Documentation
Index ¶
- Constants
- Variables
- func AESEncryptCBC(key, iv, data []byte) ([]byte, error)
- func APIHash(dll, function string, iv uint64) uint64
- func BytesToUint32s(inbytes []byte) []uint32
- func Chaskey(masterKey []byte, data []byte) []byte
- func CompressAPLib(src []byte) []byte
- func CompressData(data []byte, engine int) ([]byte, error)
- func ConvertArch(arch DonutArch) int
- func Create(config *DonutConfig) ([]byte, error)
- func CreateFromBytes(data []byte, opts ...Option) ([]byte, error)
- func CreateFromFile(path string, opts ...Option) ([]byte, error)
- func CreateFromReader(r io.Reader, opts ...Option) ([]byte, error)
- func DecompressAPLib(src []byte) ([]byte, error)
- func DecompressData(data []byte, engine int, originalSize int) ([]byte, error)
- func DetectFileType(data []byte) (int, error)
- func DonutCreate(config *DonutConfig) error
- func DonutDelete(config *DonutConfig)
- func DonutError(code int) string
- func DownloadFile(url string) (*bytes.Buffer, error)
- func Encrypt(mk []byte, ctr []byte, data []byte) []byte
- func EncryptCTR(key, ctr, data []byte) []byte
- func FormatOutput(shellcode []byte, format int) ([]byte, error)
- func GenerateRandomBytes(count int) ([]byte, error)
- func GetFormatExtension(format int) string
- func GetLoaderForArch(arch, modType int) ([]byte, error)
- func HasExportedFunction(data []byte, funcName string) bool
- func Maru(input []byte, iv uint64) uint64
- func MaruStr(s string, iv uint64) uint64
- func PackUint32(v uint32) []byte
- func PackUint64(v uint64) []byte
- func PadBytes(data []byte, alignment int) []byte
- func ROTR32(v uint32, n uint) uint32
- func ROTR64(v uint64, n uint) uint64
- func RandomBytes(n int) ([]byte, error)
- func RandomString(length int) string
- func ReadPEFromReader(r io.Reader) ([]byte, error)
- func Sandwich(arch int, loader, instanceData []byte) []byte
- func SaveToFile(shellcode []byte, path string, format int) error
- func SetInstanceGUIDs(inst *DonutInstance)
- func SetScriptGUID(inst *DonutInstance, moduleType int)
- func ShellcodeFromBytes(buf *bytes.Buffer, config *DonutConfig) (*bytes.Buffer, error)
- func ShellcodeFromFile(inputFile string, config *DonutConfig) (*bytes.Buffer, error)
- func ShellcodeFromURL(fileURL string, config *DonutConfig) (*bytes.Buffer, error)
- func Speck(mk []byte, p uint64) uint64
- func ToUnicode(s string) []byte
- type DonutArch
- type DonutConfig
- type DonutCrypt
- type DonutInstance
- type DonutModule
- type FileInfo
- type GUID
- type ImageCor20Header
- type InstanceType
- type MDStorageSignature
- type ModuleType
- type Option
- func ArchX64() Option
- func ArchX86() Option
- func ExitBlock() Option
- func ExitProcess() Option
- func ExitThread() Option
- func NoBypass() Option
- func NoEncryption() Option
- func WithArch(arch DonutArch) Option
- func WithArgs(args string) Option
- func WithAuth(user, pass string) Option
- func WithBypass(bypass int) Option
- func WithClass(class string) Option
- func WithCompression(compress uint32) Option
- func WithDecoy(path string) Option
- func WithDomain(domain string) Option
- func WithEntropy(entropy int) Option
- func WithExitOption(exit int) Option
- func WithFormat(format uint32) Option
- func WithHeaders(keep bool) Option
- func WithMethod(method string) Option
- func WithOEP(oep uint32) Option
- func WithParameters(params string) Option
- func WithRuntime(runtime string) Option
- func WithServer(server string) Option
- func WithThread(thread bool) Option
- func WithUnicode(unicode bool) Option
- type PEInfo
Constants ¶
// Maru hash constants (lengths in bytes; Maru returns a uint64, i.e. MARU_HASH_LEN = 8).
const (
	MARU_BLK_LEN  = 16 // block length
	MARU_HASH_LEN = 8  // hash output length
	MARU_IV_LEN   = 8  // IV length (the uint64 iv passed to Maru/MaruStr)
	MARU_MAX_STR  = 64 // upper bound on string input length — confirm how MaruStr enforces it
	SPECK_ROUNDS  = 27 // number of Speck rounds (see Speck)
)
Maru hash constants
// PE constants.
const (
	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14 // data-directory index of the CLR (COM descriptor) header
	IMAGE_COR20_HEADER_SIZE              = 72 // size of ImageCor20Header in bytes
)
PE constants
// Donut key/block lengths in bytes; these size the fields of DonutCrypt.
const (
	DONUT_KEY_LEN = 16
	DONUT_BLK_LEN = 16
)
Donut key/block lengths
// Target architecture (internal DONUT_ARCH_* values; DonutConfig.Arch uses the
// DonutArch wrapper and ConvertArch/ToInternal map it to these).
const (
	DONUT_ARCH_ANY = -1 // for vbs and js files
	DONUT_ARCH_X86 = 1  // x86
	DONUT_ARCH_X64 = 2  // AMD64
	DONUT_ARCH_X84 = 3  // x86 + AMD64 (dual-mode; see GetLoaderForArch and Sandwich)
)
Target architecture
// Module type: what the loader is asked to run. DONUT_MODULE_XSL (7) is
// declared separately.
const (
	DONUT_MODULE_NET_DLL = 1 // .NET DLL. Requires class and method
	DONUT_MODULE_NET_EXE = 2 // .NET EXE. Executes Main if no class and method provided
	DONUT_MODULE_DLL     = 3 // Unmanaged DLL, function is optional
	DONUT_MODULE_EXE     = 4 // Unmanaged EXE
	DONUT_MODULE_VBS     = 5 // VBScript
	DONUT_MODULE_JS      = 6 // JavaScript or JScript
)
Module type
// Output format type (see FormatOutput, SaveToFile and GetFormatExtension).
const (
	DONUT_FORMAT_BINARY     = 1
	DONUT_FORMAT_BASE64     = 2
	DONUT_FORMAT_C          = 3
	DONUT_FORMAT_RUBY       = 4
	DONUT_FORMAT_PYTHON     = 5
	DONUT_FORMAT_POWERSHELL = 6
	DONUT_FORMAT_CSHARP     = 7
	DONUT_FORMAT_HEX        = 8
	DONUT_FORMAT_UUID       = 9
)
Output format type
// Compression engine (DonutConfig.Compress / DonutModule.Compress).
const (
	DONUT_COMPRESS_NONE   = 1
	DONUT_COMPRESS_APLIB  = 2 // aPLib, handled by CompressAPLib/DecompressAPLib
	DONUT_COMPRESS_LZNT1  = 3 // COMPRESSION_FORMAT_LZNT1
	DONUT_COMPRESS_XPRESS = 4 // COMPRESSION_FORMAT_XPRESS
)
Compression engine
// Entropy level. Only DONUT_ENTROPY_DEFAULT applies symmetric encryption, and the
// key travels inside the generated blob (DonutInstance.Key precedes the encrypted
// region), so this hides the payload from static scanning rather than providing
// confidentiality against anyone who holds the output.
const (
	DONUT_ENTROPY_NONE    = 1 // don't use any entropy
	DONUT_ENTROPY_RANDOM  = 2 // use random names
	DONUT_ENTROPY_DEFAULT = 3 // use random names + symmetric encryption
)
Entropy level
// Exit options (DonutConfig.ExitOpt / DonutInstance.ExitOpt).
const (
	DONUT_OPT_EXIT_THREAD  = 1 // return to caller which calls RtlExitUserThread
	DONUT_OPT_EXIT_PROCESS = 2 // call RtlExitUserProcess to terminate host process
	DONUT_OPT_EXIT_BLOCK   = 3 // do not exit or cleanup, block indefinitely
)
Exit options
// Instance type: where the loader obtains the module. Note that only EMBED and
// HTTP have Sliver-compatible InstanceType aliases.
const (
	DONUT_INSTANCE_EMBED = 1 // Module is embedded
	DONUT_INSTANCE_HTTP  = 2 // Module is downloaded from remote HTTP/HTTPS server
	DONUT_INSTANCE_DNS   = 3 // Module is downloaded from remote DNS server
)
Instance type
// AMSI/WLDP/ETW bypass level (DonutConfig.Bypass / DonutInstance.Bypass).
const (
	DONUT_BYPASS_NONE     = 1 // Disables bypassing AMSI/WLDP/ETW
	DONUT_BYPASS_ABORT    = 2 // If bypassing fails, the loader stops running
	DONUT_BYPASS_CONTINUE = 3 // If bypassing fails, the loader continues running
)
AMSI/WLDP/ETW bypass level
// Preserve PE headers options (DonutConfig.Headers / DonutInstance.Headers).
const (
	DONUT_HEADERS_OVERWRITE = 1 // Overwrite PE headers
	DONUT_HEADERS_KEEP      = 2 // Preserve PE headers
)
Preserve PE headers options
// Size limits for the fixed-width fields of DonutInstance and DonutModule.
const (
	DONUT_MAX_NAME    = 256 // maximum length of string for domain, class, method and parameter names
	DONUT_MAX_DLL     = 8   // maximum number of DLL supported by instance
	DONUT_MAX_MODNAME = 8
	DONUT_SIG_LEN     = 8   // 64-bit string to verify decryption ok (DonutModule.Sig)
	DONUT_VER_LEN     = 32
	DONUT_DOMAIN_LEN  = 8
	DONUT_IV_LEN      = 8
	DONUT_MAX_PATH    = 260 // DonutInstance.Decoy is sized DONUT_MAX_PATH * 2
)
Size limits
// .NET runtime versions accepted for DonutConfig.Runtime / WithRuntime.
const (
	DONUT_RUNTIME_NET2 = "v2.0.50727"
	DONUT_RUNTIME_NET4 = "v4.0.30319"
)
.NET runtime versions
// DLL names used by loader.
const (
	NTDLL_DLL    = "ntdll.dll"
	KERNEL32_DLL = "kernel32.dll"
	ADVAPI32_DLL = "advapi32.dll"
	CRYPT32_DLL  = "crypt32.dll"
	MSCOREE_DLL  = "mscoree.dll"
	OLE32_DLL    = "ole32.dll"
	OLEAUT32_DLL = "oleaut32.dll"
	WININET_DLL  = "wininet.dll"
	COMBASE_DLL  = "combase.dll"
	USER32_DLL   = "user32.dll"
	SHLWAPI_DLL  = "shlwapi.dll"
	SHELL32_DLL  = "shell32.dll"
)
DLL names used by loader
// Error codes; DonutError maps a code to a human-readable message.
const (
	DONUT_ERROR_SUCCESS           = 0
	DONUT_ERROR_FILE_NOT_FOUND    = 1
	DONUT_ERROR_FILE_EMPTY        = 2
	DONUT_ERROR_FILE_ACCESS       = 3
	DONUT_ERROR_FILE_INVALID      = 4
	DONUT_ERROR_NET_PARAMS        = 5
	DONUT_ERROR_NO_MEMORY         = 6
	DONUT_ERROR_INVALID_ARCH      = 7
	DONUT_ERROR_INVALID_URL       = 8
	DONUT_ERROR_URL_LENGTH        = 9
	DONUT_ERROR_INVALID_PARAMETER = 10
	DONUT_ERROR_RANDOM            = 11
	DONUT_ERROR_DLL_FUNCTION      = 12
	DONUT_ERROR_ARCH_MISMATCH     = 13
	DONUT_ERROR_DLL_PARAM         = 14
	DONUT_ERROR_BYPASS_INVALID    = 15
	DONUT_ERROR_NORELOC           = 16
	DONUT_ERROR_INVALID_ENCODING  = 17
	DONUT_ERROR_INVALID_ENGINE    = 18
	DONUT_ERROR_COMPRESSION       = 19
	DONUT_ERROR_INVALID_ENTROPY   = 20
	DONUT_ERROR_MIXED_ASSEMBLY    = 21
	DONUT_ERROR_HEADERS_INVALID   = 22
	DONUT_ERROR_DECOY_INVALID     = 23
)
Error codes
// DONUT_MODULE_XSL - XSL with JavaScript/JScript or VBscript embedded.
// It has no counterpart in the ModuleType constant set.
const DONUT_MODULE_XSL = 7
DONUT_MODULE_XSL - XSL with JavaScript/JScript or VBscript embedded
Variables ¶
// CLSID_CLRMetaHost is the CLR MetaHost class ID {9280188D-0E8E-4867-B30C-7FA83884E8DE}.
var CLSID_CLRMetaHost = GUID{
	Data1: 0x9280188D,
	Data2: 0x0E8E,
	Data3: 0x4867,
	Data4: [8]byte{0xB3, 0x0C, 0x7F, 0xA8, 0x38, 0x84, 0xE8, 0xDE},
}
CLR MetaHost CLSID_CLRMetaHost {9280188D-0E8E-4867-B30C-7FA83884E8DE}
// CLSID_CorRuntimeHost is the CorRuntimeHost class ID {CB2F6723-AB3A-11D2-9C40-00C04FA30A3E}.
var CLSID_CorRuntimeHost = GUID{
	Data1: 0xCB2F6723,
	Data2: 0xAB3A,
	Data3: 0x11D2,
	Data4: [8]byte{0x9C, 0x40, 0x00, 0xC0, 0x4F, 0xA3, 0x0A, 0x3E},
}
CorRuntimeHost CLSID_CorRuntimeHost {CB2F6723-AB3A-11D2-9C40-00C04FA30A3E}
// CLSID_JScript is the JScript engine class ID {F414C260-6AC0-11CF-B6D1-00AA00BBBB58}.
var CLSID_JScript = GUID{
	Data1: 0xF414C260,
	Data2: 0x6AC0,
	Data3: 0x11CF,
	Data4: [8]byte{0xB6, 0xD1, 0x00, 0xAA, 0x00, 0xBB, 0xBB, 0x58},
}
CLSID_JScript {F414C260-6AC0-11CF-B6D1-00AA00BBBB58}
// CLSID_VBScript is the VBScript engine class ID {B54F3741-5B07-11CF-A4B0-00AA004A55E8}.
var CLSID_VBScript = GUID{
	Data1: 0xB54F3741,
	Data2: 0x5B07,
	Data3: 0x11CF,
	Data4: [8]byte{0xA4, 0xB0, 0x00, 0xAA, 0x00, 0x4A, 0x55, 0xE8},
}
VBScript/JScript GUIDs CLSID_VBScript {B54F3741-5B07-11CF-A4B0-00AA004A55E8}
// DefaultIV is the default initial value for the Maru hash.
// Read as little-endian bytes the constant spells "DONASREK".
var DefaultIV uint64 = 0x4B455253414E4F44 // "DONASREK" in little-endian
DefaultIV is the default initial value for Maru hash
// IID_AppDomain is the _AppDomain interface ID {05F696DC-2B29-3663-AD8B-C4389CF2A713}.
var IID_AppDomain = GUID{
	Data1: 0x05F696DC,
	Data2: 0x2B29,
	Data3: 0x3663,
	Data4: [8]byte{0xAD, 0x8B, 0xC4, 0x38, 0x9C, 0xF2, 0xA7, 0x13},
}
IID_AppDomain {05F696DC-2B29-3663-AD8B-C4389CF2A713}
// IID_IActiveScript is the IActiveScript interface ID {BB1A2AE1-A4F9-11CF-8F20-00805F2CD064}.
var IID_IActiveScript = GUID{
	Data1: 0xBB1A2AE1,
	Data2: 0xA4F9,
	Data3: 0x11CF,
	Data4: [8]byte{0x8F, 0x20, 0x00, 0x80, 0x5F, 0x2C, 0xD0, 0x64},
}
IID_IActiveScript {BB1A2AE1-A4F9-11CF-8F20-00805F2CD064}
// IID_IActiveScriptParse32 is the 32-bit IActiveScriptParse interface ID
// {BB1A2AE2-A4F9-11CF-8F20-00805F2CD064}.
var IID_IActiveScriptParse32 = GUID{
	Data1: 0xBB1A2AE2,
	Data2: 0xA4F9,
	Data3: 0x11CF,
	Data4: [8]byte{0x8F, 0x20, 0x00, 0x80, 0x5F, 0x2C, 0xD0, 0x64},
}
IID_IActiveScriptParse32 {BB1A2AE2-A4F9-11CF-8F20-00805F2CD064}
// IID_IActiveScriptParse64 is the 64-bit IActiveScriptParse interface ID
// {C7EF7658-E1EE-480E-97EA-D52CB4D76D17}.
var IID_IActiveScriptParse64 = GUID{
	Data1: 0xC7EF7658,
	Data2: 0xE1EE,
	Data3: 0x480E,
	Data4: [8]byte{0x97, 0xEA, 0xD5, 0x2C, 0xB4, 0xD7, 0x6D, 0x17},
}
IID_IActiveScriptParse64 {C7EF7658-E1EE-480E-97EA-D52CB4D76D17}
// IID_IActiveScriptSite is the IActiveScriptSite interface ID {DB01A1E3-A42B-11CF-8F20-00805F2CD064}.
var IID_IActiveScriptSite = GUID{
	Data1: 0xDB01A1E3,
	Data2: 0xA42B,
	Data3: 0x11CF,
	Data4: [8]byte{0x8F, 0x20, 0x00, 0x80, 0x5F, 0x2C, 0xD0, 0x64},
}
IID_IActiveScriptSite {DB01A1E3-A42B-11CF-8F20-00805F2CD064}
// IID_IActiveScriptSiteWindow is the IActiveScriptSiteWindow interface ID
// {D10F6761-83E9-11CF-8F20-00805F2CD064}.
var IID_IActiveScriptSiteWindow = GUID{
	Data1: 0xD10F6761,
	Data2: 0x83E9,
	Data3: 0x11CF,
	Data4: [8]byte{0x8F, 0x20, 0x00, 0x80, 0x5F, 0x2C, 0xD0, 0x64},
}
IID_IActiveScriptSiteWindow {D10F6761-83E9-11CF-8F20-00805F2CD064}
// IID_ICLRMetaHost is the ICLRMetaHost interface ID {D332DB9E-B9B3-4125-8207-A14884F53216}.
var IID_ICLRMetaHost = GUID{
	Data1: 0xD332DB9E,
	Data2: 0xB9B3,
	Data3: 0x4125,
	Data4: [8]byte{0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16},
}
IID_ICLRMetaHost {D332DB9E-B9B3-4125-8207-A14884F53216}
// IID_ICLRRuntimeInfo is the ICLRRuntimeInfo interface ID {BD39D1D2-BA2F-486A-89B0-B4B0CB466891}.
var IID_ICLRRuntimeInfo = GUID{
	Data1: 0xBD39D1D2,
	Data2: 0xBA2F,
	Data3: 0x486A,
	Data4: [8]byte{0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91},
}
IID_ICLRRuntimeInfo {BD39D1D2-BA2F-486A-89B0-B4B0CB466891}
// IID_ICorRuntimeHost is the ICorRuntimeHost interface ID {CB2F6722-AB3A-11D2-9C40-00C04FA30A3E}.
var IID_ICorRuntimeHost = GUID{
	Data1: 0xCB2F6722,
	Data2: 0xAB3A,
	Data3: 0x11D2,
	Data4: [8]byte{0x9C, 0x40, 0x00, 0xC0, 0x4F, 0xA3, 0x0A, 0x3E},
}
IID_ICorRuntimeHost {CB2F6722-AB3A-11D2-9C40-00C04FA30A3E}
// IID_IDispatch is the IDispatch interface ID {00020400-0000-0000-C000-000000000046}.
var IID_IDispatch = GUID{
	Data1: 0x00020400,
	Data2: 0x0000,
	Data3: 0x0000,
	Data4: [8]byte{0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46},
}
IID_IDispatch {00020400-0000-0000-C000-000000000046}
// IID_IHost is the IHost interface ID {91AFBD1B-5FEB-43F5-B028-E2CA960617EC}
// (used for the script host, see DonutInstance.XIID_IHost).
var IID_IHost = GUID{
	Data1: 0x91AFBD1B,
	Data2: 0x5FEB,
	Data3: 0x43F5,
	Data4: [8]byte{0xB0, 0x28, 0xE2, 0xCA, 0x96, 0x06, 0x17, 0xEC},
}
IID_IHost (IHost interface) {91afbd1b-5feb-43f5-b028-e2ca960617ec}
// IID_IUnknown is the IUnknown interface ID {00000000-0000-0000-C000-000000000046}.
