research poc
CLR-Unhook Tool Restores Original nLoadImage to Bypass EDR .NET Assembly ScanningCLR-Unhook
A new proof-of-concept tool named CLR-Unhook removes security product hooks from the nLoadImage function in clr.dll, restoring the original CLR behavior. This allows in-memory .NET assembly loads via Assembly.Load(byte[]) to execute without EDR inspection or scanning, bypassing products like CrowdStrike, Bitdefender, and SentinelOne.