Comments (15)
I'm not sure if this is the same issue, but I am able to reproduce the GCC vs MinGW issue. In my case, the shellcode created with MinGW/Windows donut.exe works but the shellcode created with GCC/Linux donut fails.
Generated via:
donut -a 2 -e 1 -s http://localhost:8080 my.dll
Build versions:
$ gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
$ x86_64-w64-mingw32-gcc --version
x86_64-w64-mingw32-gcc (GCC) 7.3-win32 20180312
And here's the output to dumpcfg for both versions:
PS > .\tools\dumpcfg.exe .\loader.bin.mingw
Length : 3664
Key : 00000000000000000000000000000000
CTR : 00000000000000000000000000000000
Maru IV : 0
Exit Opt : 1
OEP : 0000000000000000
API Count : 52
00 => 8322A3F655D252A0 is the hash for kernel32.dll!LoadLibraryA : OK
01 => 5F9A2F5A70159AF7 is the hash for kernel32.dll!GetProcAddress : OK
02 => ECEC2E0F77C1DF79 is the hash for kernel32.dll!GetModuleHandleA : OK
03 => 52622E8E2A03836A is the hash for kernel32.dll!VirtualAlloc : OK
04 => A0F99483877BBCC4 is the hash for kernel32.dll!VirtualFree : OK
05 => A6B3DEBBBD52F776 is the hash for kernel32.dll!VirtualQuery : OK
06 => E0206318E83E16F4 is the hash for kernel32.dll!VirtualProtect : OK
07 => 29407C7E01077DEF is the hash for kernel32.dll!Sleep : OK
08 => B2D46685A8D6CC8F is the hash for kernel32.dll!MultiByteToWideChar : OK
09 => 3D28AFB2AD9197E5 is the hash for kernel32.dll!GetUserDefaultLCID : OK
10 => C45F651AAFFB410B is the hash for kernel32.dll!WaitForSingleObject : OK
11 => A88D8A63D7D17933 is the hash for kernel32.dll!CreateThread : OK
12 => EDBBC13672C19CE4 is the hash for kernel32.dll!GetThreadContext : OK
13 => 6A2447B1BECC189C is the hash for kernel32.dll!GetCurrentThread : OK
14 => E6E2D0AA08292200 is the hash for kernel32.dll!GetCommandLineA : OK
15 => 1C7CF9F57FA86E3D is the hash for kernel32.dll!GetCommandLineW : OK
16 => F3848EC570838A21 is the hash for shell32.dll!CommandLineToArgvW : OK
17 => DFBD47E13EE13B10 is the hash for oleaut32.dll!SafeArrayCreate : OK
18 => BD77AF2569689C8A is the hash for oleaut32.dll!SafeArrayCreateVector : OK
19 => 8AD71499A1140B4D is the hash for oleaut32.dll!SafeArrayPutElement : OK
20 => 2082D640CCFD441B is the hash for oleaut32.dll!SafeArrayDestroy : OK
21 => 7046B02E03CE7D0C is the hash for oleaut32.dll!SafeArrayGetLBound : OK
22 => C1EB0C113A5660BA is the hash for oleaut32.dll!SafeArrayGetUBound : OK
23 => F3AC45C203C14CE0 is the hash for oleaut32.dll!SysAllocString : OK
24 => 733CE6F644E27222 is the hash for oleaut32.dll!SysFreeString : OK
25 => 3E3F0153FB195BEB is the hash for oleaut32.dll!LoadTypeLib : OK
26 => 908B117CC2EF66F9 is the hash for wininet.dll!InternetCrackUrlA : OK
27 => A146D290F7863A30 is the hash for wininet.dll!InternetOpenA : OK
28 => 57777DD39940F617 is the hash for wininet.dll!InternetConnectA : OK
29 => 9395C00826DDF250 is the hash for wininet.dll!InternetSetOptionA : OK
30 => D388820170E23FB1 is the hash for wininet.dll!InternetReadFile : OK
31 => 6A0E5F83356BF090 is the hash for wininet.dll!InternetCloseHandle : OK
32 => F66DD0723A6E8482 is the hash for wininet.dll!HttpOpenRequestA : OK
33 => 0B43C51621CD164B is the hash for wininet.dll!HttpSendRequestA : OK
34 => B872B6B717BFF247 is the hash for wininet.dll!HttpQueryInfoA : OK
35 => 957235ACDB519818 is the hash for mscoree.dll!CorBindToRuntime : OK
36 => 60111C8D1049452E is the hash for mscoree.dll!CLRCreateInstance : OK
