Donut – Generates Shellcode from .NET Assemblies

Donut is position-independent code (shellcode) that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. A module created by Donut can either be staged from an HTTP server or embedded directly in the loader itself. The module is optionally encrypted using the Chaskey block cipher and a randomly generated 128-bit key. After the file is loaded and executed in memory, the original reference is erased to deter memory scanners.


Donut contains an individual loader for each supported file type. For dotNET EXE/DLL assemblies, Donut uses the unmanaged CLR Hosting API to load the Common Language Runtime into the host process. Once the CLR is loaded, a new Application Domain is created so that assemblies run in a disposable AppDomain that can be unloaded afterwards. When the AppDomain is ready, the dotNET assembly is loaded from memory via the AppDomain.Load_3 method (the COM-visible Load overload that takes the raw assembly bytes). Finally, the entry point for EXEs, or the public method of a DLL specified by the user, is invoked with any additional parameters.

The generator and loader support the following features:

  • Compression of input files with aPLib, or with LZNT1, Xpress and Xpress Huffman via RtlCompressBuffer.
  • Using entropy for API hashes and generation of strings.
  • 128-bit symmetric encryption of files.
  • Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  • Patching command line for EXE files.
  • Patching exit-related API to avoid termination of host process.
  • Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.

There are dynamic and static libraries for both Linux and Windows that can be integrated into your own projects.
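To make the encryption step concrete (the Chaskey encryption mentioned in the introduction and the "128-bit symmetric encryption" feature listed above), here is a standalone C implementation of the Chaskey block cipher driven in counter mode to encrypt and decrypt a module buffer. This is an added example written for this article, not Donut's own source: the round function follows the Chaskey paper (Mouha et al.), while the 16-round count, the counter-mode construction, the big-endian counter increment, and the sample key, IV and payload are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK_LEN 16   /* Chaskey block size: 128 bits            */
#define KEY_LEN 16   /* Chaskey key size: 128 bits              */
#define ROUNDS  16   /* round count: an assumption for this example */

#define ROTR32(v, n) (((v) >> (n)) | ((v) << (32 - (n))))

/* Little-endian word load/store so results do not depend on host byte order. */
static uint32_t ld32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void st32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Chaskey block cipher: XOR the key in, apply ROUNDS rounds of the Chaskey
   permutation, XOR the key out. Encrypts one 16-byte block in place. */
void chaskey_encrypt_block(const uint8_t key[KEY_LEN], uint8_t block[BLK_LEN]) {
    uint32_t k[4], v[4];
    int i;
    for (i = 0; i < 4; i++) {
        k[i] = ld32(key + 4 * i);
        v[i] = ld32(block + 4 * i) ^ k[i];
    }
    for (i = 0; i < ROUNDS; i++) {
        v[0] += v[1]; v[1] = ROTR32(v[1], 27) ^ v[0];   /* rotl 5  */
        v[2] += v[3]; v[3] = ROTR32(v[3], 24) ^ v[2];   /* rotl 8  */
        v[2] += v[1]; v[0] = ROTR32(v[0], 16) + v[3];   /* rotl 16 */
        v[3] = ROTR32(v[3], 19) ^ v[0];                 /* rotl 13 */
        v[1] = ROTR32(v[1], 25) ^ v[2];                 /* rotl 7  */
        v[2] = ROTR32(v[2], 16);                        /* rotl 16 */
    }
    for (i = 0; i < 4; i++) st32(block + 4 * i, v[i] ^ k[i]);
}

/* Counter mode: keystream block = E_key(counter block), XORed over the data.
   CTR only ever runs the cipher forward, so the same call decrypts.
   The 16-byte counter block is incremented as a big-endian integer (assumption). */
void chaskey_ctr_crypt(const uint8_t key[KEY_LEN], const uint8_t iv[BLK_LEN],
                       uint8_t *data, size_t len) {
    uint8_t ctr[BLK_LEN], ks[BLK_LEN];
    memcpy(ctr, iv, BLK_LEN);
    while (len > 0) {
        size_t n = len < BLK_LEN ? len : BLK_LEN, i;
        memcpy(ks, ctr, BLK_LEN);
        chaskey_encrypt_block(key, ks);
        for (i = 0; i < n; i++) data[i] ^= ks[i];   /* partial last block is fine */
        data += n; len -= n;
        for (i = BLK_LEN; i > 0; i--)               /* increment counter with carry */
            if (++ctr[i - 1] != 0) break;
    }
}

/* Constructed sample inputs: a fixed key, a fixed IV and a fake "module" payload
   whose length (34 bytes) is deliberately not a multiple of the block size. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
static const uint8_t SAMPLE_IV[BLK_LEN] = {
    0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87,0x78,0x69,0x5a,0x4b,0x3c,0x2d,0x1e,0x0f };
static const char SAMPLE_MODULE[] = "MZ-constructed sample module bytes";

/* Encrypts the sample with enc_key, then decrypts with dec_key. Returns 1 when
   the ciphertext differed from the plaintext AND decryption restored the
   original bytes, 0 otherwise. */
int chaskey_ctr_roundtrip(const uint8_t enc_key[KEY_LEN], const uint8_t dec_key[KEY_LEN]) {
    uint8_t buf[sizeof SAMPLE_MODULE - 1];
    size_t len = sizeof buf;
    memcpy(buf, SAMPLE_MODULE, len);
    chaskey_ctr_crypt(enc_key, SAMPLE_IV, buf, len);
    if (memcmp(buf, SAMPLE_MODULE, len) == 0) return 0;   /* nothing was encrypted */
    chaskey_ctr_crypt(dec_key, SAMPLE_IV, buf, len);
    return memcmp(buf, SAMPLE_MODULE, len) == 0;
}

/* Returns 1 if decrypting with a key that differs in a single bit fails to
   recover the plaintext, i.e. the key actually matters. */
int chaskey_ctr_wrong_key_fails(void) {
    uint8_t wrong_key[KEY_LEN];
    memcpy(wrong_key, SAMPLE_KEY, KEY_LEN);
    wrong_key[0] ^= 0x01;
    return chaskey_ctr_roundtrip(SAMPLE_KEY, wrong_key) == 0;
}

int main(void) {
    uint8_t buf[sizeof SAMPLE_MODULE - 1];
    size_t i, len = sizeof buf;
    memcpy(buf, SAMPLE_MODULE, len);
    chaskey_ctr_crypt(SAMPLE_KEY, SAMPLE_IV, buf, len);
    printf("ciphertext: ");
    for (i = 0; i < len; i++) printf("%02x", buf[i]);
    printf("\nround trip with correct key: %s\n", chaskey_ctr_roundtrip(SAMPLE_KEY, SAMPLE_KEY) ? "ok" : "FAILED");
    printf("wrong key rejected:          %s\n", chaskey_ctr_wrong_key_fails() ? "yes" : "no");
    return 0;
}
```

Two points worth noting for anyone reusing this: counter mode turns the block cipher into a stream cipher, so the (key, IV) pair must never be reused across two modules or the keystreams cancel out under XOR; and the mode provides confidentiality only, so a loader that needs to detect a tampered module must add a separate integrity check.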

You can read more and download this tool over here:
