initial attempt to address PR #83

This commit is contained in:
TheWover 2022-12-08 16:25:54 -05:00
parent 027031af95
commit bb10660375
6 changed files with 13 additions and 9 deletions


@ -60,7 +60,7 @@
<span style='color:#800000; font-weight:bold; '>int</span> format<span style='color:#800080; '>;</span> <span style='color:#696969; '>// output format for loader</span>
<span style='color:#800000; font-weight:bold; '>int</span> exit_opt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// return to caller or invoke RtlExitUserProcess to terminate the host process</span>
<span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API</span>
uint64_t oep<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original entrypoint of target host file</span>
uint32_t oep<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original entrypoint of target host file</span>
<span style='color:#696969; '>// files in/out</span>
<span style='color:#800000; font-weight:bold; '>char</span> input<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of input file to read and load in-memory</span>


@ -2220,7 +2220,7 @@ int main(int argc, char *argv[]) {
get_opt(argc, argv, OPT_TYPE_FLAG, &c.thread, "t", "thread", NULL);
get_opt(argc, argv, OPT_TYPE_FLAG, &c.unicode, "w", "unicode", NULL);
get_opt(argc, argv, OPT_TYPE_DEC, &c.exit_opt,"x", "exit", validate_exit);
get_opt(argc, argv, OPT_TYPE_HEX64, &c.oep, "y", "oep;fork", NULL);
get_opt(argc, argv, OPT_TYPE_HEX, &c.oep, "y", "oep;fork", NULL);
get_opt(argc, argv, OPT_TYPE_DEC, &c.compress,"z", "compress", NULL);
// no file? show usage and exit
@ -2313,7 +2313,7 @@ int main(int argc, char *argv[]) {
printf(" [ Shellcode : \"%s\"\n", c.output);
if(c.oep != 0) {
printf(" [ OEP : 0x%"PRIX64"\n", c.oep);
printf(" [ OEP : 0x%"PRIX32"\n", c.oep);
}
// if decoy supplied, display the path
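Review bot: The `-y` value now lands in a uint32_t field but the get_opt call still passes NULL in the validator slot (unlike `validate_exit` for `-x` two lines above), so a user-supplied hex value that does not fit in 32 bits — presumably possible if OPT_TYPE_HEX parses into a wider type before storing — would be truncated with no diagnostic; a validator that rejects values above UINT32_MAX would close that gap. The label printed in the second hunk also still says OEP although the value now denotes an RVA relative to the host image rather than an absolute entry point, so `printf(" [ OEP (RVA) : 0x%"PRIX32"\n", c.oep);` would make the output match the new meaning. Both hunks sit inside main, whose body extends beyond what is shown.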


@ -170,7 +170,7 @@ static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds)
}
// fork a new thread and execute address of original entry point
if(oep != NULL) {
c.oep = strtoull(oep, NULL, 16);
c.oep = strtoul(oep, NULL, 16);
}
// pack/compress input file
if(compress != 0) {
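Review bot: `c.oep = strtoul(oep, NULL, 16);` accepts any string without error checking and, on LP64 hosts where unsigned long is 64 bits, silently narrows values wider than 32 bits when stored into the uint32_t field. Parsing with an end pointer and errno, e.g. `errno = 0; char *end; unsigned long v = strtoul(oep, &end, 16);` followed by `if(end == oep || *end != '\0' || errno == ERANGE || v > UINT32_MAX) { /* report bad oep and fail */ }` before `c.oep = (uint32_t)v;`, would reject malformed or out-of-range input instead of handing a garbage RVA to the loader. How Donut_Create reports argument errors is not visible in the hunk, so the failure branch should follow whatever it does for its other arguments. Donut_Create continues beyond both edges of the hunk.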


@ -366,7 +366,7 @@ typedef struct _DONUT_INSTANCE {
int exit_opt; // 1 to call RtlExitUserProcess and terminate the host process, 2 to never exit or cleanup and block
int entropy; // indicates entropy level
uint64_t oep; // original entrypoint
uint32_t oep; // original entrypoint
// everything from here is encrypted
int api_cnt; // the 64-bit hashes of API required for instance to work
@ -448,7 +448,7 @@ typedef struct _DONUT_CONFIG {
int format; // output format for loader
int exit_opt; // return to caller, invoke RtlExitUserProcess to terminate the host process, or block indefinitely
int thread; // run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API
uint64_t oep; // original entrypoint of target host file
uint32_t oep; // original entrypoint of target host file
// files in/out
char input[DONUT_MAX_NAME]; // name of input file to read and load in-memory
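Review bot: The comment on the new `uint32_t oep;` in DONUT_INSTANCE (and on the DONUT_CONFIG copy in the second hunk) still reads `// original entrypoint`, but the loader change in this commit resolves the value with RVA2VA against the host module base, so the field now holds an RVA rather than an address. Suggested wording: `uint32_t oep; // RVA of the original entrypoint, relative to the host image base`; the same comment belongs on the DONUT_CONFIG copies in the other header and the rendered header of this commit. Since DONUT_INSTANCE is the layout the loader reads at runtime, shrinking this field also shifts the offset of every later member — fine while generator and loader are built from this header together, but an instance produced by an earlier build would no longer match. Both structs continue outside the hunks.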


@ -145,7 +145,7 @@ typedef struct _DONUT_CONFIG {
int format; // output format for loader
int exit_opt; // return to caller or invoke RtlExitUserProcess to terminate the host process
int thread; // run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API
uint64_t oep; // original entrypoint of target host file
uint32_t oep; // original entrypoint of target host file
// files in/out
char input[DONUT_MAX_NAME]; // name of input file to read and load in-memory


@ -41,6 +41,7 @@ HANDLE DonutLoader(PDONUT_INSTANCE inst) {
ULONG64 hash;
HANDLE h = NULL;
CONTEXT c;
LPVOID host;
DPRINT("sizeof(DONUT_INSTANCE) : %zu\n", sizeof(DONUT_INSTANCE));
DPRINT("offsetof(DONUT_INSTANCE, api) : %zu\n", offsetof(DONUT_INSTANCE, api));
@ -72,15 +73,18 @@ HANDLE DonutLoader(PDONUT_INSTANCE inst) {
DPRINT("Resolving address of GetCurrentThread");
hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.GetCurrentThread) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
_GetCurrentThread = (GetCurrentThread_t)xGetProcAddressByHash(inst, hash, inst->iv);
// get the base address of the host process's executable
host = inst->api.GetModuleHandle(NULL);
if(_NtContinue != NULL && _GetThreadContext != NULL && _GetCurrentThread != NULL) {
c.ContextFlags = CONTEXT_FULL;
_GetThreadContext(_GetCurrentThread(), &c);
#ifdef _WIN64
c.Rip = inst->oep;
c.Rip = RVA2VA(DWORD64, host, inst->oep);
c.Rsp &= -16;
#else
c.Eip = inst->oep;
c.Eip = RVA2VA(DWORD64, host, inst->oep);
c.Esp &= -4;
#endif
DPRINT("Calling NtContinue");
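Review bot: The 32-bit branch computes `c.Eip = RVA2VA(DWORD64, host, inst->oep);` — Eip is a DWORD, so the 64-bit result is narrowed on assignment; `c.Eip = RVA2VA(DWORD, host, inst->oep);` matches the register width (and mirrors the cast type Rip uses under _WIN64). The return of `inst->api.GetModuleHandle(NULL)` is also never checked: were it NULL, RVA2VA would yield the bare RVA and NtContinue would transfer control to an unmapped address, so widening the guard to `if(host != NULL && _NtContinue != NULL && _GetThreadContext != NULL && _GetCurrentThread != NULL) {` gives it the same failure path as an unresolved API. Beyond the NULL case nothing here ties the RVA to the host image — a value past the module's SizeOfImage (readable from the host's PE header, not shown) would likewise land outside the image, and a bounds check against it would make the new RVA contract self-validating. DonutLoader continues beyond both edges of the hunk.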