37 => 121D46593E41D827 is the hash for ole32.dll!CoInitializeEx : OK
39 => E9A80D05EE05D859 is the hash for ole32.dll!CoUninitialize : OK
40 => 453737D2E7D0F769 is the hash for ntdll.dll!RtlEqualUnicodeString : OK
41 => 439713CC2F516036 is the hash for ntdll.dll!RtlEqualString : OK
42 => C7B512E9E2D2F84F is the hash for ntdll.dll!RtlUnicodeStringToAnsiString : OK
43 => 2992DE171F478173 is the hash for ntdll.dll!RtlInitUnicodeString : OK
44 => 8C914E01296AFCA9 is the hash for ntdll.dll!RtlExitUserThread : OK
45 => B2038712DAAC1A44 is the hash for ntdll.dll!RtlExitUserProcess : OK
46 => 8EDF30B20BC8A076 is the hash for ntdll.dll!RtlCreateUnicodeString : OK
47 => 5FD236D633BA0134 is the hash for ntdll.dll!RtlGetCompressionWorkSpaceSize : OK
48 => 0CF4EFF0BA940F2B is the hash for ntdll.dll!RtlDecompressBuffer : OK
49 => B0C67F05012616EC is the hash for ntdll.dll!NtContinue : OK
50 => 2B187C9F4F529D96 is the hash for kernel32.dll!AddVectoredExceptionHandler : OK
51 => 0989367F9B2F00CE is the hash for kernel32.dll!RemoveVectoredExceptionHandler : OK
sizeof(DONUT_INSTANCE) : 3664
sizeof(ULONG_PTR) : 8
RtlExitUserProcess index : 45
Hashes match OK
PS > .\tools\dumpcfg.exe .\loader.bin.gcc
Length : 3664
Key : 00000000000000000000000000000000
CTR : 00000000000000000000000000000000
Maru IV : 0
Exit Opt : 1
OEP : 0000000000000000
API Count : 52
00 => 8322A3F655D252A0 is the hash for kernel32.dll!LoadLibraryA : OK
01 => 5F9A2F5A70159AF7 is the hash for kernel32.dll!GetProcAddress : OK
02 => ECEC2E0F77C1DF79 is the hash for kernel32.dll!GetModuleHandleA : OK
03 => 52622E8E2A03836A is the hash for kernel32.dll!VirtualAlloc : OK
04 => A0F99483877BBCC4 is the hash for kernel32.dll!VirtualFree : OK
05 => A6B3DEBBBD52F776 is the hash for kernel32.dll!VirtualQuery : OK
06 => E0206318E83E16F4 is the hash for kernel32.dll!VirtualProtect : OK
07 => 29407C7E01077DEF is the hash for kernel32.dll!Sleep : OK
08 => B2D46685A8D6CC8F is the hash for kernel32.dll!MultiByteToWideChar : OK
09 => 3D28AFB2AD9197E5 is the hash for kernel32.dll!GetUserDefaultLCID : OK
10 => C45F651AAFFB410B is the hash for kernel32.dll!WaitForSingleObject : OK
11 => A88D8A63D7D17933 is the hash for kernel32.dll!CreateThread : OK
12 => EDBBC13672C19CE4 is the hash for kernel32.dll!GetThreadContext : OK
13 => 6A2447B1BECC189C is the hash for kernel32.dll!GetCurrentThread : OK
14 => E6E2D0AA08292200 is the hash for kernel32.dll!GetCommandLineA : OK
15 => 1C7CF9F57FA86E3D is the hash for kernel32.dll!GetCommandLineW : OK
16 => F3848EC570838A21 is the hash for shell32.dll!CommandLineToArgvW : OK
17 => DFBD47E13EE13B10 is the hash for oleaut32.dll!SafeArrayCreate : OK
18 => BD77AF2569689C8A is the hash for oleaut32.dll!SafeArrayCreateVector : OK
19 => 8AD71499A1140B4D is the hash for oleaut32.dll!SafeArrayPutElement : OK
20 => 2082D640CCFD441B is the hash for oleaut32.dll!SafeArrayDestroy : OK
21 => 7046B02E03CE7D0C is the hash for oleaut32.dll!SafeArrayGetLBound : OK
22 => C1EB0C113A5660BA is the hash for oleaut32.dll!SafeArrayGetUBound : OK
23 => F3AC45C203C14CE0 is the hash for oleaut32.dll!SysAllocString : OK
24 => 733CE6F644E27222 is the hash for oleaut32.dll!SysFreeString : OK
25 => 3E3F0153FB195BEB is the hash for oleaut32.dll!LoadTypeLib : OK
26 => 908B117CC2EF66F9 is the hash for wininet.dll!InternetCrackUrlA : OK
27 => A146D290F7863A30 is the hash for wininet.dll!InternetOpenA : OK
28 => 57777DD39940F617 is the hash for wininet.dll!InternetConnectA : OK
