TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

Integrate Module Overloading #85

Closed TheWover closed 1 year ago

TheWover commented 3 years ago

Add an option to Donut that will use Module Overloading to map a PE payload into memory backed by a legit file on disk. Additionally, only copy the sections required so that the PE headers of the file on disk remain. That way the module overloading cannot be detected by comparing PE headers of files in memory to their file on disk. If the destroy option (whether to destroy PE headers) is off, then copy the payload's PE headers. Once the payload is mapped via module overloading, link it to the list of loaded modules via the PEB so that it cannot be detected by looking for modules in memory that are not in the list of loaded modules.
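The technique proposed above is aimed at a scanner that compares a module's in-memory PE headers with the file that backs it; a check that compares section bodies instead is not fooled by headers that were left in place. The following is an added example written from the defender's side (not Donut's code, and not from this issue's author): it builds a constructed, spec-shaped minimal PE in a byte buffer, simulates the overloaded mapping as plain slice copies, and shows the header comparison passing while the section comparison flags every replaced section. The `build_pe`, `parse_sections`, `headers_match`, `mismatched_sections` and `scan_overloaded_module` names, the PE images and the in-memory layout are all constructed stand-ins; only the header field offsets are the real PE/COFF ones.

```python
import struct
# Constructed minimal PE32+ layout (not a real binary); offsets follow the PE/COFF spec.
E_LFANEW, OPT_SIZE, FILE_ALIGN, SECT_ALIGN = 0x40, 0xF0, 0x200, 0x1000
SECT_TABLE, SIZE_OF_HEADERS = E_LFANEW + 24 + OPT_SIZE, E_LFANEW + 24 + 60  # 1st section hdr; SizeOfHeaders

def build_pe(sections):
    """Disk image from [(name, bytes)]: headers in the first FILE_ALIGN bytes, raw sections after."""
    hdr = bytearray(FILE_ALIGN)
    hdr[:2], hdr[E_LFANEW:E_LFANEW + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, E_LFANEW)
    struct.pack_into("<HH", hdr, E_LFANEW + 4, 0x8664, len(sections))  # Machine, NumberOfSections
    struct.pack_into("<H", hdr, E_LFANEW + 20, OPT_SIZE)               # SizeOfOptionalHeader
    struct.pack_into("<I", hdr, SIZE_OF_HEADERS, FILE_ALIGN)
    body, va = bytearray(), SECT_ALIGN
    for i, (name, data) in enumerate(sections):
        raw = data + b"\0" * (-len(data) % FILE_ALIGN)
        struct.pack_into("<8sIIII", hdr, SECT_TABLE + 40 * i,          # Name, VirtualSize, VirtualAddress,
                         name, len(data), va, len(raw), FILE_ALIGN + len(body))  # SizeOfRawData, PointerToRawData
        body += raw
        va += -(-len(raw) // SECT_ALIGN) * SECT_ALIGN
    return bytes(hdr + body)

def parse_sections(image):
    """Yield (name, VirtualAddress, SizeOfRawData, PointerToRawData) per section table entry."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    count, opt = struct.unpack_from("<H", image, pe + 6)[0], struct.unpack_from("<H", image, pe + 20)[0]
    for i in range(count):
        name, _, va, rawsz, ptr = struct.unpack_from("<8sIIII", image, pe + 24 + opt + 40 * i)
        yield name.rstrip(b"\0").decode(), va, rawsz, ptr

def headers_match(disk, mem):
    """The check the issue says overloading defeats: in-memory PE headers equal the file's own."""
    n = struct.unpack_from("<I", disk, SIZE_OF_HEADERS)[0]
    return disk[:n] == bytes(mem[:n])

def mismatched_sections(disk, mem):
    """Sections whose mapped bytes differ from the file's raw data; kept headers do not hide this."""
    return [n for n, va, rawsz, ptr in parse_sections(disk)
            if disk[ptr:ptr + rawsz] != bytes(mem[va:va + rawsz])]

def scan_overloaded_module():
    """Constructed scenario: legit file mapped, then only payload section bodies copied over it."""
    legit = build_pe([(b".text", b"\x90" * 64), (b".rdata", b"legit strings")])
    payload = build_pe([(b".text", b"\xcc" * 64), (b".rdata", b"payload strings")])
    secs = list(parse_sections(legit))
    mem = bytearray(max(va + sz for _, va, sz, _ in secs))
    mem[:FILE_ALIGN] = legit[:FILE_ALIGN]                # the file's own headers stay in memory
    for (_, va, _, _), (_, _, sz, ptr) in zip(secs, parse_sections(payload)):
        mem[va:va + sz] = payload[ptr:ptr + sz]          # section bodies replaced, headers not
    return headers_match(legit, mem), mismatched_sections(legit, mem)
```

A real scanner would read the mapped image out of the target process, restrict the comparison to read-only sections and account for relocations and import resolution, none of which this buffer-only model does; it also does not touch the PEB, so the module-list linking the issue goes on to describe is a separate check.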