		"SayHello",
		"foobar")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("[+] DLL Return Code: %d\n", ret)

	
	fmt.Println("[+] Executing EXE from memory")
	exebytes, err := ioutil.ReadFile("helloworld.exe")
	if err != nil {
		log.Fatal(err)
	}
	runtime.KeepAlive(exebytes)

	ret2, err := clr.ExecuteByteArray(exebytes)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("[+] EXE Return Code: %d\n", ret2)
}

The other 2 examples show the same technique but without the magic functions.

License

This project is licensed under the Do What the Fuck You Want to Public License. I deliberately chose this "joke" license because I really don't think anyone should be using this for anything serious, and I know some organizations forbid this license from being used in products (which is a good thing).