Index ¶
- Constants
- Variables
- func BytesToUint32s(inbytes []byte) []uint32
- func Chaskey(masterKey []byte, data []byte) []byte
- func CreateInstance(config *DonutConfig) (*bytes.Buffer, error)
- func CreateModule(config *DonutConfig, inputFile *bytes.Buffer) error
- func DetectDotNet(filename string) (bool, string)
- func DownloadFile(url string) (*bytes.Buffer, error)
- func Encrypt(mk []byte, ctr []byte, data []byte) []byte
- func GenerateRandomBytes(count int) ([]byte, error)
- func Maru(input []byte, iv uint64) uint64
- func ROTR32(v uint32, n uint32) uint32
- func RandomString(len int) string
- func Sandwich(arch DonutArch, payload *bytes.Buffer) (*bytes.Buffer, error)
- func ShellcodeFromBytes(buf *bytes.Buffer, config *DonutConfig) (*bytes.Buffer, error)
- func ShellcodeFromFile(filename string, config *DonutConfig) (*bytes.Buffer, error)
- func ShellcodeFromURL(fileURL string, config *DonutConfig) (*bytes.Buffer, error)
- func Speck(mk []byte, p uint64) uint64
- func WriteField(w *bytes.Buffer, name string, i interface{})
- type API_IMPORT
- type DonutArch
- type DonutConfig
- type DonutInstance
- type DonutModule
- type InstanceType
- type ModuleType
Constants ¶
const (
	// CipherBlockLen - Chaskey Block Length in bytes (a 128-bit block).
	CipherBlockLen = uint32(128 / 8)
	// CipherKeyLen - Chaskey Key Length in bytes (a 128-bit key).
	CipherKeyLen = uint32(128 / 8)
)
const (
	// Entropy level: how much the generated instance is randomized.
	DONUT_ENTROPY_NONE    = 1 // don't use any entropy
	DONUT_ENTROPY_RANDOM  = 2 // use random names
	DONUT_ENTROPY_DEFAULT = 3 // use random names + symmetric encryption

	// Size limits of the fixed-width fields in DonutModule and DonutInstance.
	DONUT_MAX_PARAM   = 8   // maximum number of parameters passed to method
	DONUT_MAX_NAME    = 256 // width of the [DONUT_MAX_NAME]byte string fields
	DONUT_MAX_DLL     = 8   // maximum number of DLL supported by instance
	DONUT_MAX_URL     = 256 // width of DonutInstance.Url
	DONUT_MAX_MODNAME = 8
	DONUT_SIG_LEN     = 8 // 64-bit string to verify decryption ok
	DONUT_VER_LEN     = 32
	DONUT_DOMAIN_LEN  = 8

	// Maru hash parameters (Maru takes a uint64 iv and returns a uint64 hash).
	MARU_MAX_STR  = 64
	MARU_BLK_LEN  = 16
	MARU_HASH_LEN = 8
	MARU_IV_LEN   = 8

	// .NET CLR runtime version string.
	DONUT_RUNTIME_NET4 = "v4.0.30319"

	// Names of the Windows DLLs referenced by the loader.
	NTDLL_DLL    = "ntdll.dll"
	KERNEL32_DLL = "kernel32.dll"
	SHELL32_DLL  = "shell32.dll"
	ADVAPI32_DLL = "advapi32.dll"
	CRYPT32_DLL  = "crypt32.dll"
	MSCOREE_DLL  = "mscoree.dll"
	OLE32_DLL    = "ole32.dll"
	OLEAUT32_DLL = "oleaut32.dll"
	WININET_DLL  = "wininet.dll"
	COMBASE_DLL  = "combase.dll"
	USER32_DLL   = "user32.dll"
	SHLWAPI_DLL  = "shlwapi.dll"
)
const (
	// Payload kinds accepted in DonutConfig.Type.
	// NOTE(review): only DONUT_MODULE_NET_DLL carries the ModuleType type; the
	// remaining values are untyped integer constants (no iota), so they convert
	// implicitly wherever a ModuleType or a uint32 is expected.
	DONUT_MODULE_NET_DLL ModuleType = 1 // .NET DLL. Requires class and method
	DONUT_MODULE_NET_EXE            = 2 // .NET EXE. Executes Main if no class and method provided
	DONUT_MODULE_DLL                = 3 // Unmanaged DLL, function is optional
	DONUT_MODULE_EXE                = 4 // Unmanaged EXE
	DONUT_MODULE_VBS                = 5 // VBScript
	DONUT_MODULE_JS                 = 6 // JavaScript or JScript
	DONUT_MODULE_XSL                = 7 // XSL with JavaScript/JScript or VBscript embedded
)
Variables ¶
var LOADER_EXE_X64 = []byte{}/* 10548 elements not displayed */
LOADER_EXE_X64 - stub for EXE PE files
var LOADER_EXE_X86 = []byte{}/* 9549 elements not displayed */
LOADER_EXE_X86 - stub for EXE PE files
Functions ¶
func BytesToUint32s ¶
BytesToUint32s - converts a byte slice to a slice of uint32s
func CreateInstance ¶
func CreateInstance(config *DonutConfig) (*bytes.Buffer, error)
CreateInstance - Creates the Donut Instance from Config
func CreateModule ¶
func CreateModule(config *DonutConfig, inputFile *bytes.Buffer) error
CreateModule - Creates the Donut Module from Config
func DetectDotNet ¶
DetectDotNet - returns true if the file is a .NET assembly; the second return value is the detected version string.
func DownloadFile ¶
DownloadFile downloads the content at a URL into a byte buffer
func GenerateRandomBytes ¶
GenerateRandomBytes : generates count random bytes and returns them as a []byte, along with any error from the random source
func RandomString ¶
RandomString - generates a random string of the given length
func Sandwich ¶
Sandwich - writes the donut prefix at the beginning (overwriting the payload's DOS header), then the payload, then the donut stub at the end
func ShellcodeFromBytes ¶
ShellcodeFromBytes - takes a PE as a byte buffer and turns it into shellcode
func ShellcodeFromFile ¶
func ShellcodeFromFile(filename string, config *DonutConfig) (*bytes.Buffer, error)
ShellcodeFromFile - loads a PE from a file and turns it into shellcode
func ShellcodeFromURL ¶
func ShellcodeFromURL(fileURL string, config *DonutConfig) (*bytes.Buffer, error)
ShellcodeFromURL - downloads a PE from a URL and turns it into shellcode
func WriteField ¶
Types ¶
type API_IMPORT ¶
type DonutConfig ¶
type DonutConfig struct {
	Arch       DonutArch     // target architecture of the generated shellcode (see DonutArch)
	Type       ModuleType    // kind of payload: one of the DONUT_MODULE_* constants
	InstType   InstanceType  // DONUT_INSTANCE_PIC (module embedded) or DONUT_INSTANCE_URL (module fetched from URL)
	Parameters string        // separated by , or ;
	Entropy    uint32        // one of the DONUT_ENTROPY_* levels; new in 0.9.3
	Thread     uint32        // run entrypoint of unmanaged EXE as a thread (see DonutModule.Thread)
	Compress   uint32        // compression engine selector (see DonutModule.Compress)
	Unicode    uint32        // convert command line to unicode for unmanaged DLL function (see DonutModule.Unicode)
	OEP        uint64        // original entrypoint (see DonutInstance.OEP)
	ExitOpt    uint32        // how the host process exits afterwards (see DonutInstance.ExitOpt)
	Format     uint32        // output format selector; accepted values are not documented on this page
	Domain     string        // .NET stuff: domain name to use for .NET EXE/DLL (see DonutModule.Domain)
	Class      string        // name of class and optional namespace for .NET EXE/DLL (see DonutModule.Cls)
	Method     string        // Used by Native DLL and .NET DLL: method to invoke, or api for unmanaged DLL
	Runtime    string        // runtime version for .NET EXE/DLL, e.g. DONUT_RUNTIME_NET4
	Bypass     int           // AMSI/WLDP bypass behaviour (see DonutInstance.Bypass)
	Module     *DonutModule  // presumably populated by CreateModule — confirm against caller
	ModuleName string        // module name
	URL        string        // staging server URL, used when InstType is DONUT_INSTANCE_URL
	ModuleMac  uint64        // MAC used to verify the module decrypted correctly (see DonutModule.Mac)
	ModuleData *bytes.Buffer // presumably the serialized module bytes — confirm against CreateModule
	Verbose    bool          // Enable/Disable verbose output
	// contains filtered or unexported fields
}
func DefaultConfig ¶
func DefaultConfig() *DonutConfig
DefaultConfig - returns a default donut config: x86+x64 architecture, native (unmanaged) EXE module
type DonutInstance ¶
type DonutInstance struct {
	Len uint32 // total size of instance
	//Key DonutCrypt // decrypts instance (32 bytes total = 16+16)
	KeyMk  [CipherKeyLen]byte   // master key (Chaskey, CipherKeyLen bytes)
	KeyCtr [CipherBlockLen]byte // counter + nonce (CipherBlockLen bytes)
	// NOTE(review): KeyMk and KeyCtr live in the cleartext head of the instance,
	// ahead of the "everything from here is encrypted" boundary below, so the
	// encryption only defeats static signatures; anyone holding the blob can
	// read the key and decrypt the tail.
	Iv      uint64     // the 64-bit initial value for maru hash
	Hash    [64]uint64 // holds up to 64 api hashes/addrs {api}
	ExitOpt uint32     // call RtlExitUserProcess to terminate the host process
	Entropy uint32     // indicates entropy option (one of DONUT_ENTROPY_*)
	OEP     uint64     // original entrypoint

	// everything from here is encrypted
	ApiCount uint32               // the 64-bit hashes of API required for instance to work (presumably the number of Hash entries in use)
	DllNames [DONUT_MAX_NAME]byte // a list of DLL strings to load, separated by semi-colon

	// Fixed strings looked up by the loader.
	Dataname   [8]byte  // ".data"
	Kernelbase [12]byte // "kernelbase"
	Amsi       [8]byte  // "amsi"
	Clr        [4]byte  // clr
	Wldp       [8]byte  // wldp

	CmdSyms [DONUT_MAX_NAME]byte // symbols related to command line
	ExitApi [DONUT_MAX_NAME]byte // exit-related API
	Bypass  uint32               // indicates behaviour of bypassing AMSI/WLDP

	// API names resolved for the bypass option above.
	WldpQuery      [32]byte // WldpQueryDynamicCodeTrust
	WldpIsApproved [32]byte // WldpIsClassInApprovedList
	AmsiInit       [16]byte // AmsiInitialize
	AmsiScanBuf    [16]byte // AmsiScanBuffer
	AmsiScanStr    [16]byte // AmsiScanString
	Wscript        [8]byte  // WScript
	Wscript_exe    [12]byte // wscript.exe

	XIID_IUnknown  uuid.UUID
	XIID_IDispatch uuid.UUID

	// GUID required to load .NET assemblies
	XCLSID_CLRMetaHost    uuid.UUID
	XIID_ICLRMetaHost     uuid.UUID
	XIID_ICLRRuntimeInfo  uuid.UUID
	XCLSID_CorRuntimeHost uuid.UUID
	XIID_ICorRuntimeHost  uuid.UUID
	XIID_AppDomain        uuid.UUID

	// GUID required to run VBS and JS files
	XCLSID_ScriptLanguage        uuid.UUID // vbs or js
	XIID_IHost                   uuid.UUID // wscript object
	XIID_IActiveScript           uuid.UUID // engine
	XIID_IActiveScriptSite       uuid.UUID // implementation
	XIID_IActiveScriptSiteWindow uuid.UUID // basic GUI stuff
	XIID_IActiveScriptParse32    uuid.UUID // parser
	XIID_IActiveScriptParse64    uuid.UUID

	Type uint32              // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
	Url  [DONUT_MAX_URL]byte // staging server hosting donut module
	Req  [8]byte             // just a buffer for "GET"

	Sig [DONUT_MAX_NAME]byte // string to hash
	Mac uint64               // to verify decryption ok (presumably Maru(Sig, Iv) — confirm in CreateInstance)

	// Key material for the module, which is encrypted separately from the instance.
	ModKeyMk  [CipherKeyLen]byte   // master key
	ModKeyCtr [CipherBlockLen]byte // counter + nonce
	Mod_len   uint64               // total size of module
}
func (*DonutInstance) WriteTo ¶
func (inst *DonutInstance) WriteTo(w *bytes.Buffer)
type DonutModule ¶
type DonutModule struct {
	ModType  uint32               // EXE, DLL, JS, VBS, XSL (a DONUT_MODULE_* value)
	Thread   uint32               // run entrypoint of unmanaged EXE as a thread
	Compress uint32               // indicates engine used for compression
	Runtime  [DONUT_MAX_NAME]byte // runtime version for .NET EXE/DLL (donut max name = 256)
	Domain   [DONUT_MAX_NAME]byte // domain name to use for .NET EXE/DLL
	Cls      [DONUT_MAX_NAME]byte // name of class and optional namespace for .NET EXE/DLL
	Method   [DONUT_MAX_NAME]byte // name of method to invoke for .NET DLL or api for unmanaged DLL
	Param    [DONUT_MAX_NAME]byte // string parameters for DLL/EXE (donut max parm = 8)
	Unicode  uint32               // convert command line to unicode for unmanaged DLL function
	Sig      [DONUT_SIG_LEN]byte  // random string to verify decryption
	Mac      uint64               // to verify decryption was ok
	Zlen     uint32               // compressed size of EXE/DLL/JS/VBS file
	Len      uint32               // size of EXE/DLL/XSL/JS/VBS file
	Data     [4]byte              // data of EXE/DLL/XSL/JS/VBS file
	// NOTE(review): Data is only 4 bytes wide; presumably the Len/Zlen bytes of the
	// actual file follow this fixed header when the module is serialized — confirm in WriteTo.
}
func (*DonutModule) WriteTo ¶
func (mod *DonutModule) WriteTo(w *bytes.Buffer)
type InstanceType ¶
// InstanceType selects how the instance obtains its module: embedded
// (DONUT_INSTANCE_PIC) or downloaded from a staging URL (DONUT_INSTANCE_URL).
type InstanceType int
const (
	// NOTE(review): only DONUT_INSTANCE_PIC carries the InstanceType type;
	// DONUT_INSTANCE_URL is an untyped integer constant (no iota).
	DONUT_INSTANCE_PIC InstanceType = 1 // Self-contained
	DONUT_INSTANCE_URL              = 2 // Download from remote server
)
type ModuleType ¶
// ModuleType identifies the kind of payload a DonutConfig describes;
// see the DONUT_MODULE_* constants for the accepted values.
type ModuleType int