jaccostraathof

Donut

Donut

1st : sudo apt install g++-mingw-w64-x86-64 gcc-mingw-w64-x86-64

2nd : wget https://github.com/TheWover/donut/releases/download/v0.9.3/donut_v0.9.3.tar.gz

3th : tar -xvzf donut_v0.9.3.tar.gz

result :

bolke@js-donut:~/donut2/donut_v0.9.3$ ls -la
total 108
drwxr-xr-x 4 bolke bolke  4096 Dec 21  2019 .
drwxrwxr-x 3 bolke bolke  4096 May 13 11:28 ..
-rwxr-xr-x 1 bolke bolke 64912 Dec 21  2019 donut
-rw-r--r-- 1 bolke bolke  5309 Dec 21  2019 donut.1
drwxr-xr-x 2 bolke bolke  4096 Dec 21  2019 examples
drwxr-xr-x 2 bolke bolke  4096 Dec 21  2019 lib
-rw-r--r-- 1 bolke bolke  1517 Dec 21  2019 LICENSE
-rw-r--r-- 1 bolke bolke 12874 Dec 21  2019 README.html
bolke@js-donut:~/donut2/donut_v0.9.3$ ./donut

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

                   -MODULE OPTIONS-

       -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s <server>          HTTP server that will host the donut module.
       -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

                   -PIC/SHELLCODE OPTIONS-

       -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
       -o <path>            Output file to save loader. Default is "loader.bin"
       -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y <addr>            Create thread for loader and continue execution at <addr> supplied.
       -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

                   -FILE OPTIONS-

       -c <namespace.class> Optional class name. (required for .NET DLL)
       -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
       -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t                   Execute the entrypoint of an unmanaged EXE as a thread.
       -z <engine>          Pack/Compress file. 1=None, 2=aPLib

 examples:

    donut c2.dll
    donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
    donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/
bolke@js-donut:~/donut2/donut_v0.9.3$

 

 

 

 

or with docker

install on Ubuntu 24.04.02 LTS : sudo docker build -t donut .

bolke@js-srv01:~/donut$ sudo docker build -t donut .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            Install the buildx component to build images with BuildKit:
            https://docs.docker.com/go/buildx/

Sending build context to Docker daemon  14.69MB
Step 1/11 : FROM ubuntu:22.04
22.04: Pulling from library/ubuntu
215ed5a63843: Pull complete
Digest: sha256:67cadaff1dca187079fce41360d5a7eb6f7dcd3745e53c79ad5efd8563118240
Status: Downloaded newer image for ubuntu:22.04
 ---> c42dedf797ba
Step 2/11 : RUN apt-get update
 ---> Running in 2f62edb78629
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
--snip--
loader_exe_x86.go
loader_exe_x86.h
pyproject.toml
setup.py
version-release-notes.txt
 ---> Removed intermediate container 4cad547e0fa4
 ---> fff5ee8ca773
Step 11/11 : ENTRYPOINT ["/opt/donut/donut"]
 ---> Running in 354facff12fe
 ---> Removed intermediate container 354facff12fe
 ---> 124c8ac52483
Successfully built 124c8ac52483
Successfully tagged donut:latest
bolke@js-srv01:~/donut$

.

then : sudo docker run -it –rm -v “${PWD}:/workdir” donut -h

bolke@js-srv01:~$ sudo docker run -it --rm -v "${PWD}:/workdir" donut -h

  [ Donut shellcode generator v1 (built May 12 2025 13:50:10)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

                   -MODULE OPTIONS-

       -n,--modname: <name>                    Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s,--server: <server>                   Server that will host the Donut module. Credentials may be provided in the following format: https://username:password@192.168.0.1/
       -e,--entropy: <level>                   Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

                   -PIC/SHELLCODE OPTIONS-

       -a,--arch: <arch>,--cpu: <arch>         Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -o,--output: <path>                     Output file to save loader. Default is "loader.bin"
       -f,--format: <format>                   Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y,--fork: <offset>                     Create a new thread for the loader and continue execution at <offset> relative to the host process's executable.
       -x,--exit: <action>                     Exit behaviour. 1=Exit thread (default), 2=Exit process, 3=Do not exit or cleanup and block indefinitely

                   -FILE OPTIONS-

       -c,--class: <namespace.class>           Optional class name. (required for .NET DLL)
       -d,--domain: <name>                     AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -i,--input: <path>,--file: <path>       Input file to execute in-memory.
       -m,--method: <method>,--function: <api> Optional method or function for DLL. (a method is required for .NET DLL)
       -p,--args: <arguments>                  Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w,--unicode                            Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r,--runtime: <version>                 CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t,--thread                             Execute the entrypoint of an unmanaged EXE as a thread.

                   -EXTRA-

       -z,--compress: <engine>                 Pack/Compress file. 1=None, 2=aPLib
       -b,--bypass: <level>                    Bypass AMSI/WLDP/ETW : 1=None, 2=Abort on fail, 3=Continue on fail.(default)

       -k,--headers: <level>                   Preserve PE headers. 1=Overwrite (default), 2=Keep all

       -j,--decoy: <level>                     Optional path of decoy module for Module Overloading.

 examples:

    donut -ic2.dll
    donut --arch:x86 --class:TestClass --method:RunProcess --args:notepad.exe --input:loader.dll
    donut -iloader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/
bolke@js-srv01:~$ pwd
/home/bolke
bolke@js-srv01:~$

 

 

 

 

references:

https://github.com/TheWover/donut