var IID_IUnknown = GUID{
	Data1: 0x00000000,
	Data2: 0x0000,
	Data3: 0x0000,
	Data4: [8]byte{0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46},
}
IID_IUnknown {00000000-0000-0000-C000-000000000046}
// LOADER_EXE_X64 - stub for EXE PE files on x64 (13430 bytes; the byte
// contents are elided in this rendering). Selected by GetLoaderForArch.
var LOADER_EXE_X64 = []byte{}/* 13430 elements not displayed */
LOADER_EXE_X64 - stub for EXE PE files
// LOADER_EXE_X86 - stub for EXE PE files on x86 (11647 bytes; the byte
// contents are elided in this rendering). Selected by GetLoaderForArch.
var LOADER_EXE_X86 = []byte{}/* 11647 elements not displayed */
LOADER_EXE_X86 - stub for EXE PE files
Functions ¶
func AESEncryptCBC ¶
AESEncryptCBC encrypts data using AES-CBC with the supplied key and iv. The iv must be one AES block (16 bytes); CBC provides no integrity protection, so the output is not tamper-evident.
func APIHash ¶
APIHash computes the 64-bit API hash for the given DLL and function name. IMPORTANT: the result is hash(function) XOR hash(dll), not hash(dll+function); any code that precomputes hashes elsewhere must use the same combination.
func BytesToUint32s ¶
BytesToUint32s converts byte slice to uint32 slice (Binject-compatible)
func CompressAPLib ¶
CompressAPLib compresses data using aPLib algorithm
func CompressData ¶
CompressData compresses data using the specified engine
func ConvertArch ¶
ConvertArch converts DonutArch to internal arch constants
func Create ¶
// Create generates shellcode from the given configuration and returns it as
// a byte slice. This is the main entry point for the library.
func Create(config *DonutConfig) ([]byte, error)
Create generates shellcode from the given configuration. This is the main entry point for the library.
func CreateFromBytes ¶
CreateFromBytes generates shellcode from raw bytes
func CreateFromFile ¶
CreateFromFile generates shellcode from a file path
func CreateFromReader ¶
CreateFromReader generates shellcode from an io.Reader
func DecompressAPLib ¶
DecompressAPLib decompresses aPLib compressed data
func DecompressData ¶
DecompressData decompresses data
func DetectFileType ¶
DetectFileType detects the type of input file
func DonutCreate ¶
// DonutCreate generates shellcode from the given configuration. Unlike Create
// it returns only an error; the result is presumably left in config.Pic/PicLen
// — confirm against the implementation.
func DonutCreate(config *DonutConfig) error
DonutCreate generates shellcode from the given configuration
func DonutError ¶
DonutError returns a human-readable error message
func DownloadFile ¶
DownloadFile downloads a file from a URL into a bytes.Buffer (Binject-compatible utility function). The fetched bytes are used as-is, e.g. as the payload by ShellcodeFromURL, so only fetch from sources you trust.
func EncryptCTR ¶
EncryptCTR encrypts data using Chaskey in CTR mode. As with any CTR construction the output is unauthenticated, and a (key, ctr) pair must never be reused for two different plaintexts.
func FormatOutput ¶
FormatOutput converts shellcode to the specified output format
func GenerateRandomBytes ¶
GenerateRandomBytes generates n random bytes (Binject-compatible name)
func GetFormatExtension ¶
GetFormatExtension returns the appropriate file extension for the format
func GetLoaderForArch ¶
GetLoaderForArch returns the appropriate loader for the given architecture and module type. For x84 (dual-mode) it returns nil, since Sandwich handles both loaders internally; callers must therefore check for a nil loader before using the result.
func HasExportedFunction ¶
HasExportedFunction checks if a DLL exports a specific function
func Maru ¶
Maru computes the Maru hash of input with the given IV. This matches the official donut v1.1 implementation.
func RandomString ¶
RandomString generates a random string of given length (Binject-compatible name)
func ReadPEFromReader ¶
ReadPEFromReader reads PE data from an io.Reader
func Sandwich ¶
Sandwich creates the final shellcode by wrapping the instance data with call/pop instructions that pass the instance pointer to the loader. Structure: E8 [len] [instance] 59 [preamble] [loader] — E8 is a relative call that jumps over the instance (len is its length), and 59 is a pop that leaves the instance address in ecx/rcx for the loader.
func SaveToFile ¶
SaveToFile saves shellcode to a file with the specified format
func SetInstanceGUIDs ¶
// SetInstanceGUIDs populates all GUID fields (the X* members) of inst,
// presumably from the package-level CLSID_*/IID_* variables — confirm.
func SetInstanceGUIDs(inst *DonutInstance)
SetInstanceGUIDs populates all GUIDs in a DonutInstance
func SetScriptGUID ¶
// SetScriptGUID sets the script-engine CLSID (XCLSID_ScriptLanguage) for a
// VBS or JS module, selected by moduleType.
func SetScriptGUID(inst *DonutInstance, moduleType int)
SetScriptGUID sets the CLSID for VBS or JS
func ShellcodeFromBytes ¶
ShellcodeFromBytes generates shellcode from PE bytes. It returns a *bytes.Buffer for Binject/go-donut API compatibility.
func ShellcodeFromFile ¶
// ShellcodeFromFile generates shellcode from the PE file at inputFile.
