{"id":13539778,"url":"https://github.com/thewover/donut","last_synced_at":"2025-05-13T15:10:37.188Z","repository":{"id":37734197,"uuid":"178089499","full_name":"TheWover/donut","owner":"TheWover","description":"Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters","archived":false,"fork":false,"pushed_at":"2024-10-23T12:19:13.000Z","size":10224,"stargazers_count":3882,"open_issues_count":32,"forks_count":667,"subscribers_count":79,"default_branch":"master","last_synced_at":"2025-04-22T15:50:22.309Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheWover.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-27T23:24:44.000Z","updated_at":"2025-04-21T17:31:50.000Z","dependencies_parsed_at":"2024-01-12T03:36:26.486Z","dependency_job_id":"2356a96b-6020-485e-82e0-7afc6990f84e","html_url":"https://github.com/TheWover/donut","commit_stats":{"total_commits":453,"total_committers":23,"mean_commits":"19.695652173913043","dds":"0.36423841059602646","last_synced_commit":"61af8ccee3c2cafa743b2628654d1a2dafc66f3a"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheWover%2Fdonut","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheWover%2Fdonut/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/TheWover%2Fdonut/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheWover%2Fdonut/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheWover","download_url":"https://codeload.github.com/TheWover/donut/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253969248,"owners_count":21992263,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:31.829Z","updated_at":"2025-05-13T15:10:32.176Z","avatar_url":"https://github.com/TheWover.png","language":"C","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003e工具","\u003ca id=\"620af0d32e6ac1f4a3e97385d4d3efc0\"\u003e\u003c/a\u003ePE"],"sub_categories":["\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026远控\u0026\u0026RAT","\u003ca id=\"ad92f6b801a18934f1971e2512f5ae4f\"\u003e\u003c/a\u003ePayload生成","\u003ca 
id=\"574db8bbaafbee72eeb30e28e2799458\"\u003e\u003c/a\u003e工具"],"readme":"[![Issues](https://img.shields.io/github/issues/thewover/donut)](https://github.com/TheWover/donut/issues)\n[![Contributors](https://img.shields.io/github/contributors/thewover/donut)](https://github.com/TheWover/donut/graphs/contributors)\n[![Stars](https://img.shields.io/github/stars/thewover/donut)](https://github.com/TheWover/donut/stargazers)\n[![Forks](https://img.shields.io/github/forks/thewover/donut)](https://github.com/TheWover/donut/network/members)\n[![License](https://img.shields.io/github/license/thewover/donut)](https://github.com/TheWover/donut/blob/master/LICENSE)\n[![Chat](https://img.shields.io/badge/chat-%23donut-orange)](https://bloodhoundgang.herokuapp.com/)\n[![Github All Releases](https://img.shields.io/github/downloads/thewover/donut/total.svg)](http://www.somsubhra.com/github-release-stats/?username=thewover\u0026repository=donut) \n[![Twitter URL](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https://github.com/TheWover/donut\u0026text=%23Donut+An+open-source+shellcode+generator+that+supports+in%2Dmemory+execution+of+VBS%2FJS%2FEXE%2FDLL+files:+https://github.com/TheWover/donut)\n\n![Alt text](https://github.com/TheWover/donut/blob/master/img/donut_logo_white.jpg?raw=true \"Donut Logo\")\n\n\u003cp\u003eCurrent version: \u003ca href=\"https://github.com/TheWover/donut/releases\"\u003ev1.1\u003c/a\u003e\u003c/p\u003e\n\n\u003ch2\u003eTable of contents\u003c/h2\u003e\n\n\u003col\u003e\n  \u003cli\u003e\u003ca href=\"#intro\"\u003eIntroduction\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"#how\"\u003eHow It Works\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"#build\"\u003eBuilding\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca 
href=\"#subproj\"\u003eSubprojects\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"#dev\"\u003eDeveloping with Donut\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"#qad\"\u003eQuestions and Discussions\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"#disclaimer\"\u003eDisclaimer\u003c/a\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\n\u003ch2 id=\"intro\"\u003e1. Introduction\u003c/h2\u003e\n\n\u003cp\u003e\u003cstrong\u003eDonut\u003c/strong\u003e is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. A module created by Donut can either be staged from a HTTP server or embedded directly in the loader itself. The module is optionally encrypted using the \u003ca href=\"https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/\"\u003eChaskey\u003c/a\u003e block cipher and a 128-bit randomly generated key. After the file is loaded and executed in memory, the original reference is erased to deter memory scanners. 