29 => 9395C00826DDF250 is the hash for wininet.dll!InternetSetOptionA : OK
30 => D388820170E23FB1 is the hash for wininet.dll!InternetReadFile : OK
31 => 6A0E5F83356BF090 is the hash for wininet.dll!InternetCloseHandle : OK
32 => F66DD0723A6E8482 is the hash for wininet.dll!HttpOpenRequestA : OK
33 => 0B43C51621CD164B is the hash for wininet.dll!HttpSendRequestA : OK
34 => B872B6B717BFF247 is the hash for wininet.dll!HttpQueryInfoA : OK
35 => 957235ACDB519818 is the hash for mscoree.dll!CorBindToRuntime : OK
36 => 60111C8D1049452E is the hash for mscoree.dll!CLRCreateInstance : OK
37 => 121D46593E41D827 is the hash for ole32.dll!CoInitializeEx : OK
38 => 2D5F94E307433D52 is the hash for ole32.dll!CoCreateInstance : OK
39 => E9A80D05EE05D859 is the hash for ole32.dll!CoUninitialize : OK
40 => 453737D2E7D0F769 is the hash for ntdll.dll!RtlEqualUnicodeString : OK
41 => 439713CC2F516036 is the hash for ntdll.dll!RtlEqualString : OK
42 => C7B512E9E2D2F84F is the hash for ntdll.dll!RtlUnicodeStringToAnsiString : OK
43 => 2992DE171F478173 is the hash for ntdll.dll!RtlInitUnicodeString : OK
44 => 8C914E01296AFCA9 is the hash for ntdll.dll!RtlExitUserThread : OK
45 => B2038712DAAC1A44 is the hash for ntdll.dll!RtlExitUserProcess : OK
46 => 8EDF30B20BC8A076 is the hash for ntdll.dll!RtlCreateUnicodeString : OK
47 => 5FD236D633BA0134 is the hash for ntdll.dll!RtlGetCompressionWorkSpaceSize : OK
48 => 0CF4EFF0BA940F2B is the hash for ntdll.dll!RtlDecompressBuffer : OK
49 => B0C67F05012616EC is the hash for ntdll.dll!NtContinue : OK
50 => 2B187C9F4F529D96 is the hash for kernel32.dll!AddVectoredExceptionHandler : OK
51 => 0989367F9B2F00CE is the hash for kernel32.dll!RemoveVectoredExceptionHandler : OK
sizeof(DONUT_INSTANCE) : 3664
sizeof(ULONG_PTR) : 8
RtlExitUserProcess index : 45
Hashes match OK
from donut.
Well I had the same issues using the generated shellcode from donut on Linux, if that ever helps.
from donut.
For what it's worth, I'm having a similar problem. Using the dev
branch and the same .NET Assembly (DemoCreateProcess), generating shellcode on Windows works fine while shellcode generated on Linux crashes the host process.
I have a very different version of mingw than @lesnuages , though.
COLLECT_GCC=x86_64-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-w64-mingw32/7.3-win32/lto-wrapper
Target: x86_64-w64-mingw32
Configured with: ../../src/configure --build=x86_64-linux-gnu --prefix=/usr --includedir='/usr/include' --mandir='/usr/share/man' --infodir='/usr/share/info' --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir='/usr/lib/x86_64-linux-gnu' --libexecdir='/usr/lib/x86_64-linux-gnu' --disable-maintainer-mode --disable-dependency-tracking --prefix=/usr --enable-shared --enable-static --disable-multilib --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --libdir=/usr/lib --enable-libstdcxx-time=yes --with-tune=generic --with-headers=/usr/x86_64-w64-mingw32/include --enable-version-specific-runtime-libs --enable-fully-dynamic-string --enable-libgomp --enable-languages=c,c++,fortran,objc,obj-c++,ada --enable-lto --with-plugin-ld --enable-threads=win32 --program-suffix=-win32 --program-prefix=x86_64-w64-mingw32- --target=x86_64-w64-mingw32 --with-as=/usr/bin/x86_64-w64-mingw32-as --with-ld=/usr/bin/x86_64-w64-mingw32-ld --enable-libatomic --enable-libstdcxx-filesystem-ts=yes
Thread model: win32
gcc version 7.3-win32 20180312 (GCC)
from donut.
