finds.dev← search

// the find

byt3bl33d3r/OffensiveDLR

★ 528 · PowerShell · BSD-3-Clause · updated Jan 2022

Toolbox containing research notes & PoC code for weaponizing .NET's DLR

A research toolkit from 2018-2022 exploring how .NET's Dynamic Language Runtime can host embedded compilers (IronPython, Boolang, ClearScript, NeoLua) inside PowerShell or C# to execute arbitrary code without touching disk or invoking csc.exe. Aimed squarely at red teamers who want AMSI bypass and ScriptBlock Logging evasion through DLR indirection. This is offensive security tooling, not defensive.

The core insight is genuinely clever: embedding a full language runtime (IronPython, Boo) as a resource means your payload never hits the filesystem and ScriptBlock Logging only sees the loader, not the actual malicious code. The AppDomain.AssemblyResolve hook pattern in SharpSnek and runBooAssemblyResolve solves a real pain point — getting DLR dependencies to load without dropping files. Covers multiple DLR engines in one place, which makes it useful as a survey of the technique space rather than a single-trick tool. The conference talks from Derbycon 2018 are well-documented and explain the why, not just the how.

Abandoned in January 2022 — IronPython 2.7.9 is bundled, which is ancient (IronPython 3.4 exists), and the AMSI bypass angle has been heavily studied and partially countered since these techniques were novel. The Kukulkan C2 is a stripped-down toy: no documentation on operational setup, the PayloadServer is minimal Python with no auth hardening, and it targets .NET Framework, not .NET 5+. Anyone adopting this today would be starting from research notes, not a working tool — a lot of the opsec claims ('bypasses AMSI') need independent validation against current Windows Defender behavior.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →