v0.9 Release

DemoCreateProcess/Class1.cs

@@ -0,0 +1,10 @@
+using System.Diagnostics;
+
+public class TestClass
+{
+    public static void RunProcess(string path, string path2)
+    {
+        Process.Start(path);
+        Process.Start(path2);
+    }
+}

DemoCreateProcess/DemoCreateProcess.csproj

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>DemoCreateProcess</RootNamespace>
+    <AssemblyName>DemoCreateProcess</AssemblyName>
+    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <Deterministic>true</Deterministic>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System"/>
+    
+    <Reference Include="System.Core"/>
+    <Reference Include="System.Xml.Linq"/>
+    <Reference Include="System.Data.DataSetExtensions"/>
+    
+    
+    <Reference Include="Microsoft.CSharp"/>
+    
+    <Reference Include="System.Data"/>
+    
+    <Reference Include="System.Net.Http"/>
+    
+    <Reference Include="System.Xml"/>
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Class1.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+ </Project>

DemoCreateProcess/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("DemoCreateProcess")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("DemoCreateProcess")]
+[assembly: AssemblyCopyright("Copyright ©  2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

DemoCreateProcess/Readme.md

@@ -0,0 +1,15 @@
+# DemoCreateProcess
+
+A simple C# program to use as a demo for testing shellcode. It takes two program names (such as notepad.exe,calc.exe) as parameters. You may generate shellcode for it using donut:
+
+64-bit:
+
+```
+.\donut.exe -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
+```
+
+32-bit:
+
+```
+.\donut.exe -a 1 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe 
+```

DemoCreateProcess/obj/Debug/DemoCreateProcess.csproj.CoreCompileInputs.cache

@@ -0,0 +1 @@
+20aa3d26a13fb1291e01472779ad5639d5ab4c7d

DemoCreateProcess/obj/Debug/DemoCreateProcess.csproj.FileListAbsolute.txt

@@ -0,0 +1,6 @@
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\bin\Debug\DemoCreateProcess.dll
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\bin\Debug\DemoCreateProcess.pdb
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Debug\DemoCreateProcess.csprojAssemblyReference.cache
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Debug\DemoCreateProcess.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Debug\DemoCreateProcess.dll
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Debug\DemoCreateProcess.pdb

DemoCreateProcess/obj/Release/DemoCreateProcess.csproj.CoreCompileInputs.cache

@@ -0,0 +1 @@
+20aa3d26a13fb1291e01472779ad5639d5ab4c7d

DemoCreateProcess/obj/Release/DemoCreateProcess.csproj.FileListAbsolute.txt

@@ -0,0 +1,5 @@
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\bin\Release\DemoCreateProcess.dll
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\bin\Release\DemoCreateProcess.pdb
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Release\DemoCreateProcess.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Release\DemoCreateProcess.dll
+C:\Users\Shawn\Documents\GitHub\donut\DemoCreateProcess\obj\Release\DemoCreateProcess.pdb

DonutTest/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
+    </startup>
+</configuration>

DonutTest/DonutTest.csproj

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>DonutTest</RootNamespace>
+    <AssemblyName>DonutTest</AssemblyName>
+    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <Deterministic>true</Deterministic>
+    <TargetFrameworkProfile />
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>

DonutTest/DonutTest.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28307.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DonutTest", "DonutTest.csproj", "{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "..\DemoCreateProcess\DemoCreateProcess.csproj", "{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {E91D143E-AB90-41D2-942F-D3F1DC8352F3}
+	EndGlobalSection
+EndGlobal

DonutTest/Hello.cs

@@ -0,0 +1,12 @@
+// A Hello World! program in C#.
+using System;
+namespace HelloWorld
+{
+    class Hello 
+    {
+        static void Main() 
+        {
+            Console.WriteLine("Hello World!");
+        }
+    }
+}

DonutTest/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("DonutTest")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("DonutTest")]
+[assembly: AssemblyCopyright("Copyright ©  2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("3c9a6b88-bed2-4ba8-964c-77ec29bf1846")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

DonutTest/Readme.md

@@ -0,0 +1,18 @@
+# DonutTest
+
+A simple C# shellcode remote injector to use in testing donut. It contains both x86 and x64 versions of the shellcode, determines the architecture of the target process, and then injects the appropriate version into that process with CreateRemoteThread. The shellcode must be Base64-encoded and dropped into the code as a string. This ensures that it can be run entirely from memory.
+
+You may Base64-encode your shellcode and copy it to your clipboard with the PowerShell below:
+
+```powershell
+$filename = "C:\\Test\donut\\payload.bin"
+[Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip
+```
+
+```
+Usage:
+
+DonutTest.exe [PID]
+
+If no PID is specified, then DonutTest will inject the shellcode into itself.
+```

DonutTest/bin/Debug/DonutTest.exe.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
+    </startup>
+</configuration>

DonutTest/bin/Release/DonutTest.exe.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
+    </startup>
+</configuration>

DonutTest/obj/Debug/DonutTest.csproj.CoreCompileInputs.cache

@@ -0,0 +1 @@
+f54cb5c37947e63828de93d9fb7ef57b09863163

DonutTest/obj/Debug/DonutTest.csproj.FileListAbsolute.txt

@@ -0,0 +1,14 @@
+C:\Users\Shawn\source\repos\DonutTest\bin\Debug\DonutTest.exe.config
+C:\Users\Shawn\source\repos\DonutTest\bin\Debug\DonutTest.exe
+C:\Users\Shawn\source\repos\DonutTest\bin\Debug\DonutTest.pdb
+C:\Users\Shawn\source\repos\DonutTest\obj\Debug\DonutTest.csprojAssemblyReference.cache
+C:\Users\Shawn\source\repos\DonutTest\obj\Debug\DonutTest.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\source\repos\DonutTest\obj\Debug\DonutTest.exe
+C:\Users\Shawn\source\repos\DonutTest\obj\Debug\DonutTest.pdb
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\bin\Debug\DonutTest.exe.config
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\bin\Debug\DonutTest.exe
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\bin\Debug\DonutTest.pdb
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Debug\DonutTest.csprojAssemblyReference.cache
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Debug\DonutTest.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Debug\DonutTest.exe
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Debug\DonutTest.pdb

DonutTest/obj/Debug/project.razor.json

@@ -0,0 +1,14 @@
+{
+  "ProjectFilePath": "c:\\Users\\Shawn\\Documents\\GitHub\\donut\\DonutTest\\DonutTest.csproj",
+  "TargetFramework": "v4.7.2",
+  "TagHelpers": [],
+  "Configuration": {
+    "ConfigurationName": "UnsupportedRazor",
+    "LanguageVersion": "1.0",
+    "Extensions": [
+      {
+        "ExtensionName": "UnsupportedRazorExtension"
+      }
+    ]
+  }
+}

DonutTest/obj/Release/DonutTest.csproj.CoreCompileInputs.cache

@@ -0,0 +1 @@
+f54cb5c37947e63828de93d9fb7ef57b09863163

DonutTest/obj/Release/DonutTest.csproj.FileListAbsolute.txt

@@ -0,0 +1,14 @@
+C:\Users\Shawn\source\repos\DonutTest\bin\Release\DonutTest.exe.config
+C:\Users\Shawn\source\repos\DonutTest\bin\Release\DonutTest.exe
+C:\Users\Shawn\source\repos\DonutTest\bin\Release\DonutTest.pdb
+C:\Users\Shawn\source\repos\DonutTest\obj\Release\DonutTest.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\source\repos\DonutTest\obj\Release\DonutTest.exe
+C:\Users\Shawn\source\repos\DonutTest\obj\Release\DonutTest.pdb
+C:\Users\Shawn\source\repos\DonutTest\obj\Release\DonutTest.csprojAssemblyReference.cache
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\bin\Release\DonutTest.exe.config
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\bin\Release\DonutTest.exe
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\bin\Release\DonutTest.pdb
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Release\DonutTest.csprojAssemblyReference.cache
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Release\DonutTest.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Release\DonutTest.exe
+C:\Users\Shawn\Documents\GitHub\donut\DonutTest\obj\Release\DonutTest.pdb

DonutTest/rundotnet.cpp

@@ -0,0 +1,146 @@
+/**
+  BSD 3-Clause License
+
+  Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are met:
+
+  * Redistributions of source code must retain the above copyright notice, this
+    list of conditions and the following disclaimer.
+
+  * Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+  * Neither the name of the copyright holder nor the names of its
+    contributors may be used to endorse or promote products derived from
+    this software without specific prior written permission.
+
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+  CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include <windows.h>
+#include <oleauto.h>
+#include <mscoree.h>
+#include <comdef.h>
+
+#include <cstdio>
+#include <cstdint>
+#include <cstring>
+#include <cstdlib>
+#include <sys/stat.h>
+
+#pragma comment(lib, "mscoree.lib")
+#import "mscorlib.tlb" raw_interfaces_only
+
+void rundotnet(void *code, size_t len) {
+    HRESULT                  hr;
+    ICorRuntimeHost          *icrh;
+    IUnknownPtr              iu;
+    mscorlib::_AppDomainPtr  ad;
+    mscorlib::_AssemblyPtr   as;
+    mscorlib::_MethodInfoPtr mi;
+    VARIANT                  v1, v2;
+    SAFEARRAY                *sa;
+    SAFEARRAYBOUND           sab;
+    
+    printf("CorBindToRuntime(ICorRuntimeHost).\n");    
+    hr = CorBindToRuntime(
+      NULL,  // load latest runtime version available
+      NULL,  // load workstation build
+      CLSID_CorRuntimeHost,
+      IID_ICorRuntimeHost,
+      (LPVOID*)&icrh);
+      
+    if(FAILED(hr)) return;
+    
+    printf("ICorRuntimeHost::Start()\n");
+    hr = icrh->Start();
+    if(SUCCEEDED(hr)) {
+      printf("ICorRuntimeHost::GetDefaultDomain()\n");
+      hr = icrh->GetDefaultDomain(&iu);
+      if(SUCCEEDED(hr)) {
+        printf("IUnknown::QueryInterface()\n");
+        hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
+        if(SUCCEEDED(hr)) {
+          sab.lLbound   = 0;
+          sab.cElements = len;
+          printf("SafeArrayCreate()\n");
+          sa = SafeArrayCreate(VT_UI1, 1, &sab);
+          if(sa != NULL) {
+            CopyMemory(sa->pvData, code, len);
+            printf("AppDomain::Load_3()\n");
+            hr = ad->Load_3(sa, &as);
+            if(SUCCEEDED(hr)) {
+              printf("Assembly::get_EntryPoint()\n");
+              hr = as->get_EntryPoint(&mi);
+              if(SUCCEEDED(hr)) {
+                v1.vt    = VT_NULL;
+                v1.plVal = NULL;
+                printf("MethodInfo::Invoke_3()\n");
+                hr = mi->Invoke_3(v1, NULL, &v2);
+                mi->Release();
+              }
+              as->Release();
+            }
+            SafeArrayDestroy(sa);
+          }
+          ad->Release();
+        }
+        iu->Release();
+      }
+      icrh->Stop();
+    }
+    icrh->Release();
+}
+
+int main(int argc, char *argv[])
+{
+    void *mem;
+    struct stat fs;
+    FILE *fd;
+    
+    if(argc != 2) {
+      printf("usage: rundotnet <.NET assembly>\n");
+      return 0;
+    }
+    
+    // 1. get the size of file
+    stat(argv[1], &fs);
+    
+    if(fs.st_size == 0) {
+      printf("file is empty.\n");
+      return 0;
+    }
+    
+    // 2. try open assembly
+    fd = fopen(argv[1], "rb");
+    if(fd == NULL) {
+      printf("unable to open \"%s\".\n", argv[1]);
+      return 0;
+    }
+    // 3. allocate memory 
+    mem = malloc(fs.st_size);
+    if(mem != NULL) {
+      // 4. read file into memory
+      fread(mem, 1, fs.st_size, fd);
+      // 5. run the program from memory
+      rundotnet(mem, fs.st_size);
+      // 6. free memory
+      free(mem);
+    }
+    // 7. close assembly
+    fclose(fd);
+    
+    return 0;
+}

LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -0,0 +1,9 @@
+donut:
+	gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c -odonut
+	gcc -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c
+	ar rcs lib/libdonut.a donut.o hash.o encrypt.o
+	gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o
+debug:
+	gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c -odonut
+clean:
+	rm *.o donut lib/libdonut.a lib/libdonut.so

Makefile.mingw

@@ -0,0 +1,6 @@
+donut:
+	x86_64-w64-mingw32-gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c -odonut.exe
+debug:
+	x86_64-w64-mingw32-gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c -odonut.exe
+clean:
+	rm donut.exe *.o

Makefile.msvc

@@ -0,0 +1,10 @@
+donut:
+  cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c
+  cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c
+  move donut.lib lib/donut.lib
+  move donut.exp lib/donut.exp
+  move donut.dll lib/donut.dll
+debug:
+  cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c
+clean:
+  del *.obj *.bin donut.exe lib/donut.exp lib/donut.lib lib/donut.dll

ModuleMonitor/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2019, TheWover
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

ModuleMonitor/ModuleMonitor.csproj

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{361C69F5-7885-4931-949A-B91EEAB170E3}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>ModuleMonitor</RootNamespace>
+    <AssemblyName>ModuleMonitor</AssemblyName>
+    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <Deterministic>true</Deterministic>
+    <TargetFrameworkProfile />
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ApplicationManifest>app.manifest</ApplicationManifest>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Management" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="app.config" />
+    <None Include="app.manifest" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>

ModuleMonitor/ModuleMonitor.csproj.user

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
+    <StartArguments>--clr-sentry</StartArguments>
+  </PropertyGroup>
+</Project>

ModuleMonitor/ModuleMonitor.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28307.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModuleMonitor", "ModuleMonitor.csproj", "{361C69F5-7885-4931-949A-B91EEAB170E3}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {B18C8887-D713-4379-A365-35C9C89A1C36}
+	EndGlobalSection
+EndGlobal

ModuleMonitor/Program.cs

@@ -0,0 +1,352 @@
+/*  Name: ModuleMonitor
+ * 
+ * 
+ * 
+ * 
+ * 
+ * 
+ */
+
+using System;
+using System.Linq;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Management;
+using System.Runtime.InteropServices;
+using System.Security.Principal;
+
+namespace CLRSentry
+{
+    class Program
+    {
+        //TODO: Rename projec to ModuleMonitor, and add a --clrssentry option to watch for CLR injection
+        static void Main(string[] args)
+        {
+            if (args.Contains("-h") || args.Contains("--help"))
+            {
+                PrintUsage();
+
+                Environment.Exit(0);
+            }
+
+
+            if (args.Contains("--clr-sentry"))
+            {
+                CLRSentry();
+            }
+            else
+            {
+  
+                MonitorModuleLoads();
+
+            }
+        }
+
+        /// <summary>
+        /// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace.
+        /// </summary>
+        public static void MonitorModuleLoads()
+        {
+            //Monitor without any filters
+            MonitorModuleLoads(new List<string>());
+        }
+
+        /// <summary>
+        /// Struct representing the WMI class Win32_ModuleLoadTrace 
+        /// </summary>
+        [StructLayout(LayoutKind.Sequential)]
+        public struct Win32_ModuleLoadTrace
+        {
+            public sbyte[] SECURITY_DESCRIPTOR;
+            public UInt64 TIME_CREATED;
+            public string FileName;
+            public UInt64 DefaultBase;
+            public UInt64 ImageBase;
+            public UInt32 ImageChecksum;
+            public UInt64 ImageSize;
+            public UInt32 ProcessID;
+            public UInt32 TimeDateSTamp;
+        }
+
+
+        /// <summary>
+        /// Overload of GetNextModuleLoad that does not require filters.
+        /// </summary>
+        /// <returns></returns>
+        public static Win32_ModuleLoadTrace GetNextModuleLoad()
+        {
+            return GetNextModuleLoad(new List<string>());
+        }
+
+
+        /// <summary>
+        /// Get the details of the next module load
+        /// </summary>
+        /// <param name="filters">Filenames to filter for.</param>
+        /// <returns></returns>
+        public static Win32_ModuleLoadTrace GetNextModuleLoad(List<string> filters)
+        {
+            Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
+
+            //Ideally, we would filter here to reduce the amount of events that we have to consume.
+            //However, we cannot use the WHERE clause because the 
+            var startWatch = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ModuleLoadTrace"));
+
+            ManagementBaseObject e = startWatch.WaitForNextEvent();
+
+            //Instead, we filter here, because it's easy and we're a bit lazy
+            if (filters.Count == 0 ^ filters.Contains(((ManagementBaseObject)e)["FileName"].ToString()))
+            {
+                if (((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"] != null)
+                    trace.SECURITY_DESCRIPTOR = (sbyte[])((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"];
+
+                if (((ManagementBaseObject)e)["TIME_CREATED"] != null)
+                    trace.TIME_CREATED = (UInt64)((ManagementBaseObject)e)["TIME_CREATED"];
+                
+                if (((ManagementBaseObject)e)["FileName"] != null)
+                    trace.FileName = (string)((ManagementBaseObject)e)["FileName"];
+
+                if (((ManagementBaseObject)e)["DefaultBase"] != null)
+                    trace.DefaultBase = (UInt64)((ManagementBaseObject)e)["DefaultBase"];
+
+                if (((ManagementBaseObject)e)["ImageBase"] != null)
+                    trace.ImageBase = (UInt64)((ManagementBaseObject)e)["ImageBase"];
+
+                if (((ManagementBaseObject)e)["ImageChecksum"] != null)
+                trace.ImageChecksum = (UInt32)((ManagementBaseObject)e)["ImageChecksum"];
+
+                if (((ManagementBaseObject)e)["ImageSize"] != null)
+                    trace.ImageSize = (UInt64)((ManagementBaseObject)e)["ImageSize"];
+
+                if (((ManagementBaseObject)e)["ProcessID"] != null)
+                    trace.ProcessID = (UInt32)((ManagementBaseObject)e)["ProcessID"];
+
+                if (((ManagementBaseObject)e)["TimeDateSTamp"] != null)
+                    trace.TimeDateSTamp = (UInt32)((ManagementBaseObject)e)["TimeDateSTamp"];
+
+                return trace;
+            }
+            else
+                return trace;
+        }
+
+        public static void CLRSentry()
+        {
+            //Sentries never sleep.
+            //UCMJ Article 113
+            /* Any sentinel or look-out who is found drunk or sleeping upon his post, 
+             * or leaves it before he is regularly relieved, shall be punished, 
+             * if the offense is committed in time of war, by death or such other punishment as a court-martial may direct, 
+             * by if the offense is committed at any other time, 
+             * by such punishment other than death as court-martial may direct.
+             */
+            while (true)
+            {
+                //Get the module load.
+                Win32_ModuleLoadTrace trace = GetNextModuleLoad();
+
+                //Split the 
+                string[] parts = trace.FileName.Split('\\');
+
+                //Check whether it is a .NET Runtime DLL
+                if (parts[parts.Length - 1].Contains("msco"))
+                {
+                    Process proc = Process.GetProcessById((int) trace.ProcessID);
+
+                    //Check if the file is a .NET Assembly
+                    if (!IsValidAssembly(proc.StartInfo.FileName))
+                    {
+                        //If it is not, then the CLR has been injected.
+                        Console.WriteLine();
+
+                        Console.WriteLine("[!] CLR Injection has been detected!");
+
+                        //Display information from the event
+                        Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID);
+                        Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
+
+                        DateTime time = new DateTime();
+                        DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
+                        time.ToLocalTime();
+
+                        //TODO: Time is printing strangley
+                        Console.WriteLine("{0,15} (Event)   TIME_CREATED: {1}", "[+]", time.ToString());
+                        //TODO: Convert to hex
+                        Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
+                        Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
+                        Console.WriteLine("{0,15} (Module)  FileName: {1}", "[+]", trace.FileName);
