One Day Sec

How does Donut load a .NET assembly from memory without relying on traditional DLL loading?

Donut uses the `ICLRMetaHost::GetRuntime` and `ICorRuntimeHost` interfaces to host the CLR in-process and load the assembly directly from memory. It calls `Load_3(...)` with the raw byte array of the .NET assembly, so no DLL ever needs to exist on the file system. It also attempts to disable AMSI and WLDP to avoid detection. This approach avoids writing to disk and uses manually declared interface definitions instead of importing `mscorlib.tlb`. For more on CLR injection, see Analysis of Exploitation Techniques for Loading .NET Assemblies from Memory.
CLR, ICLRMetaHost, ICorRuntimeHost, Load_3, AMSI bypass, WLDP bypass, memory-only .NET loader