Thanks for the issue. Will test and see if I can reproduce.
from donut.
For what it's worth, I used the same options and file, then injected loader.bin into notepad. Two instances of calc.exe were created, so I'm not sure what the problem is. EDIT: Did you build from master yourself? Did you use MSVC 2019 for this?
from donut.
I built from master on Linux, using make debug -f Makefile.mingw
.
Here's the version I have
x86_64-w64-mingw32-gcc -v
Using built-in specs.
COLLECT_GCC=x86_64-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-w64-mingw32/9.2.1/lto-wrapper
Target: x86_64-w64-mingw32
Configured with: ../configure --prefix=/usr --bindir=/usr/bin --includedir=/usr/include --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --with-gnu-as --with-gnu-ld --verbose --without-newlib --disable-multilib --disable-plugin --with-system-zlib --disable-nls --without-included-gettext --disable-win32-registry --enable-languages=c,c++,objc,obj-c++,fortran --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-threads=posix --with-cloog --enable-libgomp --target=x86_64-w64-mingw32 --with-sysroot=/usr/x86_64-w64-mingw32/sys-root --with-gxx-include-dir=/usr/x86_64-w64-mingw32/sys-root/mingw/include/c++
Thread model: posix
gcc version 9.2.1 20190827 (Fedora MinGW 9.2.1-1.fc31) (GCC)
from donut.
Any chance you can attach loader.bin generated with DemoCreateProcess.dll ?
from donut.
Sure, here you go:
loader.bin.zip
from donut.
It's some problem related to compiling with MingW that I haven't noticed before. Looking into it.
from donut.
I'm not sure what the problem is at the moment. This is what I have on Debian, installed from packages.
Using built-in specs.
COLLECT_GCC=x86_64-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-w64-mingw32/6.3-win32/lto-wrapper
Target: x86_64-w64-mingw32
Configured with: ../../src/configure --build=x86_64-linux-gnu --prefix=/usr --includedir='/usr/include' --mandir='/usr/share/man' --infodir='/usr/share/info' --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir='/usr/lib/x86_64-linux-gnu' --libexecdir='/usr/lib/x86_64-linux-gnu' --disable-maintainer-mode --disable-dependency-tracking --prefix=/usr --enable-shared --enable-static --disable-multilib --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --libdir=/usr/lib --enable-libstdcxx-time=yes --with-tune=generic --enable-version-specific-runtime-libs --enable-fully-dynamic-string --enable-libgomp --enable-languages=c,c++,fortran,objc,obj-c++ --enable-lto --with-plugin-ld --enable-threads=win32 --program-suffix=-win32 --program-prefix=x86_64-w64-mingw32- --target=x86_64-w64-mingw32 --with-as=/usr/bin/x86_64-w64-mingw32-as --with-ld=/usr/bin/x86_64-w64-mingw32-ld --enable-libatomic
Thread model: win32
gcc version 6.3.0 20170516 (GCC)
It works fine with my version of MingW, so I'm wondering about the build of GCC you both have installed. Was it built from source/repo? When I debugged the loader uploaded by @lesnuages RtlInitUnicodeString was initialized instead of RtlExitUserProcess.
That leads me to think it's related to the size of ULONG_PTR or..the structure is not aligned by 8 bytes even though -fpack-struct=8 is specified.
len is defined as uint32_t at the start of the DONUT_INSTANCE structure in include/donut.h. What happens if you change this to uint64_t and recompile everything? I'll try getting the version you have installed.
from donut.
Try compiling and running this against the loader you generated.
