I mentioned above that trying to encrypt CLR memory allocations goes from “kind of unstable” to “very unstable”, depending on how exactly you do it. This is because if you encrypt or free a piece of memory that the CLR tries to reference later, the CLR will throw an error and crash your process. However, there is one exception to this that I have found: Allocations made during initial assembly loads.

When you load an assembly, whether that is in memory or from disk, the CLR will allocate space and map the assembly into memory. As far as I am aware, there was no good publicly known way to identify this memory region and wipe it, aside from searching process memory for byte patterns or allocations of the expected size. CLR customizations provide an easy mechanism to keep track of these allocations in the form of the AcquiredVirtualAddressSpace method. This method is a notification callback that gets triggered whenever the CLR loads an assembly into the process, and the callback includes the address and size of the allocation as arguments. From my testing, this callback is only triggered when an assembly is loaded into the process, which provides us with a good way to keep track of assembly load allocations. For robustness, you can check the size or parse memory to ensure that it’s the assembly you are expecting. Below is an example of implementing this method. Since it is just a notification callback, you can do whatever you would like and then simply return S_OK..