← maldev README · docs/index
In-process loaders that execute foreign code (BOFs, .NET assemblies)
without spawning child processes. The implant becomes its own
post-exploitation runtime — useful when child-process creation is
heavily monitored.
Package Tech page Detection One-liner
runtime/bofbof-loader.md quiet Beacon Object File / COFF loader for in-memory x64 object-file execution runtime/clrclr.md moderate In-process .NET CLR hosting via ICLRMetaHost / ICorRuntimeHost
You want to… Use
…run a small custom C-compiled gadget without dropping an EXE runtime/bof…run a .NET assembly (Mimikatz, Seatbelt, SharpHound) in-process runtime/clr…drop a managed assembly to disk and run it not this area — see Donut via pe/srdi
T-ID Name Packages D3FEND counter
T1059 Command and Scripting Interpreter runtime/bof (in-process gadget runtime)D3-PSA T1620 Reflective Code Loading runtime/clrD3-PMA, D3-PSA