// It returns a *bytes.Buffer for Binject/go-donut API compatibility.
func ShellcodeFromFile(inputFile string, config *DonutConfig) (*bytes.Buffer, error)
ShellcodeFromFile generates shellcode from a PE file. It returns a *bytes.Buffer for Binject/go-donut API compatibility.
func ShellcodeFromURL ¶
// ShellcodeFromURL downloads a PE from fileURL and generates shellcode from
// it (Binject-compatible API). The downloaded bytes become the payload, so
// the URL must be trusted.
func ShellcodeFromURL(fileURL string, config *DonutConfig) (*bytes.Buffer, error)
ShellcodeFromURL downloads a PE from a URL and generates shellcode from it (Binject-compatible API). The downloaded bytes become the payload, so the URL must be trusted.
Types ¶
type DonutArch ¶
// DonutArch is the CPU architecture type used by DonutConfig.Arch (Sliver
// compatibility). Values match Binject/go-donut: X32=0, X64=1, X84=2; use
// ToInternal/ConvertArch to obtain the DONUT_ARCH_* value.
type DonutArch int
DonutArch - CPU architecture type (used by DonutConfig.Arch for Sliver compatibility) Values match Binject/go-donut: X32=0, X64=1, X84=2
func DonutArchFromInt ¶
DonutArchFromInt converts an internal DONUT_ARCH_* constant to DonutArch
func (DonutArch) ToInternal ¶
ToInternal converts DonutArch to internal DONUT_ARCH_* representation
type DonutConfig ¶
// DonutConfig holds all configuration for shellcode generation. Fields marked
// Sliver-compatible keep the names and types expected by Sliver and
// Binject/go-donut callers.
type DonutConfig struct {
	Len  uint32 // original length of input file
	Zlen uint32 // compressed length
	// General/misc options for loader
	Arch     DonutArch // target architecture (Sliver-compatible)
	Bypass   int       // bypass option for AMSI/WLDP/ETW (DONUT_BYPASS_*)
	Headers  int       // preserve PE headers option (DONUT_HEADERS_*)
	Compress uint32    // engine to use when compressing file (DONUT_COMPRESS_*): LZNT1/XPRESS via RtlCompressBuffer, APLIB via CompressAPLib (Sliver-compatible)
	Entropy  int       // entropy/encryption level (DONUT_ENTROPY_*)
	Format   uint32    // output format for loader (DONUT_FORMAT_*, Sliver-compatible)
	ExitOpt  int       // return to caller, invoke RtlExitUserProcess, or block (DONUT_OPT_EXIT_*)
	Thread   uint32    // run entrypoint of unmanaged EXE as a thread (Sliver-compatible)
	OEP      uint32    // original entrypoint of target host file
	// Files in/out
	Input  string // name of input file to read and load in-memory
	Output string // name of output file to save loader
	// .NET stuff
	Runtime string // runtime version to use for CLR (DONUT_RUNTIME_*)
	Domain  string // name of domain to create for .NET DLL/EXE
	Class   string // name of class with optional namespace for .NET DLL
	Method  string // name of method or DLL function to invoke
	// Command line for DLL/EXE
	Parameters string // command line to use for unmanaged DLL/EXE and .NET DLL/EXE (Sliver-compatible, was Args)
	// NOTE(review): DonutModule.Unicode and WithUnicode describe the opposite polarity
	// (non-zero = convert to unicode); confirm which description is authoritative.
	Unicode uint32 // param is passed to DLL function without converting to unicode (Sliver-compatible)
	// Module overloading stuff
	Decoy string // path of decoy module
	// HTTP/DNS staging information
	Server string // staging server hosting donut module
	Auth   string // username and password for web server (user:pass); copied into DonutInstance.Username/Password, so the generated blob carries these credentials
	ModName string // name of module written to disk for http stager
	// DONUT_MODULE
	Type   ModuleType   // VBS/JS/DLL/EXE (Sliver-compatible, was ModType)
	ModLen int          // size of DONUT_MODULE
	Mod    *DonutModule // points to DONUT_MODULE
	// DONUT_INSTANCE
	InstType InstanceType   // DONUT_INSTANCE_EMBED or DONUT_INSTANCE_HTTP (Sliver-compatible)
	InstLen  int            // size of DONUT_INSTANCE
	Inst     *DonutInstance // points to DONUT_INSTANCE
	// Shellcode generated from configuration
	PicLen int    // size of loader/shellcode
	Pic    []byte // points to loader/shellcode
}
DonutConfig holds all configuration for shellcode generation
func DefaultConfig ¶
// DefaultConfig returns a DonutConfig populated with the package's default
// settings; the specific defaults are not visible here — check the
// implementation before relying on them.
func DefaultConfig() *DonutConfig
DefaultConfig returns a DonutConfig with sensible defaults
type DonutCrypt ¶
// DonutCrypt holds the symmetric key and counter used to encrypt an instance
// or module. Both are embedded in the generated output (DonutInstance.Key sits
// before the encrypted region so the loader can decrypt it), so this is
// obfuscation against static scanning, not confidentiality against anyone who
// holds the blob.