The generator and loader support the following features:\u003c/p\u003e\n\n\u003cul\u003e\n  \u003cli\u003eCompression of input files with aPLib and LZNT1, Xpress, Xpress Huffman via RtlCompressBuffer.\u003c/li\u003e \n  \u003cli\u003eUsing entropy for API hashes and generation of strings.\u003c/li\u003e \n  \u003cli\u003e128-bit symmetric encryption of files.\u003c/li\u003e\n  \u003cli\u003eOverwriting native PE headers.\u003c/li\u003e\n  \u003cli\u003eStoring native PEs in MEM_IMAGE memory.\u003c/li\u003e\n  \u003cli\u003ePatching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).\u003c/li\u003e\n  \u003cli\u003ePatching Event Tracing for Windows (ETW).\u003c/li\u003e\n  \u003cli\u003ePatching command line for EXE files.\u003c/li\u003e\n  \u003cli\u003ePatching exit-related API to avoid termination of host process.\u003c/li\u003e\n  \u003cli\u003eMultiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal, and UUID string.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cp\u003eThere are dynamic and static libraries for both Linux and Windows that can be integrated into your own projects. There's also a python module which you can read more about in \u003ca href=\"https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md\"\u003eBuilding and using the Python extension.\u003c/a\u003e\u003c/p\u003e\n\n\u003ch2 id=\"how\"\u003e2. How It Works\u003c/h2\u003e\n\n\u003cp\u003eDonut contains individual loaders for each supported file type. For dotNET EXE/DLL assemblies, Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. Once the CLR is loaded into the host process, a new Application Domain is created to allow for running Assemblies in disposable AppDomains. When the AppDomain is ready, the dotNET Assembly is loaded via the AppDomain.Load_3 method. Finally, the Entry Point for EXEs or public method for DLLs specified by the user is invoked with any additional parameters. 
Refer to MSDN for documentation on the \u003ca href=\"https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces\"\u003eUnmanaged CLR Hosting API.\u003c/a\u003e For a standalone example of a CLR Host, refer to \u003ca href=\"https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp\"\u003ecode here.\u003c/a\u003e\u003c/p\u003e\n\n\u003cp\u003eVBScript and JScript files are executed using the IActiveScript interface. There's also minimal support for some of the methods provided by the Windows Script Host (wscript/cscript). For a standalone example, refer to \u003ca href=\"https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063\"\u003ecode here.\u003c/a\u003e For a more detailed description, read \u003ca href=\"https://modexp.wordpress.com/2019/07/21/inmem-exec-script/\"\u003eIn-Memory Execution of JavaScript, VBScript, JScript and XSL\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eUnmanaged or native EXE/DLL files are executed using a custom PE loader with support for Delayed Imports, TLS and patching the command line. Only files with relocation information are supported. Read \u003ca href=\"https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/\"\u003eIn-Memory Execution of DLL\u003c/a\u003e for more information.\u003c/p\u003e\n\n\u003cp\u003eThe loader can disable AMSI and WLDP to help evade detection of malicious files executed in-memory. For more information, read \u003ca href=\"https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/\"\u003eHow Red Teams Bypass AMSI and WLDP for .NET Dynamic Code\u003c/a\u003e. It also supports decompression of files in memory using aPLib or the RtlDecompressBuffer API. Read \u003ca href=\"https://modexp.wordpress.com/2019/12/08/shellcode-compression/\"\u003eData Compression\u003c/a\u003e for more information.\u003c/p\u003e\n\n\u003cp\u003eAs of v1.0, ETW is also bypassed. 