dumpcfg.c.gz
Here's what I get:
c:\donut>dumpcfg loader.bin
Length : 8576
Key : 00000000000000000000000000000000
CTR : 00000000000000000000000000000000
Maru IV : 0
Exit Opt : 1
OEP : 0000000000000000
API Count : 52
00 => 8322A3F655D252A0 is the hash for kernel32.dll!LoadLibraryA : OK
01 => 5F9A2F5A70159AF7 is the hash for kernel32.dll!GetProcAddress : OK
02 => ECEC2E0F77C1DF79 is the hash for kernel32.dll!GetModuleHandleA : OK
03 => 52622E8E2A03836A is the hash for kernel32.dll!VirtualAlloc : OK
04 => A0F99483877BBCC4 is the hash for kernel32.dll!VirtualFree : OK
05 => A6B3DEBBBD52F776 is the hash for kernel32.dll!VirtualQuery : OK
06 => E0206318E83E16F4 is the hash for kernel32.dll!VirtualProtect : OK
07 => 29407C7E01077DEF is the hash for kernel32.dll!Sleep : OK
08 => B2D46685A8D6CC8F is the hash for kernel32.dll!MultiByteToWideChar : OK
09 => 3D28AFB2AD9197E5 is the hash for kernel32.dll!GetUserDefaultLCID : OK
10 => C45F651AAFFB410B is the hash for kernel32.dll!WaitForSingleObject : OK
11 => A88D8A63D7D17933 is the hash for kernel32.dll!CreateThread : OK
12 => EDBBC13672C19CE4 is the hash for kernel32.dll!GetThreadContext : OK
13 => 6A2447B1BECC189C is the hash for kernel32.dll!GetCurrentThread : OK
14 => E6E2D0AA08292200 is the hash for kernel32.dll!GetCommandLineA : OK
15 => 1C7CF9F57FA86E3D is the hash for kernel32.dll!GetCommandLineW : OK
16 => F3848EC570838A21 is the hash for shell32.dll!CommandLineToArgvW : OK
17 => DFBD47E13EE13B10 is the hash for oleaut32.dll!SafeArrayCreate : OK
18 => BD77AF2569689C8A is the hash for oleaut32.dll!SafeArrayCreateVector : OK
19 => 8AD71499A1140B4D is the hash for oleaut32.dll!SafeArrayPutElement : OK
20 => 2082D640CCFD441B is the hash for oleaut32.dll!SafeArrayDestroy : OK
21 => 7046B02E03CE7D0C is the hash for oleaut32.dll!SafeArrayGetLBound : OK
22 => C1EB0C113A5660BA is the hash for oleaut32.dll!SafeArrayGetUBound : OK
23 => F3AC45C203C14CE0 is the hash for oleaut32.dll!SysAllocString : OK
24 => 733CE6F644E27222 is the hash for oleaut32.dll!SysFreeString : OK
25 => 3E3F0153FB195BEB is the hash for oleaut32.dll!LoadTypeLib : OK
26 => 908B117CC2EF66F9 is the hash for wininet.dll!InternetCrackUrlA : OK
27 => A146D290F7863A30 is the hash for wininet.dll!InternetOpenA : OK
28 => 57777DD39940F617 is the hash for wininet.dll!InternetConnectA : OK
29 => 9395C00826DDF250 is the hash for wininet.dll!InternetSetOptionA : OK
30 => D388820170E23FB1 is the hash for wininet.dll!InternetReadFile : OK
31 => 6A0E5F83356BF090 is the hash for wininet.dll!InternetCloseHandle : OK
32 => F66DD0723A6E8482 is the hash for wininet.dll!HttpOpenRequestA : OK
33 => 0B43C51621CD164B is the hash for wininet.dll!HttpSendRequestA : OK
34 => B872B6B717BFF247 is the hash for wininet.dll!HttpQueryInfoA : OK
35 => 957235ACDB519818 is the hash for mscoree.dll!CorBindToRuntime : OK
36 => 60111C8D1049452E is the hash for mscoree.dll!CLRCreateInstance : OK
37 => 121D46593E41D827 is the hash for ole32.dll!CoInitializeEx : OK
38 => 2D5F94E307433D52 is the hash for ole32.dll!CoCreateInstance : OK
39 => E9A80D05EE05D859 is the hash for ole32.dll!CoUninitialize : OK
40 => 453737D2E7D0F769 is the hash for ntdll.dll!RtlEqualUnicodeString : OK
41 => 439713CC2F516036 is the hash for ntdll.dll!RtlEqualString : OK
42 => C7B512E9E2D2F84F is the hash for ntdll.dll!RtlUnicodeStringToAnsiString : OK
43 => 2992DE171F478173 is the hash for ntdll.dll!RtlInitUnicodeString : OK
44 => 8C914E01296AFCA9 is the hash for ntdll.dll!RtlExitUserThread : OK
45 => B2038712DAAC1A44 is the hash for ntdll.dll!RtlExitUserProcess : OK
46 => 8EDF30B20BC8A076 is the hash for ntdll.dll!RtlCreateUnicodeString : OK
47 => 5FD236D633BA0134 is the hash for ntdll.dll!RtlGetCompressionWorkSpaceSize : OK
48 => 0CF4EFF0BA940F2B is the hash for ntdll.dll!RtlDecompressBuffer : OK
49 => B0C67F05012616EC is the hash for ntdll.dll!NtContinue : OK
50 => 2B187C9F4F529D96 is the hash for kernel32.dll!AddVectoredExceptionHandler : OK
51 => 0989367F9B2F00CE is the hash for kernel32.dll!RemoveVectoredExceptionHandler : OK
sizeof(DONUT_INSTANCE) : 3664
sizeof(ULONG_PTR) : 8
RtlExitUserProcess index : 45
Hashes match OK
from donut.
