How does the Boolang-based shellcode execution technique work in practice?

The technique uses a C# or PowerShell wrapper that loads the Boolang compiler DLLs via reflection. The Boolang script contains shellcode and injection functions (e.g., QueueUserAPC, CreateThread). At runtime, the wrapper compiles the script in memory and invokes the injection method, such as injecting into explorer.exe. This approach avoids dropping executables and can be launched from a single PowerShell script, as shown in the BooLang exploit analysis.