TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

Covert PE payload allocation #69

Closed: TheWover closed 1 year ago

TheWover commented 3 years ago

Multiple people have requested that we use a more covert mechanism for loading PE payloads. For the next version of Donut, research options and choose one (or multiple and expose the options to the user). The current idea is to use Module Overloading / Phantom DLL Hollowing.

TheWover commented 1 year ago

Version 1.0 will feature Module Overloading with a decoy module on disk.