How does the CLR hosting API enable loading .NET assemblies from memory?

The CLR (Common Language Runtime) hosting API provides unmanaged interfaces like `ICorRuntimeHost` and `ICLRRuntimeHost` that allow native code to load and execute .NET assemblies within a process. By calling `CLRCreateInstance`, `GetRuntime`, and `GetInterface`, an attacker can start the CLR, then use `ExecuteInDefaultAppDomain` to run an assembly's static method directly from a byte array in memory. This technique is fundamental to in-memory attacks like those described in Implementation of In-Memory Loading for Seatbelt.