| Keyword | Type | Description |
|---|---|---|
| file | String | The path of the file to execute in memory. VBS/JS/EXE/DLL files are supported. |
| arch | Integer | Indicates the type of assembly code to generate. 1=DONUT_ARCH_X86 and 2=DONUT_ARCH_X64 are self-explanatory. 3=DONUT_ARCH_X84 indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point. |
| bypass | Integer | Specifies the behaviour of the code responsible for bypassing AMSI and WLDP. The current options are 1=DONUT_BYPASS_NONE, which indicates that no attempt is made to disable AMSI or WLDP; 2=DONUT_BYPASS_ABORT, which indicates that failure to disable them should abort execution of the module; and 3=DONUT_BYPASS_CONTINUE, which indicates that the shellcode continues execution even if the AMSI/WLDP bypasses fail. |
| compress | Integer | Indicates whether the input file should be compressed. Available engines are 1=DONUT_COMPRESS_NONE and 2=DONUT_COMPRESS_APLIB, which uses the aPLib algorithm. For builds on Windows, the RtlCompressBuffer API is available and supports 3=DONUT_COMPRESS_LZNT1, 4=DONUT_COMPRESS_XPRESS and 5=DONUT_COMPRESS_XPRESS_HUFF. |
| entropy | Integer | Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are 1=DONUT_ENTROPY_NONE, 2=DONUT_ENTROPY_RANDOM, which generates random strings, and 3=DONUT_ENTROPY_DEFAULT, which combines DONUT_ENTROPY_RANDOM with symmetric encryption. |
| format | Integer | Specifies the output format for the shellcode loader. Supported formats are 1=DONUT_FORMAT_BINARY, 2=DONUT_FORMAT_BASE64, 3=DONUT_FORMAT_RUBY, 4=DONUT_FORMAT_C, 5=DONUT_FORMAT_PYTHON, 6=DONUT_FORMAT_POWERSHELL, 7=DONUT_FORMAT_CSHARP and 8=DONUT_FORMAT_HEX. On Windows, the base64 string is copied to the clipboard. |
| exit_opt | Integer | By default, RtlExitUserThread is called when the shellcode ends. Use 2=DONUT_OPT_EXIT_PROCESS to terminate the host process via the RtlExitUserProcess API. Use 3=DONUT_OPT_EXIT_BLOCK to neither exit nor clean up and instead block indefinitely. |
| thread | Integer | If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related APIs stored in the Import Address Table by replacing those pointers with the address of the RtlExitUserThread API. However, hooking via the IAT is generally unreliable and Donut may use code splicing/hooking in the future. |
| oep | String | Tells the loader to create a new thread before continuing execution at the OEP provided by the user. The address should be in hexadecimal format. |
| output | String | The path where the shellcode/loader is saved. Default is "loader.bin". |
| runtime | String | The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading it from the PE's COM directory. If that fails, v4.0.30319 is used by default. |
| appdomain | String | The AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA". |
| cls | String | The class name containing the method to invoke. A namespace is optional, e.g. namespace.class. |
| method | String | The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL. |
| params | String | List of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA". |
| unicode | Integer | By default, the params string is passed to an unmanaged DLL function as-is, in ANSI format. If set, params is converted to UNICODE. |
| url or server | String | If the instance type is DONUT_INSTANCE_HTTP, this should contain the server and path where the module will be stored, e.g. https://www.staging-server.com/modules/ |
| modname | String | If the type is DONUT_INSTANCE_HTTP, this will contain the name of the module file under which the module's contents are saved on disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA". |

## Author

The Python extension was written by [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)

--------------------------------------------------------------------------------
/donutmodule.c:
--------------------------------------------------------------------------------
/**
BSD 3-Clause License

Copyright (c) 2019, TheWover, Odzhan. All rights reserved.

Python C Extension by @byt3bl33d3r

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

/* PY_SSIZE_T_CLEAN must be defined before Python.h is included so that the
   '#' format units in PyArg_Parse* take Py_ssize_t lengths. */
#define PY_SSIZE_T_CLEAN
#include <Python.h>