+                        Console.WriteLine("{0,15} (Module)  TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
+                        Console.WriteLine("{0,15} (Module)  ImageSize: {1}", "[+]", trace.ImageSize);
+                        Console.WriteLine("{0,15} (Module)  ImageChecksum: {1}", "[+]", trace.ImageChecksum);
+
+                        Console.WriteLine("{0,15} Additional Information:", "[>]");
+
+                        Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
+
+                        if (process != null)
+                        {
+
+                            Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
+                            Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
+                        }
+                    }
+                }
+            }
+        }
+
+        /// <summary>
+        /// Check if the file is a .NET Assembly by cheating and using the Reflection API's PE Parser.
+        /// 
+        /// https://stackoverflow.com/questions/36797939/how-to-test-whether-a-file-is-a-net-assembly-in-c-sharp
+        /// </summary>
+        /// <param name="path">The file to check</param>
+        /// <returns>True if a .NET Assembly, false if not. Hopefully.</returns>
+        public static bool IsValidAssembly(string path)
+        {
+            try
+            {
+                // Attempt to resolve the assembly
+                var assembly = System.Reflection.AssemblyName.GetAssemblyName(path);
+                // Nothing blew up, so it's an assembly
+                return true;
+            }
+            catch (Exception ex)
+            {
+                // Something went wrong, it is not an assembly (specifically a 
+                // BadImageFormatException will be thrown if it could be found
+                // but it was NOT a valid assembly
+                return false;
+            }
+        }
+
+
+        /// <summary>
+        /// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace. Optionally filter by module names.
+        /// </summary>
+        /// <param name="filters">A list of module names to filter for.</param>
+        public static void MonitorModuleLoads(List<string> filters)
+        {
+            Console.WriteLine("Monitoring Win32_ModuleLoadTrace...\n");
+
+            while (true)
+            {
+                Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
+                Win32_ModuleLoadTrace tracecomp = new Win32_ModuleLoadTrace();
+
+                //Get the details of the next module load
+                trace = GetNextModuleLoad(filters);
+
+                //If the trace is not empty
+                if (!trace.Equals(tracecomp))
+                {
+                    Console.WriteLine();
+
+                    //Display information from the event
+                    Console.WriteLine("[>] Process {0} has loaded a module:", trace.ProcessID);
+                    Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
+
+                    DateTime time = new DateTime();
+                    DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
+                    time.ToLocalTime();
+
+                    //TODO: Time is printing strangley
+                    Console.WriteLine("{0,15} (Event)   TIME_CREATED: {1}", "[+]", time.ToString());
+                    //TODO: Convert to hex
+                    Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
+                    Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
+                    Console.WriteLine("{0,15} (Module)  FileName: {1}", "[+]", trace.FileName);
+                    Console.WriteLine("{0,15} (Module)  TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
+                    Console.WriteLine("{0,15} (Module)  ImageSize: {1}", "[+]", trace.ImageSize);
+                    Console.WriteLine("{0,15} (Module)  ImageChecksum: {1}", "[+]", trace.ImageChecksum);
+
+                    Console.WriteLine("{0,15} Additional Information:", "[>]");
+
+                    Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
+
+                    if (process != null)
+                    {
+
+                        Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
+                        Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
+                    }
+                }
+            }
+        }
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
+        [DllImport("kernel32.dll", SetLastError = true)]
+        [return: MarshalAs(UnmanagedType.Bool)]
+        private static extern bool CloseHandle(IntPtr hObject);
+
+        /// <summary>
+        /// Gets the owner of a process.
+        /// 
+        /// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
+        /// </summary>
+        /// <param name="process">The process to inspect.</param>
+        /// <returns>The name of the user, or null if it could not be read.</returns>
+        public static string GetProcessUser(Process process)
+        {
+            IntPtr processHandle = IntPtr.Zero;
+            try
+            {
+                OpenProcessToken(process.Handle, 8, out processHandle);
+                WindowsIdentity wi = new WindowsIdentity(processHandle);
+                return wi.Name;
+            }
+            catch (Exception ex)
+            {
+                return ex.Message;
+            }
+            finally
+            {
+                if (processHandle != IntPtr.Zero)
+                {
+                    CloseHandle(processHandle);
+                }
+            }
+        }//end method
+
+
+        /// <summary>
+        /// Try to get the process by ID and return null if it no longer exists.
+        /// </summary>
+        /// <param name="id"></param>
+        /// <returns></returns>
+        private static Process SafeGetProcessByID(int id)
+        {
+            try
+            {
+                return Process.GetProcessById(id);
+
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        private static void PrintUsage()
+        {
+            Console.WriteLine();
+            Console.WriteLine("| Module Monitor [v0.1]");
+            Console.WriteLine("| Copyright (c) 2019 TheWover");
+            Console.WriteLine();
+
+            Console.WriteLine("Usage: ModuleMonitor.exe [--clr-sentry]");
+            Console.WriteLine();
+
+            Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
+            Console.WriteLine("{0,-5} {1,-20} {2}", "", "--clr-sentry", "Monitor for CLR injection.");
+            Console.WriteLine();
+
+            Console.WriteLine("Examples:");
+            Console.WriteLine();
+
+            Console.WriteLine("ModuleMonitor.exe");
+            Console.WriteLine("ModuleMonitor.exe --clr-monitor");
+            Console.WriteLine();
+        }
+    }//end class
+}//end namespace

