TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

Handle machine mismatch with IL_ONLY assemblies #126

Open jackullrich opened 1 year ago

jackullrich commented 1 year ago

Hello, thanks for creating donut.

I was running some x64 donut shellcode from the context of an IL Only (AnyCpu) PE32 .NET assembly on a 64-bit machine. The shellcode would not complete execution.

Digging a bit deeper, I discovered it was returning prematurely from here: https://github.com/TheWover/donut/blob/master/loader/inmem_pe.c#L107

IL Only images are PE32 on disk but may be transformed to PE32+ in memory by _CorValidateImage.

I have added a small fix to handle this case.

Thanks!
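The situation described in this PR, an IL-only (AnyCPU) assembly that is PE32 on disk yet may be presented as PE32+ once the CLR has mapped it on a 64-bit host, can be recognised from the on-disk headers alone. The following Python script is an added example for readers of this thread, not code from donut or from the PR author: it parses the COFF header, the optional header magic and the CLI (COR20) header flags, and flags the combination (PE32 magic, Machine=I386, ILONLY set, 32BITREQUIRED clear) for which a loader that compares only the on-disk machine field against the running process would mismatch. The PE and COR20 constants are the documented values from the PE/COFF and ECMA-335 specifications; the sample images are constructed in `build_minimal_pe` (single section, no real code) so the script runs offline, and it does not reproduce the in-memory transformation itself, only the on-disk predicate.

```python
import struct

# Constants from the PE/COFF and ECMA-335 (CLI header) specifications.
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2


def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def classify_image(data):
    """Return header facts that explain a possible on-disk/in-memory machine mismatch."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dir_off = 96                         # data directories start here in a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dir_off = 112                        # ...and here in PE32+ (ImageBase etc. are 8 bytes wide)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]   # NumberOfRvaAndSizes

    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    info = {"magic": "PE32" if magic == PE32_MAGIC else "PE32+",
            "machine": machine, "il_only": False, "any_cpu": False}
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        if clr_rva and clr_size:
            # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion,
            # MetaData (RVA, size), Flags  -> Flags sits at offset 16
            flags = struct.unpack_from("<I", data, rva_to_offset(sections, clr_rva) + 16)[0]
            info["il_only"] = bool(flags & COMIMAGE_FLAGS_ILONLY)
            info["any_cpu"] = info["il_only"] and not (flags & COMIMAGE_FLAGS_32BITREQUIRED)
    # The case the PR describes: an AnyCPU IL-only PE32 with Machine=I386. On a 64-bit host
    # the CLR may present it as PE32+ in memory, so a check against the on-disk magic or
    # machine field alone would reject a perfectly loadable image.
    info["pe32_but_may_load_as_pe32plus"] = (
        magic == PE32_MAGIC and machine == IMAGE_FILE_MACHINE_I386 and info["any_cpu"])
    return info


def build_minimal_pe(magic, machine, cor_flags=None):
    """Constructed sample: a single-section PE with an optional CLI header (not a real binary)."""
    opt_size, dir_off = (224, 96) if magic == PE32_MAGIC else (240, 112)
    sec_va, sec_raw, sec_size = 0x2000, 0x200, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)                 # NumberOfRvaAndSizes
    if cor_flags is not None:
        struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, sec_va, 72)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, sec_size, sec_va, sec_size, sec_raw)
    image = bytearray(sec_raw + sec_size)
    headers = dos + coff + opt + sec
    image[:len(headers)] = headers
    if cor_flags is not None:
        # cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData RVA, MetaData size, Flags
        struct.pack_into("<IHHIII", image, sec_raw, 72, 2, 5, 0, 0, cor_flags)
    return bytes(image)


if __name__ == "__main__":
    samples = [
        ("AnyCPU IL-only", build_minimal_pe(PE32_MAGIC, IMAGE_FILE_MACHINE_I386, COMIMAGE_FLAGS_ILONLY)),
        ("x86-only IL", build_minimal_pe(PE32_MAGIC, IMAGE_FILE_MACHINE_I386,
                                         COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_32BITREQUIRED)),
        ("native x64", build_minimal_pe(PE32PLUS_MAGIC, IMAGE_FILE_MACHINE_AMD64)),
    ]
    for label, img in samples:
        print(label, classify_image(img))
```

Run it against a real file by replacing the constructed samples with `classify_image(open(path, "rb").read())`; only the AnyCPU IL-only image should report `pe32_but_may_load_as_pe32plus`, which is the predicate a loader's machine check has to tolerate rather than treat as a mismatch.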

roachadam commented 1 year ago

good find

kiwids0220 commented 5 months ago

this just saved my life, it needs to be merged! 👍