Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within “C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0” or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Paths:

C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe

Detection:

coregen.exe loading .dll file not in “C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0“ coregen.exe loading .dll file not named coreclr.dll coregen.exe command line containing -L or -l coregen.exe command line containing unexpected/invald assembly name coregen.exe application crash by invalid assembly name

Execute

Loads the target .DLL in arbitrary path specified with /L.

coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name

Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).

coregen.exe dummy_assembly_name

AWL bypass

Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.

coregen.exe /L C:\folder\evil.dll dummy_assembly_name