ModuleMonitor/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("ModuleMonitor")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("ModuleMonitor")]
+[assembly: AssemblyCopyright("Copyright ©  2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("361c69f5-7885-4931-949a-b91eeab170e3")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

ModuleMonitor/README.md

@@ -0,0 +1,26 @@
+# ModuleMonitor
+
+Has its own repo at: https://github.com/TheWover/ModuleMonitor
+
+Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.
+
+The CLR Sentry option follows some simple logic: If a process loads the CLR, but the program is not a .NET program, then the CLR has been injected into it.
+
+While useful, there are both false positives and false negatives:
+
+* False Postiive: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will notice every unmanaged program that loads the CLR.  
+* False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So, no use of the Reflection API and not when donut is used to inject shellcode into managed processes.
+
+Please Note: This is intended only as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment. You perform the same logic with the ``` Image Load ``` event for Sysmon or ETW. They would be easier to scale and integrate with enterprise tooling.
+
+![Alt text](https://github.com/TheWover/donut/blob/master/ModuleMonitor/img/detected.png?raw=true "CLR Sentry detection")      
+
+# Usage
+
+```
+| Module Monitor [v0.1]
+| Copyright (c) 2019 TheWover
+
+Usage: ModuleMonitor.exe [--clr-sentry]
+
+```