type DonutCrypt struct {
	MasterKey [DONUT_KEY_LEN]byte // master key
	Counter   [DONUT_BLK_LEN]byte // counter + nonce
}
DonutCrypt holds the symmetric encryption key and counter. Both are embedded in the generated instance (DonutInstance.Key lives before the encrypted region so the loader can decrypt it), so encryption here is obfuscation against static scanning, not confidentiality against anyone who holds the blob.
type DonutInstance ¶
// DonutInstance - everything required for an instance. The fields up to and
// including OEP form the plaintext header; everything after it may be
// encrypted with Key when entropy is DONUT_ENTROPY_DEFAULT.
type DonutInstance struct {
	Len     uint32     // total size of instance
	Key     DonutCrypt // decrypts instance if encryption enabled (stored in the plaintext header, so recoverable from the blob)
	IV      uint64     // the 64-bit initial value for maru hash
	Hash    [64]uint64 // holds up to 64 api hashes (or addresses at runtime)
	ExitOpt int32      // 1=thread, 2=process, 3=block
	Entropy int32      // indicates entropy level
	OEP     uint32     // original entrypoint
	// everything from here is encrypted
	ApiCnt   int32                // number of API hashes populated in Hash
	DllNames [DONUT_MAX_NAME]byte // list of DLL strings to load, separated by semi-colon
	Dataname   [8]byte  // ".data"
	Kernelbase [12]byte // "kernelbase"
	Amsi       [8]byte  // "amsi"
	Clr        [4]byte  // "clr"
	Wldp       [8]byte  // "wldp"
	Ntdll      [8]byte  // "ntdll"
	CmdSyms    [DONUT_MAX_NAME]byte // symbols related to command line
	ExitApi    [DONUT_MAX_NAME]byte // exit-related API
	Bypass  int32 // indicates behaviour of bypassing AMSI/WLDP/ETW (DONUT_BYPASS_*)
	Headers int32 // indicates whether to overwrite PE headers (DONUT_HEADERS_*)
	WldpQuery      [32]byte // WldpQueryDynamicCodeTrust
	WldpIsApproved [32]byte // WldpIsClassInApprovedList
	AmsiInit       [16]byte // AmsiInitialize
	AmsiScanBuf    [16]byte // AmsiScanBuffer
	AmsiScanStr    [16]byte // AmsiScanString
	EtwEventWrite  [16]byte // EtwEventWrite
	EtwEventUnreg  [20]byte // EtwEventUnregister
	EtwRet64       [1]byte  // "ret" instruction for Etw
	EtwRet32       [4]byte  // "ret 14h" instruction for Etw
	Wscript    [8]byte  // WScript
	WscriptExe [12]byte // wscript.exe
	Decoy      [DONUT_MAX_PATH * 2]byte // path of decoy module
	// GUIDs (populated by SetInstanceGUIDs)
	XIID_IUnknown  GUID
	XIID_IDispatch GUID
	// GUID required to load .NET assemblies
	XCLSID_CLRMetaHost    GUID
	XIID_ICLRMetaHost     GUID
	XIID_ICLRRuntimeInfo  GUID
	XCLSID_CorRuntimeHost GUID
	XIID_ICorRuntimeHost  GUID
	XIID_AppDomain        GUID
	// GUID required to run VBS and JS files
	XCLSID_ScriptLanguage        GUID // CLSID_VBScript or CLSID_JScript, set by SetScriptGUID
	XIID_IHost                   GUID
	XIID_IActiveScript           GUID
	XIID_IActiveScriptSite       GUID
	XIID_IActiveScriptSiteWindow GUID
	XIID_IActiveScriptParse32    GUID
	XIID_IActiveScriptParse64    GUID
	Type     int32                // DONUT_INSTANCE_EMBED, DONUT_INSTANCE_HTTP
	Server   [DONUT_MAX_NAME]byte // staging server hosting donut module
	Username [DONUT_MAX_NAME]byte // username for web server (from DonutConfig.Auth)
	Password [DONUT_MAX_NAME]byte // password for web server (from DonutConfig.Auth)
	HttpReq  [8]byte              // just a buffer for "GET"
	Sig      [DONUT_MAX_NAME]byte // string to hash
	Mac      uint64               // to verify decryption ok
	ModKey   DonutCrypt           // used to decrypt module
	ModLen   uint64               // total size of module
	Module   *DonutModule         // points to module (embedded or downloaded)
}
DonutInstance - everything required for an instance
type DonutModule ¶
// DonutModule - everything required for a module (the payload wrapped by the
// instance). Sig/Mac let the loader verify that decryption with
// DonutInstance.ModKey succeeded before trusting Data.
type DonutModule struct {
	Type     int32                // EXE/DLL/JS/VBS (DONUT_MODULE_*)
	Thread   int32                // run entrypoint of unmanaged EXE as a thread
	Compress int32                // indicates engine used for compression (DONUT_COMPRESS_*)
	Runtime  [DONUT_MAX_NAME]byte // runtime version for .NET EXE/DLL
	Domain   [DONUT_MAX_NAME]byte // domain name to use for .NET EXE/DLL
	Cls      [DONUT_MAX_NAME]byte // name of class and optional namespace for .NET EXE/DLL
	Method   [DONUT_MAX_NAME]byte // name of method to invoke for .NET DLL or api for unmanaged DLL
	Args     [DONUT_MAX_NAME]byte // string arguments for both managed and unmanaged DLL/EXE
	Unicode  int32                // convert param to unicode for unmanaged DLL function (see note on DonutConfig.Unicode polarity)
	Sig      [DONUT_SIG_LEN]byte  // string to verify decryption
	Mac      uint64               // hash of sig, to verify decryption was ok
	Zlen     uint32               // compressed size of EXE/DLL/JS/VBS file
	Len      uint32               // real size of EXE/DLL/JS/VBS file
	Data     []byte               // data of EXE/DLL/JS/VBS file
}
DonutModule - everything required for a module
type FileInfo ¶
// FileInfo holds information about the input file as read and classified
// before it is wrapped into a module.