Like with AMSI/WLDP, this is a modular system that allows you to swap out the default bypass for your own. The default bypass is derived from research by XPN. Read \u003ca href=\"https://blog.xpnsec.com/hiding-your-dotnet-etw/\"\u003eHiding your .NET - ETW\u003c/a\u003e for more information.\u003c/p\u003e\n\n\u003cp\u003eBy default, the loader will overwrite the PE headers of unmanaged PEs (from the base address to `IMAGE_OPTIONAL_HEADER.SizeOfHeaders`). If no decoy module is used (module overloading), then the PE headers will be zeroed. If a decoy module is used, the PE headers of the decoy module will be used to overwrite those of the payload module. This is to deter detection by comparing the PE headers of modules in memory with the file backing them on disk. The user may request that all PE headers be preserved in their original state. This is helpful for scenarios when the payload module needs to access its PE headers, such as when looking up embedded PE resources.\u003c/p\u003e\n\n\u003cp\u003eFor a detailed walkthrough using the generator and how Donut affects tradecraft, read \u003ca href=\"https://thewover.github.io/Introducing-Donut/\"\u003eDonut - Injecting .NET Assemblies as Shellcode\u003c/a\u003e. For more information about the loader, read \u003ca href=\"https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/\"\u003eLoading .NET Assemblies From Memory\u003c/a\u003e.\u003c/p\u003e\n\n\u003cp\u003eThose who wish to know more about the internals should refer to \u003ca href=\"https://github.com/TheWover/donut/blob/master/docs/devnotes.md\"\u003eDeveloper notes.\u003c/a\u003e\u003c/p\u003e\n\n\u003ch2 id=\"build\"\u003e3. Building\u003c/h2\u003e\n\n\u003cp\u003eThere are two types of build. If you want to debug Donut, please refer to \u003ca href=\"https://github.com/TheWover/donut/blob/master/docs/devnotes.md\"\u003edocumentation here\u003c/a\u003e. 
If not, continue reading for the release build.\u003c/p\u003e\n\n\u003ch3\u003e\u003cstrong\u003eClone\u003c/strong\u003e\u003c/h3\u003e\n\n\u003cp\u003eFrom a Windows command prompt or Linux terminal, clone the repository.\u003c/p\u003e\n\n\u003cpre\u003e\n  git clone http://github.com/thewover/donut.git\n\u003c/pre\u003e\n\n\u003cp\u003eThe next step depends on your operating system and what compiler you decide to use. Currently, the generator and loader template for Donut can be compiled successfully with both Microsoft Visual Studio 2019 and MinGW-64. To use the libraries in your own C/C++ project, please refer to the \u003ca href=\"https://github.com/TheWover/donut/tree/master/examples\"\u003eexamples provided here.\u003c/a\u003e\u003c/p\u003e\n\n\u003ch4\u003e\u003cstrong\u003eWindows\u003c/strong\u003e\u003c/h4\u003e\n\n\u003cp\u003eTo generate the loader template, the dynamic library donut.dll, the static library donut.lib and the generator donut.exe, start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:\u003c/p\u003e\n\n\u003cpre\u003e\n  nmake -f Makefile.msvc\n\u003c/pre\u003e\n\n\u003cp\u003eTo do the same using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:\u003c/p\u003e\n\n\u003cpre\u003e\n  make -f Makefile.mingw\n\u003c/pre\u003e\n\n\u003ch4\u003e\u003cstrong\u003eLinux\u003c/strong\u003e\u003c/h4\u003e\n\n\u003cp\u003eTo generate the dynamic library donut.so, the static library donut.a and the generator donut, change to the directory where you cloned the Donut repository and simply type make.\u003c/p\u003e\n\n\u003ch3\u003ePython Module\u003c/h3\u003e\n\n\u003cp\u003eDonut can be installed and used as a Python module. Installing from source requires pip for Python3. 
First, ensure older versions of donut-shellcode are not installed by issuing the following command in a Linux terminal or a Microsoft Visual Studio command prompt.\u003c/p\u003e\n\n\u003cpre\u003e\n  pip3 uninstall donut-shellcode\n\u003c/pre\u003e\n\n\u003cp\u003eAfter you confirm older versions are no longer installed, issue the following command.\u003c/p\u003e\n\n\u003cpre\u003e\n  pip3 install .\n\u003c/pre\u003e\n\n\u003cp\u003eYou may also install Donut as a Python module by grabbing it from the PyPI repository.\u003c/p\u003e\n\n\u003cpre\u003e\n  pip3 install donut-shellcode\n\u003c/pre\u003e\n\n\u003cp\u003eFor more information, please refer to \u003ca href=\"https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md\"\u003eBuilding and using the Python extension.\u003c/a\u003e\u003c/p\u003e\n\n\u003ch3\u003eDocker\u003c/h3\u003e\n\n\u003cp\u003eBuilding the Docker container:\u003c/p\u003e\n\n\u003cpre\u003e\n  docker build -t donut .\n\u003c/pre\u003e\n\n\u003cp\u003eRunning donut:\u003c/p\u003e\n\n\u003cpre\u003e\n  docker run -it --rm -v \"${PWD}:/workdir\" donut -h\n\u003c/pre\u003e\n\n\u003ch3\u003eSupport Tools\u003c/h3\u003e\n\n\u003cp\u003eDonut includes several other executables that may be built separately. These include \"hash.exe\", \"encrypt.exe\", \"inject.exe\", and \"inject_local.exe\". The first two are used in shellcode generation. The latter two are provided to assist with testing donut shellcode. \"inject.exe\" will inject a raw binary file (loader.bin) into a process by its PID or process name. \"inject_local.exe\" will inject a raw binary file into its own process.\u003c/p\u003e\n\n\u003cp\u003eTo build these support executables separately you may use the MSVC makefile. 
