Open lap1nou opened 1 year ago
Here is the output of the debug mode in case it can be useful:
PS C:\Users\User\donut> .\donut.exe -i .\test.exe
[ Donut shellcode generator v1 (built Mar 11 2023 12:16:37)
[ Copyright (c) 2019-2021 TheWover, Odzhan
DEBUG: donut.c:1817:get_opt(): Arg type for h;?, help : None
DEBUG: donut.c:1817:get_opt(): Arg type for a, arch : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for b, bypass : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for k, headers : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for c, class : String
DEBUG: donut.c:1817:get_opt(): Arg type for d, domain : String
DEBUG: donut.c:1817:get_opt(): Arg type for e, entropy : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for f, format : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for i, input;file : String
DEBUG: donut.c:1894:get_opt(): Found match
DEBUG: donut.c:1912:get_opt(): Parsing .\test.exe
DEBUG: donut.c:1925:get_opt(): Copying .\test.exe to output
DEBUG: donut.c:1817:get_opt(): Arg type for m, method;function : String
DEBUG: donut.c:1817:get_opt(): Arg type for n, modname : String
DEBUG: donut.c:1817:get_opt(): Arg type for j, decoy : String
DEBUG: donut.c:1817:get_opt(): Arg type for o, output : String
DEBUG: donut.c:1817:get_opt(): Arg type for p, params;args : String
DEBUG: donut.c:1817:get_opt(): Arg type for r, runtime : String
DEBUG: donut.c:1817:get_opt(): Arg type for s, server : String
DEBUG: donut.c:1817:get_opt(): Arg type for t, thread : Flag
DEBUG: donut.c:1817:get_opt(): Arg type for w, unicode : Flag
DEBUG: donut.c:1817:get_opt(): Arg type for x, exit : Decimal
DEBUG: donut.c:1817:get_opt(): Arg type for y, oep;fork : Hexadecimal
DEBUG: donut.c:1817:get_opt(): Arg type for z, compress : Decimal
DEBUG: donut.c:1575:DonutCreate(): Entering.
DEBUG: donut.c:1347:validate_loader_cfg(): Validating loader configuration.
DEBUG: donut.c:1450:validate_loader_cfg(): Loader configuration passed validation.
DEBUG: donut.c:474:read_file_info(): Entering.
DEBUG: donut.c:482:read_file_info(): Checking extension of .\test.exe
DEBUG: donut.c:490:read_file_info(): Extension is ".exe"
DEBUG: donut.c:506:read_file_info(): File is EXE
DEBUG: donut.c:518:read_file_info(): Mapping .\test.exe into memory
DEBUG: donut.c:262:map_file(): Entering.
DEBUG: donut.c:546:read_file_info(): Checking characteristics
DEBUG: donut.c:597:read_file_info(): Leaving with error : 0
DEBUG: donut.c:1516:validate_file_cfg(): Validating configuration for input file.
DEBUG: donut.c:1558:validate_file_cfg(): Validation passed.
DEBUG: donut.c:689:build_module(): Entering.
DEBUG: donut.c:703:build_module(): Assigning 2403328 bytes of 000002690B770000 to data
DEBUG: donut.c:710:build_module(): Allocating 2404656 bytes of memory for DONUT_MODULE
DEBUG: donut.c:794:build_module(): Copying data to module
DEBUG: donut.c:806:build_module(): Leaving with error : 0
DEBUG: donut.c:826:build_instance(): Entering.
DEBUG: donut.c:829:build_instance(): Allocating memory for instance
DEBUG: donut.c:836:build_instance(): The size of module is 2404656 bytes. Adding to size of instance.
DEBUG: donut.c:839:build_instance(): Total length of instance : 2409408
DEBUG: donut.c:870:build_instance(): Generating random key for instance
DEBUG: donut.c:879:build_instance(): Generating random key for module
DEBUG: donut.c:888:build_instance(): Generating random string to verify decryption
DEBUG: donut.c:895:build_instance(): Generating random IV for Maru hash
DEBUG: donut.c:903:build_instance(): Generating hashes for API using IV: A2C29EA8B9E10E17
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : LoadLibraryA = 899811C3629617B1
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetProcAddress = B8FEC1A5DF6AF617
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetModuleHandleA = 9B8273CBF1F8CB2F
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : VirtualAlloc = 42711CB811A2E776
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : VirtualFree = A48AAA89565858F7
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : VirtualQuery = EF553D8E03C74C82
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : VirtualProtect = 602366033C00A0B3
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : Sleep = 6AD22F6136FB14FD
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : MultiByteToWideChar = CBE439E0F37AAEBD
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetUserDefaultLCID = E77DFEC24629CF95
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : WaitForSingleObject = C48554C18E33252A
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : CreateThread = BE2B2A265E9C2258
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : CreateFileA = 215C65924D68DAC7
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetFileSizeEx = B191D876400CD4BF
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetThreadContext = 8EC05CC4DA2114E1
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetCurrentThread = D93339F4E5CC1A37
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetCurrentProcess = 9F62D868E859BFD9
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetCommandLineA = 34EE41D5626FE262
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetCommandLineW = D5ACF8EF8F896BE4
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : HeapAlloc = 960605E0A4B417B4
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : HeapReAlloc = C946DBCF003DE294
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetProcessHeap = 31A61E6288513978
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : HeapFree = 5C648D6AAB35D0CE
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : GetLastError = 583A6684749BB923
DEBUG: donut.c:916:build_instance(): Hash for kernel32.dll : CloseHandle = 9C3EDDC3EE852954
DEBUG: donut.c:916:build_instance(): Hash for shell32.dll : CommandLineToArgvW = DDC4350C6E3413C9
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SafeArrayCreate = 77D04F7F1E1717F0
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SafeArrayCreateVector = FB2A4E7DA4C5FD23
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SafeArrayPutElement = 1276F5A840DAE095
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SafeArrayDestroy = 0FEDD0632D55374B
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SafeArrayGetLBound = 7EC1B0F19AD7A299
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SafeArrayGetUBound = C6C2A5020E5C1006
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SysAllocString = DC1FE6AF3D3E056D
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : SysFreeString = 60B156584B2BC0F7
DEBUG: donut.c:916:build_instance(): Hash for oleaut32.dll : LoadTypeLib = B5A6760D74A5F0A5
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetCrackUrlA = E4449831327088C2
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetOpenA = 1679D62DD44DE558
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetConnectA = 28F5894093B194AC
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetSetOptionA = 065C9B4555AE1245
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetReadFile = 6C0CA47E3A1642AD
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetQueryDataAvailable = FBEE4DC77784C8A4
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : InternetCloseHandle = E728F03A8EB8A0D8
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : HttpOpenRequestA = 34086C47298D6BCB
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : HttpSendRequestA = B9357CE84A13D552
DEBUG: donut.c:916:build_instance(): Hash for wininet.dll : HttpQueryInfoA = 977EFCAA7FDD0515
DEBUG: donut.c:916:build_instance(): Hash for mscoree.dll : CorBindToRuntime = 85243C6FE59AE306
DEBUG: donut.c:916:build_instance(): Hash for mscoree.dll : CLRCreateInstance = 5A63F1DD6D561D11
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll : CoInitializeEx = 7C5F848AE143FAE3
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll : CoCreateInstance = 242F8382755DBC7B
DEBUG: donut.c:916:build_instance(): Hash for ole32.dll : CoUninitialize = 71B8D50B695AB87E
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlEqualUnicodeString = F962773B547A060F
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlEqualString = 46D80DA45C8ABE03
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlUnicodeStringToAnsiString = DE0C014F7C1B7967
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlInitUnicodeString = 9B74A1977A276A8F
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlExitUserThread = C0DA5CDA3F0E4F1B
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlExitUserProcess = 409F303B4F9FEB48
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlCreateUnicodeString = 6DDB7EC7337A30A1
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlGetCompressionWorkSpaceSize = 1D37073E82850F4E
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : RtlDecompressBuffer = AA377AAE3C5E2ABD
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : NtContinue = 4159309699554454
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : NtCreateSection = D44B82E52BC6F110
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : NtMapViewOfSection = CE54C3360CC70AB9
DEBUG: donut.c:916:build_instance(): Hash for ntdll.dll : NtUnmapViewOfSection = 597C97A827799E9B
DEBUG: donut.c:919:build_instance(): Setting number of API to 63
DEBUG: donut.c:922:build_instance(): Setting DLL names to ole32;oleaut32;wininet;mscoree;shell32
DEBUG: donut.c:965:build_instance(): Copying strings required to bypass AMSI
DEBUG: donut.c:973:build_instance(): Copying strings required to bypass WLDP
DEBUG: donut.c:979:build_instance(): Copying strings required to bypass ETW
DEBUG: donut.c:1052:build_instance(): Copying module data to instance
DEBUG: donut.c:1058:build_instance(): Encrypting instance
DEBUG: donut.c:1076:build_instance(): Leaving with error : 0
DEBUG: donut.c:1251:build_loader(): Inserting opcodes
DEBUG: donut.c:1300:build_loader(): Copying 25077 bytes of x86 + amd64 shellcode
DEBUG: donut.c:1124:save_loader(): Saving instance 000002690BC25040 to file. 2409408 bytes.
DEBUG: donut.c:1095:save_file(): Entering.
DEBUG: donut.c:1099:save_file(): Writing 2409408 bytes of 000002690BC25040 to instance
DEBUG: donut.c:1104:save_file(): Leaving with error : 0
DEBUG: donut.c:1176:save_loader(): Saving loader as binary
DEBUG: donut.c:1213:save_loader(): Leaving with error : 0
DEBUG: donut.c:1610:DonutCreate(): Leaving with error : 0
[ Instance type : Embedded
[ Module file : ".\test.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "loader.bin"
[ Exit : Thread
DEBUG: donut.c:1626:DonutDelete(): Entering.
DEBUG: donut.c:1632:DonutDelete(): Releasing memory for module.
DEBUG: donut.c:1638:DonutDelete(): Releasing memory for configuration.
DEBUG: donut.c:1644:DonutDelete(): Releasing memory for loader.
DEBUG: donut.c:311:unmap_file(): Unmapping input file.
DEBUG: donut.c:316:unmap_file(): Closing input file.
DEBUG: donut.c:1650:DonutDelete(): Leaving.
PS C:\Users\User\donut> .\loader .\instance
Running...
DEBUG: loader.c:46:DonutLoader(): sizeof(DONUT_INSTANCE) : 4752
DEBUG: loader.c:47:DonutLoader(): offsetof(DONUT_INSTANCE, api) : 48
DEBUG: loader.c:116:MainProc(): Maru IV : A2C29EA8B9E10E17
DEBUG: loader.c:119:MainProc(): Resolving address for VirtualAlloc() : 42711CB811A2E776
DEBUG: loader.c:123:MainProc(): Resolving address for VirtualFree() : A48AAA89565858F7
DEBUG: loader.c:127:MainProc(): Resolving address for RtlExitUserProcess() : 409F303B4F9FEB48
DEBUG: loader.c:140:MainProc(): VirtualAlloc : 00007FF843FD3F00 VirtualFree : 00007FF843FD4AE0
DEBUG: loader.c:142:MainProc(): Allocating 2409408 bytes of RW memory
DEBUG: loader.c:154:MainProc(): Copying 2409408 bytes of data to memory 000001C434D70000
DEBUG: loader.c:158:MainProc(): Zero initializing PDONUT_ASSEMBLY
DEBUG: loader.c:167:MainProc(): Decrypting 2409408 bytes of instance
DEBUG: loader.c:174:MainProc(): Generating hash to verify decryption
DEBUG: loader.c:176:MainProc(): Instance : 658304F9341DD20A | Result : 658304F9341DD20A
DEBUG: loader.c:183:MainProc(): Resolving LoadLibraryA
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ole32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF842420000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: oleaut32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded oleaut32.dll via LoadLibrary at 0x00007FF8444F0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: wininet.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded wininet.dll via LoadLibrary at 0x00007FF82C2F0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: mscoree.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded mscoree.dll via LoadLibrary at 0x00007FF8183B0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: shell32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded shell32.dll via LoadLibrary at 0x00007FF843680000
DEBUG: loader.c:203:MainProc(): Resolving 63 API
DEBUG: loader.c:206:MainProc(): Resolving API address for B8FEC1A5DF6AF617
DEBUG: loader.c:206:MainProc(): Resolving API address for 9B8273CBF1F8CB2F
DEBUG: loader.c:206:MainProc(): Resolving API address for 42711CB811A2E776
DEBUG: loader.c:206:MainProc(): Resolving API address for A48AAA89565858F7
DEBUG: loader.c:206:MainProc(): Resolving API address for EF553D8E03C74C82
DEBUG: loader.c:206:MainProc(): Resolving API address for 602366033C00A0B3
DEBUG: loader.c:206:MainProc(): Resolving API address for 6AD22F6136FB14FD
DEBUG: loader.c:206:MainProc(): Resolving API address for CBE439E0F37AAEBD
DEBUG: loader.c:206:MainProc(): Resolving API address for E77DFEC24629CF95
DEBUG: loader.c:206:MainProc(): Resolving API address for C48554C18E33252A
DEBUG: loader.c:206:MainProc(): Resolving API address for BE2B2A265E9C2258
DEBUG: loader.c:206:MainProc(): Resolving API address for 215C65924D68DAC7
DEBUG: loader.c:206:MainProc(): Resolving API address for B191D876400CD4BF
DEBUG: loader.c:206:MainProc(): Resolving API address for 8EC05CC4DA2114E1
DEBUG: loader.c:206:MainProc(): Resolving API address for D93339F4E5CC1A37
DEBUG: loader.c:206:MainProc(): Resolving API address for 9F62D868E859BFD9
DEBUG: loader.c:206:MainProc(): Resolving API address for 34EE41D5626FE262
DEBUG: loader.c:206:MainProc(): Resolving API address for D5ACF8EF8F896BE4
DEBUG: loader.c:206:MainProc(): Resolving API address for 960605E0A4B417B4
DEBUG: loader.c:206:MainProc(): Resolving API address for C946DBCF003DE294
DEBUG: loader.c:206:MainProc(): Resolving API address for 31A61E6288513978
DEBUG: loader.c:206:MainProc(): Resolving API address for 5C648D6AAB35D0CE
DEBUG: loader.c:206:MainProc(): Resolving API address for 583A6684749BB923
DEBUG: loader.c:206:MainProc(): Resolving API address for 9C3EDDC3EE852954
DEBUG: loader.c:206:MainProc(): Resolving API address for DDC4350C6E3413C9
DEBUG: loader.c:206:MainProc(): Resolving API address for 77D04F7F1E1717F0
DEBUG: loader.c:206:MainProc(): Resolving API address for FB2A4E7DA4C5FD23
DEBUG: loader.c:206:MainProc(): Resolving API address for 1276F5A840DAE095
DEBUG: loader.c:206:MainProc(): Resolving API address for 0FEDD0632D55374B
DEBUG: loader.c:206:MainProc(): Resolving API address for 7EC1B0F19AD7A299
DEBUG: loader.c:206:MainProc(): Resolving API address for C6C2A5020E5C1006
DEBUG: loader.c:206:MainProc(): Resolving API address for DC1FE6AF3D3E056D
DEBUG: loader.c:206:MainProc(): Resolving API address for 60B156584B2BC0F7
DEBUG: loader.c:206:MainProc(): Resolving API address for B5A6760D74A5F0A5
DEBUG: loader.c:206:MainProc(): Resolving API address for E4449831327088C2
DEBUG: loader.c:206:MainProc(): Resolving API address for 1679D62DD44DE558
DEBUG: loader.c:206:MainProc(): Resolving API address for 28F5894093B194AC
DEBUG: loader.c:206:MainProc(): Resolving API address for 065C9B4555AE1245
DEBUG: loader.c:206:MainProc(): Resolving API address for 6C0CA47E3A1642AD
DEBUG: loader.c:206:MainProc(): Resolving API address for FBEE4DC77784C8A4
DEBUG: loader.c:206:MainProc(): Resolving API address for E728F03A8EB8A0D8
DEBUG: loader.c:206:MainProc(): Resolving API address for 34086C47298D6BCB
DEBUG: loader.c:206:MainProc(): Resolving API address for B9357CE84A13D552
DEBUG: loader.c:206:MainProc(): Resolving API address for 977EFCAA7FDD0515
DEBUG: loader.c:206:MainProc(): Resolving API address for 85243C6FE59AE306
DEBUG: loader.c:206:MainProc(): Resolving API address for 5A63F1DD6D561D11
DEBUG: loader.c:206:MainProc(): Resolving API address for 7C5F848AE143FAE3
DEBUG: loader.c:206:MainProc(): Resolving API address for 242F8382755DBC7B
DEBUG: loader.c:206:MainProc(): Resolving API address for 71B8D50B695AB87E
DEBUG: loader.c:206:MainProc(): Resolving API address for F962773B547A060F
DEBUG: loader.c:206:MainProc(): Resolving API address for 46D80DA45C8ABE03
DEBUG: loader.c:206:MainProc(): Resolving API address for DE0C014F7C1B7967
DEBUG: loader.c:206:MainProc(): Resolving API address for 9B74A1977A276A8F
DEBUG: loader.c:206:MainProc(): Resolving API address for C0DA5CDA3F0E4F1B
DEBUG: loader.c:206:MainProc(): Resolving API address for 409F303B4F9FEB48
DEBUG: loader.c:206:MainProc(): Resolving API address for 6DDB7EC7337A30A1
DEBUG: loader.c:206:MainProc(): Resolving API address for 1D37073E82850F4E
DEBUG: loader.c:206:MainProc(): Resolving API address for AA377AAE3C5E2ABD
DEBUG: loader.c:206:MainProc(): Resolving API address for 4159309699554454
DEBUG: loader.c:206:MainProc(): Resolving API address for D44B82E52BC6F110
DEBUG: loader.c:206:MainProc(): Resolving API address for CE54C3360CC70AB9
DEBUG: loader.c:206:MainProc(): Resolving API address for 597C97A827799E9B
DEBUG: loader.c:238:MainProc(): Module is embedded.
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: amsi.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded amsi.dll via LoadLibrary at 0x00007FF8301B0000
DEBUG: bypass.c:103:DisableAMSI(): Length of AmsiScanBufferStub is 36 bytes.
DEBUG: bypass.c:113:DisableAMSI(): Overwriting AmsiScanBuffer
DEBUG: bypass.c:128:DisableAMSI(): Length of AmsiScanStringStub is 36 bytes.
DEBUG: bypass.c:138:DisableAMSI(): Overwriting AmsiScanString
DEBUG: loader.c:246:MainProc(): DisableAMSI OK
DEBUG: loader.c:252:MainProc(): DisableWLDP OK
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ntdll.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF844610000
DEBUG: bypass.c:383:DisableETW(): Overwriting EtwEventWrite
DEBUG: loader.c:258:MainProc(): DisableETW OK
DEBUG: loader.c:311:MainProc(): Checking type of module
DEBUG: inmem_pe.c:114:RunPE(): Creating section of size 3919872 (0x3bd000) bytes for file
DEBUG: inmem_pe.c:127:RunPE(): Creating section to store PE.
DEBUG: inmem_pe.c:128:RunPE(): Requesting section size: 3919872
DEBUG: inmem_pe.c:131:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:182:RunPE(): Mapping local view of section to store PE.
DEBUG: inmem_pe.c:184:RunPE(): View size: 3919872
DEBUG: inmem_pe.c:188:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:191:RunPE(): Mapped to address: 000001C4351B0000
DEBUG: inmem_pe.c:211:RunPE(): Copying Headers
DEBUG: inmem_pe.c:212:RunPE(): nt->FileHeader.SizeOfOptionalHeader: 240
DEBUG: inmem_pe.c:213:RunPE(): nt->OptionalHeader.SizeOfHeaders: 1024
DEBUG: inmem_pe.c:215:RunPE(): Copying first section
DEBUG: inmem_pe.c:216:RunPE(): Copying 1024 bytes
DEBUG: inmem_pe.c:219:RunPE(): DOS Signature (Magic): 00005a4d, 000001C4351B0000
DEBUG: inmem_pe.c:220:RunPE(): NT Signature: 4550, 000001C4351B0108
DEBUG: inmem_pe.c:222:RunPE(): Updating ImageBase to final base address
DEBUG: inmem_pe.c:224:RunPE(): Updated ImageBase: 1942216179712X
DEBUG: inmem_pe.c:226:RunPE(): Copying each section to memory: 000001C4351B0000
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .text
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x1000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x400
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x48
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x14D400
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .rdata
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x14F000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x14D800
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x18
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xEEE00
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .data
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x23E000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x23C600
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x80
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x1200
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .pdata
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3AE000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x23D800
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x0
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xC400
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: _RDATA
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3BB000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x249C00
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x92
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0x200
DEBUG: inmem_pe.c:244:RunPE(): Copied section name: .reloc
DEBUG: inmem_pe.c:245:RunPE(): Copied section source offset: 0x3BC000
DEBUG: inmem_pe.c:246:RunPE(): Copied section dest offset: 0x249E00
DEBUG: inmem_pe.c:247:RunPE(): Copied section absolute address: 0x0
DEBUG: inmem_pe.c:248:RunPE(): Copied section size: 0xE00
DEBUG: inmem_pe.c:251:RunPE(): Sections copied.
DEBUG: inmem_pe.c:254:RunPE(): Image Relocation Offset: 0x000001C2F51B0000
DEBUG: inmem_pe.c:257:RunPE(): Applying Relocations
DEBUG: inmem_pe.c:291:RunPE(): Processing the Import Table
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: ADVAPI32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF843F00000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: CRYPTBASE.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded CRYPTBASE.dll via LoadLibrary at 0x00007FF841160000
DEBUG: peb.c:67:FindReference(): Calling GetProcAddress(SystemFunction036)
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: KERNEL32.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 00007FF843FC0000
DEBUG: peb.c:187:xGetLibAddress(): Searching for DLL in PEB: dbghelp.dll
DEBUG: peb.c:213:xGetLibAddress(): Address of DLL: 0000000000000000
DEBUG: peb.c:218:xGetLibAddress(): Dll not found. Loaded dbghelp.dll via LoadLibrary at 0x00007FF833AF0000
DEBUG: inmem_pe.c:384:RunPE(): Wiping Headers from memory
DEBUG: inmem_pe.c:399:RunPE(): Unmapping temporary local view of section to persist changes.
DEBUG: inmem_pe.c:401:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:406:RunPE(): No relocation information present, so using preferred address...
DEBUG: inmem_pe.c:411:RunPE(): Mapping writecopy local view of section to execute PE.
DEBUG: inmem_pe.c:413:RunPE(): View size: 3919872
DEBUG: inmem_pe.c:414:RunPE(): NTSTATUS: 0
DEBUG: inmem_pe.c:417:RunPE(): Mapped to address: 000001C4351B0000
DEBUG: inmem_pe.c:422:RunPE(): Pre-marking module as WC to avoid padding between PE sections staying RWX.
DEBUG: inmem_pe.c:425:RunPE(): Setting permissions for each PE section
DEBUG: inmem_pe.c:458:RunPE(): Section name: .text
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x1000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4351B1000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x14E000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x20
DEBUG: inmem_pe.c:458:RunPE(): Section name: .rdata
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x14F000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4352FF000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xEF000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: .data
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x23E000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C4353EE000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x170000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x8
DEBUG: inmem_pe.c:458:RunPE(): Section name: .pdata
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3AE000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43555E000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xD000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: _RDATA
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3BB000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43556B000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0x1000
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:458:RunPE(): Section name: .reloc
DEBUG: inmem_pe.c:459:RunPE(): Section offset: 0x3BC000
DEBUG: inmem_pe.c:460:RunPE(): Section absolute address: 0x000001C43556C000
DEBUG: inmem_pe.c:461:RunPE(): Section size: 0xE00
DEBUG: inmem_pe.c:462:RunPE(): Section protections: 0x2
DEBUG: inmem_pe.c:469:RunPE(): Setting permissions of module headers to READONLY (4096 bytes)
DEBUG: inmem_pe.c:580:RunPE(): Executing entrypoint: 000001C435271F04
Hello,
First of all thank you for this amazing tool.
I'm struggling to create a shellcode from a binary compiled using the Crystal programming language (https://crystal-lang.org/). Crystal is a recent compiled language; as I understood it, the code is translated to LLVM and then compiled (using MSVC in my case) (ref: https://crystal-lang.org/2015/03/04/internals/).
Here is the source code of my Crystal program:
The code itself is working, and I tried with a "normal" C program and Donut is working fine. Here are all the steps I take:
1) I compile my Crystal binary using this command: `crystal.exe build -d .\test.cr`. This produces a binary called `test.exe`; this binary has a `.reloc` section, and I enabled the debug build using the `-d` flag.
2) I use donut like this: `.\donut.exe -i .\test.exe`. This gives me a file called `loader.bin`.
3) I then try to use this shellcode with the default shellcode runner: `.\inject_local.exe ..\loader.bin`, but no file is created.
If you want I can provide you a binary directly, and if you don't want to spend time on this issue I will understand; Crystal is not yet very well known, and I understand you will not try to support all languages of the world.
Regards.
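One detail in the loader log above is worth checking on the input itself: the report says the binary has a `.reloc` section, yet the loader later prints "No relocation information present, so using preferred address...". A section named `.reloc` is only a name; what a loader consults is the base-relocation entry (index 5) of the optional header's data directory, and a PE can have one without the other. The script below is an added diagnostic, not part of donut and not posted by the issue author; it parses PE headers with the standard library only and reports both facts side by side so they can be compared, which is also the check an analyst runs when triaging a sample that refuses to rebase. The two header-only images it runs on are constructed inside the block (no real code, no Crystal involved) and are not the `test.exe` from the issue.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def inspect_relocations(image: bytes) -> dict:
    """Parse the PE headers and return the facts a loader consults before it
    decides whether it can move (rebase) the image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (num_sections,) = struct.unpack_from("<H", image, file_hdr + 2)
    size_of_opt, characteristics = struct.unpack_from("<HH", image, file_hdr + 16)

    opt = file_hdr + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
        dirs = opt + 112                         # DataDirectory array (PE32+)
    elif magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
        dirs = opt + 96                          # DataDirectory array (PE32)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes

    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)

    # Section table follows the optional header; 40 bytes per entry, name first.
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + 40 * i
        sections.append(image[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))

    return {
        "image_base": image_base,
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_reloc_section": ".reloc" in sections,
        "reloc_dir_rva": reloc_rva,
        "reloc_dir_size": reloc_size,
        "has_reloc_directory": reloc_rva != 0 and reloc_size != 0,
    }


def can_be_rebased(info: dict) -> bool:
    """A loader can only move the image if relocation data is really present;
    a section merely named .reloc proves nothing on its own."""
    return info["has_reloc_directory"] and not info["relocs_stripped"]


def build_sample_pe(reloc_dir_rva: int, reloc_dir_size: int) -> bytes:
    """Constructed header-only PE32+ image (sample input for this example, no
    real code) with a .text and a .reloc section; only the base-relocation
    directory entry varies between the two cases demonstrated below."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    # Machine=x64, 2 sections, no symbols, 240-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)     # preferred ImageBase
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     reloc_dir_rva, reloc_dir_size)

    def section(name: bytes, va: int, size: int) -> bytes:
        hdr = bytearray(40)
        hdr[:len(name)] = name
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", hdr, 8, size, va, size, 0x400)
        return bytes(hdr)

    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
            + section(b".text", 0x1000, 0x100)
            + section(b".reloc", 0x3000, 0x10))


if __name__ == "__main__":
    cases = (("directory populated", build_sample_pe(0x3000, 0x10)),
             ("directory empty", build_sample_pe(0, 0)))
    for label, image in cases:
        info = inspect_relocations(image)
        print(f"{label}: .reloc section={info['has_reloc_section']}, "
              f"base-reloc directory={info['has_reloc_directory']}, "
              f"rebasable={can_be_rebased(info)}")
```

Run against a real file with `inspect_relocations(open(path, "rb").read())`; the second constructed case (a `.reloc` section present but an empty directory entry) is the combination that makes a loader fall back to the preferred ImageBase, so a report of `has_reloc_section=True, has_reloc_directory=False` is the first thing to look for when a binary that "has a .reloc section" still fails to load at an arbitrary address.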