// the find
byt3bl33d3r/OffensiveDLR
Toolbox containing research notes & PoC code for weaponizing .NET's DLR
A research toolkit from 2018-2022 exploring how .NET's Dynamic Language Runtime can host embedded compilers (IronPython, Boolang, ClearScript, NeoLua) inside PowerShell or C# to execute arbitrary code without touching disk or invoking csc.exe. Aimed squarely at red teamers who want AMSI bypass and ScriptBlock Logging evasion through DLR indirection. This is offensive security tooling, not defensive.
The core insight is genuinely clever: embedding a full language runtime (IronPython, Boo) as a resource means your payload never hits the filesystem and ScriptBlock Logging only sees the loader, not the actual malicious code. The AppDomain.AssemblyResolve hook pattern in SharpSnek and runBooAssemblyResolve solves a real pain point — getting DLR dependencies to load without dropping files. Covers multiple DLR engines in one place, which makes it useful as a survey of the technique space rather than a single-trick tool. The conference talks from Derbycon 2018 are well-documented and explain the why, not just the how.
Abandoned in January 2022 — IronPython 2.7.9 is bundled, which is ancient (IronPython 3.4 exists), and the AMSI bypass angle has been heavily studied and partially countered since these techniques were novel. The Kukulkan C2 is a stripped-down toy: no documentation on operational setup, the PayloadServer is minimal Python with no auth hardening, and it targets .NET Framework, not .NET 5+. Anyone adopting this today would be starting from research notes, not a working tool — a lot of the opsec claims ('bypasses AMSI') need independent validation against current Windows Defender behavior.