For example, to build \"inject_local.exe\" to test your donut shellcode, you may run.\u003c/p\u003e\n\n\u003cpre\u003e\n  nmake inject_local -f Makefile.msvc\n\u003c/pre\u003e\n\n\u003ch3\u003eReleases\u003c/h3\u003e\n\n\u003cp\u003eTags have been provided for each release version of Donut that contain the compiled executables.\u003c/p\u003e\n\n\u003cul\u003e\n  \u003cli\u003e\u003ca href=\"https://github.com/TheWover/donut/releases/tag/v0.9.3\"\u003ev0.9.3, TBD\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"https://github.com/TheWover/donut/releases/tag/v0.9.2\"\u003ev0.9.2, Bear Claw\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"https://github.com/TheWover/donut/releases/tag/v0.9.1\"\u003ev0.9.1, Apple Fritter\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"https://github.com/TheWover/donut/releases/tag/v0.9\"\u003ev0.9.0, Initial Release\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cp\u003eCurrently, there are two other generators available.\u003c/p\u003e\n\n\u003cul\u003e\n  \u003cli\u003e\u003ca href=\"https://github.com/n1xbyte/donutCS\"\u003eC# generator by n1xbyte\u003c/a\u003e\u003c/li\u003e\n  \u003cli\u003e\u003ca href=\"https://github.com/Binject/go-donut\"\u003eGo generator by awgh\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch2 id=\"usage\"\u003e4. 
Usage\u003c/h2\u003e\n\n\u003cp\u003eThe following table lists switches supported by the command line version of the generator.\u003c/p\u003e\n\n\u003ctable border=\"1\"\u003e\n  \u003ctr\u003e\n    \u003cth\u003eSwitch\u003c/th\u003e\n    \u003cth\u003eArgument\u003c/th\u003e\n    \u003cth\u003eDescription\u003c/th\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-a\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003earch\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eTarget architecture for loader : 1=x86, 2=amd64, 3=x86+amd64(default).\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-b\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003elevel\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eBehavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-k\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eheaders\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003ePreserve PE headers. 1=Overwrite (default), 2=Keep all\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-j\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003edecoy\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eOptional path of decoy module for Module Overloading.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-c\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eclass\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eOptional class name. 
(required for .NET DLL) Can also include namespace: e.g \u003cem\u003enamespace.class\u003c/em\u003e\u003c/td\u003e\n  \u003c/tr\u003e  \n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-d\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003ename\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eAppDomain name to create for .NET. If entropy is enabled, one will be generated randomly.\u003c/td\u003e\n  \u003c/tr\u003e  \n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003elevel\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eEntropy level. 1=None, 2=Generate random names, 3=Generate random names + use symmetric encryption (default)\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-f\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eformat\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eThe output format of loader saved to file. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-m\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003ename\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eOptional method or function for DLL. (a method is required for .NET DLL)\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-n\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003ename\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eModule name for HTTP staging. If entropy is enabled, one is generated randomly.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-o\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003epath\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eSpecifies where Donut should save the loader. 
Default is \"loader.bin\" in the current directory.\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-p\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eparameters\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eOptional parameters/command line inside quotations for DLL method/function or EXE.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-r\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eversion\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eCLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-s\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eserver\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eURL for the HTTP server that will host a Donut module. Credentials may be provided in the following format: \u003cpre\u003ehttps://username:password@192.168.0.1/\u003c/pre\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-t\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003eRun the entrypoint of an unmanaged/native EXE as a thread and wait for thread to end.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-w\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003c/td\u003e\n    \u003ctd\u003eCommand line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-x\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eoption\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eDetermines how the loader should exit. 
