TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License

Add syscalls, improve relocation and TLS callbacks support #97

Closed S4ntiagoP closed 2 years ago

S4ntiagoP commented 2 years ago

Hello! I made a few contributions, almost exclusively to the loader and specifically to inmem_pe.c:

Added syscalls

Now direct system calls are used for most operations. Both x64 and x86 are supported (WoW64 is not).
I also deleted some of the APIs that are not used anymore, like VirtualAlloc (given that we now use their syscall counterparts like NtAllocateVirtualMemory).

Improved relocations support

I added support for more relocation "types", namely to:

This should increase the number of binaries that donut now supports.

Fixed bug in TLS callbacks

I found that nanodump failed while calling its TLS callbacks.
This was fixed by simply calling them after all the memory permissions have been properly set, so I simply moved the TLS logic further down the code.

Add support for binaries with no relocation information

If a binary does not have a relocation directory, then we simply load it on its preferred base address.
Fun fact, Cobalt Strike's beacon does not have a reloc directory, so donut now supports cobalt 😄

Fixed a few minor compiler bugs, including the python module

Nothing too special here

I hope you will consider adding these changes.
I absolutely love this project, truly amazing work!
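As an added analyst-side example (not code from this PR or from donut itself): a reader that walks a PE's base relocation directory, decodes the entry types, and reports whether the image has a relocation directory at all, which is the property the "no relocation information" change keys on. It assumes the image is already laid out as in memory (RVA == offset) and builds a constructed minimal PE32+ header for the demo rather than using a real binary.

```python
import struct

# IMAGE_REL_BASED_* type codes from the PE/COFF spec (common subset)
RELOC_TYPES = {0: "ABSOLUTE", 1: "HIGH", 2: "LOW", 3: "HIGHLOW", 4: "HIGHADJ", 10: "DIR64"}

def parse_relocations(image):
    """Walk the base relocation directory of a PE laid out as in memory (RVA == offset).
    Returns (image_base, has_reloc_dir, [(rva, type_name), ...]); ABSOLUTE padding is skipped."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # optional header follows the 20-byte file header
    if struct.unpack_from("<H", image, opt)[0] == 0x20B:  # PE32+ layout
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        dir_off = opt + 112
    else:                                                 # PE32 layout
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        dir_off = opt + 96
    reloc_rva, reloc_size = struct.unpack_from("<II", image, dir_off + 5 * 8)  # directory index 5
    entries = []
    if reloc_rva == 0 or reloc_size == 0:
        return image_base, False, entries                 # no .reloc: image only works at image_base
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8:
            break                                         # malformed block header, stop walking
        for off in range(pos + 8, min(pos + block_size, end), 2):
            entry = struct.unpack_from("<H", image, off)[0]
            typ, delta = entry >> 12, entry & 0xFFF       # high 4 bits: type, low 12 bits: page offset
            if typ != 0:
                entries.append((page_rva + delta, RELOC_TYPES.get(typ, "UNKNOWN_%d" % typ)))
        pos += block_size
    return image_base, True, entries

def build_image(with_relocs):
    """Constructed minimal PE32+ image for the demo (headers only, not a real binary)."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew -> NT headers at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)              # optional header magic: PE32+
    struct.pack_into("<Q", img, 0x98 + 24, 0x140000000)   # ImageBase (preferred load address)
    if with_relocs:
        struct.pack_into("<II", img, 0x98 + 112 + 40, 0x2000, 16)        # reloc directory RVA, size
        struct.pack_into("<II", img, 0x2000, 0x1000, 16)                 # one block for page 0x1000
        struct.pack_into("<HHHH", img, 0x2008, 0xA010, 0xA018, 0x3020, 0)  # DIR64, DIR64, HIGHLOW, pad
    return bytes(img)
```

An image where `has_reloc_dir` is False cannot be rebased, so a loader has to map it at `image_base` exactly as the PR describes for beacon-style binaries.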