type FileInfo struct {
	Len   uint32 // original length of the input
	Zlen  uint32 // compressed length (0 when not compressed — confirm)
	Data  []byte // raw input bytes
	Zdata []byte // compressed input bytes
	Type  int    // detected module type (DONUT_MODULE_*, see DetectFileType)
	Arch  int    // detected architecture (DONUT_ARCH_*)
	Ver   string // presumably the .NET runtime version of a managed input — confirm
}
FileInfo holds information about input file
type ImageCor20Header ¶
// ImageCor20Header is the CLR (IMAGE_COR20_HEADER) structure located via the
// IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory. Its on-disk size is
// IMAGE_COR20_HEADER_SIZE (72 bytes).
type ImageCor20Header struct {
	Cb                  uint32 // size of this header in bytes
	MajorRuntimeVersion uint16
	MinorRuntimeVersion uint16
	MetaDataRVA         uint32 // RVA of the metadata root (see MDStorageSignature)
	MetaDataSize        uint32
	Flags               uint32
	EntryPointToken     uint32
	ResourcesRVA        uint32
	ResourcesSize       uint32
	StrongNameSigRVA    uint32
	StrongNameSigSize   uint32
	CodeManagerTableRVA uint32
	CodeManagerTableSz  uint32
	VTableFixupsRVA     uint32
	VTableFixupsSize    uint32
	ExportAddrTableRVA  uint32
	ExportAddrTableSize uint32
	ManagedNativeHdrRVA uint32
	ManagedNativeHdrSz  uint32
}
CLR header structure
type InstanceType ¶
// InstanceType - Instance type (used by DonutConfig.InstType for Sliver
// compatibility); see DONUT_INSTANCE_PIC and DONUT_INSTANCE_URL.
type InstanceType int
InstanceType - Instance type (used by DonutConfig.InstType for Sliver compatibility)
// Sliver-compatible aliases for the DONUT_INSTANCE_* values. There is no alias
// for DONUT_INSTANCE_DNS.
const (
	// DONUT_INSTANCE_PIC - Self-contained/embedded (Sliver-compatible name)
	DONUT_INSTANCE_PIC InstanceType = DONUT_INSTANCE_EMBED
	// DONUT_INSTANCE_URL - Download from remote server (Sliver-compatible name)
	DONUT_INSTANCE_URL InstanceType = DONUT_INSTANCE_HTTP
)
type MDStorageSignature ¶
// MDStorageSignature is the .NET metadata storage signature found at the
// metadata root (ImageCor20Header.MetaDataRVA). Per ECMA-335 II.24.2.1 the
// Signature is 0x424A5342 ("BSJB") and VersionLength is the length of the
// version string that follows — confirm against the parser that uses it.
type MDStorageSignature struct {
	Signature     uint32
	MajorVersion  uint16
	MinorVersion  uint16
	ExtraData     uint32
	VersionLength uint32
}
.NET metadata storage signature
type ModuleType ¶
// ModuleType - Module type (used by DonutConfig.Type for Sliver
// compatibility); see the DONUT_MODULE_TYPE_* constants.
type ModuleType int
ModuleType - Module type (used by DonutConfig.Type for Sliver compatibility)
// Module type constants matching Sliver's expected values. DONUT_MODULE_XSL
// has no ModuleType alias.
const (
	DONUT_MODULE_TYPE_NET_DLL ModuleType = DONUT_MODULE_NET_DLL
	DONUT_MODULE_TYPE_NET_EXE ModuleType = DONUT_MODULE_NET_EXE
	DONUT_MODULE_TYPE_DLL     ModuleType = DONUT_MODULE_DLL
	DONUT_MODULE_TYPE_EXE     ModuleType = DONUT_MODULE_EXE
	DONUT_MODULE_TYPE_VBS     ModuleType = DONUT_MODULE_VBS
	DONUT_MODULE_TYPE_JS      ModuleType = DONUT_MODULE_JS
)
Module type constants matching Sliver's expected values
type Option ¶
// Option is a functional option for configuring shellcode generation; it
// mutates the DonutConfig passed to CreateFromBytes/CreateFromFile/CreateFromReader.
type Option func(*DonutConfig)
Option is a functional option for configuring shellcode generation
func WithBypass ¶
WithBypass sets the AMSI/WLDP/ETW bypass option
func WithCompression ¶
WithCompression sets the compression engine
func WithHeaders ¶
WithHeaders sets whether to preserve PE headers
func WithParameters ¶
WithParameters sets the arguments/parameters (Sliver-compatible name)
func WithRuntime ¶
WithRuntime sets the .NET CLR runtime version
func WithUnicode ¶
WithUnicode enables unicode parameter passing