1=exit thread (default), 2=exit process, 3=Do not exit or cleanup and block indefinitely\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-y\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eaddr\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eCreates a new thread for the loader and continues execution at an address that is an offset relative to the host process's executable. The value provided is the offset. This option supports loaders that wish to resume execution of the host process after donut completes execution.\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-z\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eengine\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003ePack/Compress the input file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Currently, the last three are only supported on Windows.\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\u003ch3 id=\"requirements\"\u003ePayload Requirements\u003c/h3\u003e\n\n\u003cp\u003eThere are some specific requirements that your payload must meet in order for Donut to successfully load it.\u003c/p\u003e\n\n\u003ch3 id=\"requirements-dotnet\"\u003e.NET Assemblies\u003c/h3\u003e\n\n\u003cul\u003e\n  \u003cli\u003eThe entry point method must only take strings as arguments, or take no arguments.\u003c/li\u003e\n  \u003cli\u003eThe entry point method must be marked as public and static.\u003c/li\u003e\n  \u003cli\u003eThe class containing the entry point method must be marked as public.\u003c/li\u003e\n  \u003cli\u003eThe Assembly must NOT be a Mixed Assembly (contain both managed and native code).\u003c/li\u003e\n  \u003cli\u003eAs such, the Assembly must NOT contain any Unmanaged Exports.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch3 id=\"requirements-native\"\u003eNative EXE/DLL\u003c/h3\u003e\n\n\u003cul\u003e\n  \u003cli\u003eBinaries built with Cygwin are 
unsupported.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cp\u003eCygwin executables use initialization routines that expect the host process to be running from disk. If executing from memory, the host process will likely crash.\u003c/p\u003e\n\n\u003ch3 id=\"requirements-dotnet\"\u003eUnmanaged DLLs\u003c/h3\u003e\n\n\u003cul\u003e\n  \u003cli\u003eA user-specified entry point method must only take a string as an argument, or take no arguments. We have provided an \u003ca href=\"https://github.com/TheWover/donut/blob/master/DonutTest/dlltest.c/\"\u003eexample\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch2 id=\"subproj\"\u003e5. Subprojects\u003c/h2\u003e\n\n\u003cp\u003eThere are four companion projects provided with donut:\u003c/p\u003e\n\n\u003ctable border=\"1\"\u003e\n  \u003ctr\u003e\n    \u003cth\u003eTool\u003c/th\u003e\n    \u003cth\u003eDescription\u003c/th\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eDemoCreateProcess\u003c/td\u003e\n    \u003ctd\u003eA sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eDonutTest\u003c/td\u003e\n    \u003ctd\u003eA simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eModuleMonitor\u003c/td\u003e\n    \u003ctd\u003eA proof-of-concept tool that detects CLR injection as it is done by tools such as Donut and Cobalt Strike's execute-assembly.\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd\u003eProcessManager\u003c/td\u003e\n    \u003ctd\u003eA Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. 
\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\u003ch2 id=\"dev\"\u003e6. Developing with Donut\u003c/h2\u003e\n\n\u003cp\u003eYou may want to add support for more types of payloads, change our feature set, or integrate Donut into your existing tooling. We have provided \u003ca href=\"https://github.com/TheWover/donut/blob/master/docs/devnotes.md\"\u003edeveloper documentation\u003c/a\u003e. Additional features are left as exercises to the reader. Our suggestions:\u003c/p\u003e\n\n\u003cul\u003e\n  \u003cli\u003eAdd environmental keying.\u003c/li\u003e\n  \u003cli\u003eMake Donut polymorphic by obfuscating the loader every time shellcode is generated.\u003c/li\u003e\n  \u003cli\u003eIntegrate Donut as a module into your favorite RAT/C2 Framework.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003ch2 id=\"qad\"\u003e7. Questions and Discussion\u003c/h2\u003e\n\n\u003cp\u003eIf you have any questions or comments about Donut, join the #Donut channel in the \u003ca href=\"https://bloodhoundgang.herokuapp.com/\"\u003eBloodHound Gang Slack\u003c/a\u003e.\u003c/p\u003e\n\n\u003ch2 id=\"disclaimer\"\u003e8. Disclaimer\u003c/h2\u003e\n\n\u003cp\u003eWe are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection and in-memory loading through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. 
To avoid being offended, please do not ask.\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthewover%2Fdonut","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthewover%2Fdonut","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthewover%2Fdonut/lists"}