ModuleMonitor/app.config

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup></configuration>

ModuleMonitor/app.manifest

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="utf-8"?>
+<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
+  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
+  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
+    <security>
+      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
+        <!-- UAC Manifest Options
+             If you want to change the Windows User Account Control level replace the 
+             requestedExecutionLevel node with one of the following.
+
+        <requestedExecutionLevel  level="asInvoker" uiAccess="false" />
+        <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />
+        <requestedExecutionLevel  level="highestAvailable" uiAccess="false" />
+
+            Specifying requestedExecutionLevel element will disable file and registry virtualization. 
+            Remove this element if your application requires this virtualization for backwards
+            compatibility.
+        -->
+        <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />
+      </requestedPrivileges>
+    </security>
+  </trustInfo>
+
+  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
+    <application>
+      <!-- A list of the Windows versions that this application has been tested on
+           and is designed to work with. Uncomment the appropriate elements
+           and Windows will automatically select the most compatible environment. -->
+
+      <!-- Windows Vista -->
+      <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
+
+      <!-- Windows 7 -->
+      <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
+
+      <!-- Windows 8 -->
+      <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
+
+      <!-- Windows 8.1 -->
+      <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
+
+      <!-- Windows 10 -->
+      <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
+
+    </application>
+  </compatibility>
+
+  <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
+       DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need 
+       to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should 
+       also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
+  <!--
+  <application xmlns="urn:schemas-microsoft-com:asm.v3">
+    <windowsSettings>
+      <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
+    </windowsSettings>
+  </application>
+  -->
+
+  <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
+  <!--
+  <dependency>
+    <dependentAssembly>
+      <assemblyIdentity
+          type="win32"
+          name="Microsoft.Windows.Common-Controls"
+          version="6.0.0.0"
+          processorArchitecture="*"
+          publicKeyToken="6595b64144ccf1df"
+          language="*"
+        />
+    </dependentAssembly>
+  </dependency>
+  -->
+
+</assembly>

ModuleMonitor/bin/Debug/ModuleMonitor.exe.config

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup></configuration>

ModuleMonitor/bin/Release/ModuleMonitor.exe.config

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup></configuration>

ModuleMonitor/obj/Debug/ModuleMonitor.csproj.CoreCompileInputs.cache

@@ -0,0 +1 @@
+660beec7e9eb7255f76ff95e28b2924ee2d1af08

ModuleMonitor/obj/Debug/ModuleMonitor.csproj.FileListAbsolute.txt

@@ -0,0 +1,14 @@
+C:\Users\Shawn\source\repos\ModuleMonitor\bin\Debug\ModuleMonitor.exe
+C:\Users\Shawn\source\repos\ModuleMonitor\bin\Debug\ModuleMonitor.pdb
+C:\Users\Shawn\source\repos\ModuleMonitor\obj\Debug\ModuleMonitor.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\source\repos\ModuleMonitor\obj\Debug\ModuleMonitor.exe
+C:\Users\Shawn\source\repos\ModuleMonitor\obj\Debug\ModuleMonitor.pdb
+C:\Users\Shawn\source\repos\ModuleMonitor\bin\Debug\ModuleMonitor.exe.config
+C:\Users\Shawn\source\repos\ModuleMonitor\obj\Debug\ModuleMonitor.csprojAssemblyReference.cache
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\bin\Debug\ModuleMonitor.exe.config
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\bin\Debug\ModuleMonitor.exe
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\bin\Debug\ModuleMonitor.pdb
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\obj\Debug\ModuleMonitor.csprojAssemblyReference.cache
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\obj\Debug\ModuleMonitor.csproj.CoreCompileInputs.cache
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\obj\Debug\ModuleMonitor.exe
+C:\Users\Shawn\Documents\GitHub\ModuleMonitor\obj\Debug\ModuleMonitor.pdb

ModuleMonitor/obj/Release/ModuleMonitor.csproj.CoreCompileInputs.cache

@@ -0,0 +1 @@
+660beec7e9eb7255f76ff95e28b2924ee2d1af08