Summary

The donut command converts a VBS/JS or PE/.NET EXE/DLL to shellcode. Only the finest artisanal donuts are made of shells. Uses the go-donut project.
  • Needs Admin: False
  • Version: 1
  • Author: @Ne0nd0g
See the Detailed Summary section for additional information.

Arguments

module

  • Description: Module name. Randomly generated by default with entropy enabled
  • Required Value: False
  • Default Value: None

url

  • Description: HTTP server that will host the donut module
  • Required Value: False
  • Default Value: None

entropy

  • Description: 1=disable, 2=use random names, 3=random names + symmetric encryption (default)
  • Required Value: True
  • Default Value: 3

arch

  • Description: Target Architecture: x32, x64, or x84
  • Required Value: False
  • Default Value: x84

bypass

  • Description: Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail
  • Required Value: False
  • Default Value: 3

entrypoint

  • Description: Create a new thread for loader. Optionally execute original entrypoint of host process
  • Required Value: False
  • Default Value: False

exit

  • Description: Exiting. 1=exit thread, 2=exit process
  • Required Value: False
  • Default Value: 1

class

  • Description: Optional class name. (required for .NET DLL)
  • Required Value: False
  • Default Value: None

domain

  • Description: AppDomain name to create for .NET. Randomly generated by default with entropy enabled
  • Required Value: False
  • Default Value: None

method

  • Description: Optional method or API name for DLL. (a method is required for .NET DLL)
  • Required Value: False
  • Default Value: None

input

  • Description: .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory
  • Required Value: True
  • Default Value: None

params

  • Description: Optional parameters/command line inside quotations for DLL method/function or EXE.
  • Required Value: False
  • Default Value: None

unicode

  • Description: Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
  • Required Value: False
  • Default Value: False

runtime

  • Description: CLR runtime version. This will override the auto-detected version
  • Required Value: False
  • Default Value: None

thread

  • Description: Create new thread for entrypoint of unmanaged EXE
  • Required Value: False
  • Default Value: False

compress

  • Description: Pack/Compress file. 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman
  • Required Value: False
  • Default Value: None

spawnto

  • Description: The child process to inject and execute the donut generated shellcode
  • Required Value: True
  • Default Value: C:\Windows\System32\WerFault.exe

spawntoargs

  • Description: Arguments to create the spawnto process with, if any
  • Required Value: False
  • Default Value: None

verbose

  • Description: Show verbose output from Donut
  • Note: The verbose output is from the Donut program running on the server while generating the shellcode
  • Required Value: False
  • Default Value: False

Usage

To use this command, type donut and press enter for the dialog window to appear. The command has too many arguments to type out practically in the task window alone.

MITRE ATT&CK Mapping

T1055.012 Process Injection: Process Hollowing

Detailed Summary

The donut command leverages Donut by @TheWover, which transforms an arbitrary .NET assembly, PE, or a few other executable formats into position-independent shellcode. Merlin uses the go-donut library specifically to generate the shellcode. Once the shellcode is generated, it is executed in the spawnto process using the process hollowing technique described in the createprocess command documentation.
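For defenders, the defaults documented above (spawnto of C:\Windows\System32\WerFault.exe with no spawntoargs) give a process-creation signal to hunt on. The following is an added example, not part of Merlin or go-donut: it flags creations of a watched image with an empty argument list, and it assumes Sysmon Event ID 1 style field names, constructed sample records, and that legitimate WerFault.exe launches normally carry arguments.

```python
import ntpath

# Default spawnto from the argument table; extend with other images as needed.
WATCHED_IMAGES = {r"c:\windows\system32\werfault.exe"}

# Constructed process-creation records (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"ProcessId": 5012, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4120 -s 312"},
    {"ProcessId": 6120, "ParentImage": r"C:\Users\Public\example.exe",
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe"},
    {"ProcessId": 6344, "ParentImage": r"C:\Users\Public\example.exe",
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": '"C:\\Windows\\System32\\WerFault.exe" '},
    {"ProcessId": 7001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]


def trailing_args(image, command_line):
    """Return whatever follows the executable in a Windows command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    # Unquoted: the executable may appear as a full path or a bare file name.
    for prefix in (image, ntpath.basename(image)):
        if cl.lower().startswith(prefix.lower()):
            return cl[len(prefix):].strip()
    return cl.partition(" ")[2].strip()


def argless_spawns(events, watched=WATCHED_IMAGES):
    """Return events where a watched image was created with no arguments."""
    return [ev for ev in events
            if ev["Image"].lower() in watched
            and trailing_args(ev["Image"], ev["CommandLine"]) == ""]


if __name__ == "__main__":
    for ev in argless_spawns(SAMPLE_EVENTS):
        print(ev["ProcessId"], ev["ParentImage"], "->", ev["CommandLine"])
```

Both spawnto and spawntoargs are configurable, so treat a hit as one signal to correlate with parent-process and memory telemetry, not as a complete detection.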