Here's the output of debugging your loader. First API should be VirtualAlloc.
No problem there. Second should be VirtualFree
No problem there either. The third API should be RtlExitUserProcess (B2038712DAAC1A44), but as you can see, the hash for RtlInitUnicodeString (2992de171f478173) is used instead.
I have seen this kind of behavior in the past and it was usually the result of the donut generator and the loader using different structures. They were not in sync. That's what this looks like, but obviously that isn't the case here if you both experience the same problem.
I'll try get my hands on the version of MingW you're using, but right now I've no solution.
from donut.
Thanks for the investigation @odzhan, I'll try to have a look this weekend. I'm compiling from a Fedora 31, gcc installed from the Fedora repos, version is:
gcc --version
gcc (GCC) 9.2.1 20190827 (Red Hat 9.2.1-1)
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
MinGW is also installed from the Fedora repos. I'll test the dumpcfg
bin when I get sometime this weekend.
from donut.
Here you go:
PS C:\Users\lab\Desktop> .\dumpcfg.exe .\donut\loader.bin
Length : 8576
Key : 00000000000000000000000000000000
CTR : 00000000000000000000000000000000
Maru IV : 0
Exit Opt : 1
OEP : 0000000000000000
API Count : 52
00 => 8322A3F655D252A0 is the hash for kernel32.dll!LoadLibraryA : OK
01 => 5F9A2F5A70159AF7 is the hash for kernel32.dll!GetProcAddress : OK
02 => ECEC2E0F77C1DF79 is the hash for kernel32.dll!GetModuleHandleA : OK
03 => 52622E8E2A03836A is the hash for kernel32.dll!VirtualAlloc : OK
04 => A0F99483877BBCC4 is the hash for kernel32.dll!VirtualFree : OK
05 => A6B3DEBBBD52F776 is the hash for kernel32.dll!VirtualQuery : OK
06 => E0206318E83E16F4 is the hash for kernel32.dll!VirtualProtect : OK
07 => 29407C7E01077DEF is the hash for kernel32.dll!Sleep : OK
08 => B2D46685A8D6CC8F is the hash for kernel32.dll!MultiByteToWideChar : OK
09 => 3D28AFB2AD9197E5 is the hash for kernel32.dll!GetUserDefaultLCID : OK
10 => C45F651AAFFB410B is the hash for kernel32.dll!WaitForSingleObject : OK
11 => A88D8A63D7D17933 is the hash for kernel32.dll!CreateThread : OK
12 => EDBBC13672C19CE4 is the hash for kernel32.dll!GetThreadContext : OK
13 => 6A2447B1BECC189C is the hash for kernel32.dll!GetCurrentThread : OK
14 => E6E2D0AA08292200 is the hash for kernel32.dll!GetCommandLineA : OK
15 => 1C7CF9F57FA86E3D is the hash for kernel32.dll!GetCommandLineW : OK
16 => F3848EC570838A21 is the hash for shell32.dll!CommandLineToArgvW : OK
17 => DFBD47E13EE13B10 is the hash for oleaut32.dll!SafeArrayCreate : OK
18 => BD77AF2569689C8A is the hash for oleaut32.dll!SafeArrayCreateVector : OK
19 => 8AD71499A1140B4D is the hash for oleaut32.dll!SafeArrayPutElement : OK
20 => 2082D640CCFD441B is the hash for oleaut32.dll!SafeArrayDestroy : OK
21 => 7046B02E03CE7D0C is the hash for oleaut32.dll!SafeArrayGetLBound : OK
22 => C1EB0C113A5660BA is the hash for oleaut32.dll!SafeArrayGetUBound : OK
23 => F3AC45C203C14CE0 is the hash for oleaut32.dll!SysAllocString : OK
24 => 733CE6F644E27222 is the hash for oleaut32.dll!SysFreeString : OK
25 => 3E3F0153FB195BEB is the hash for oleaut32.dll!LoadTypeLib : OK
26 => 908B117CC2EF66F9 is the hash for wininet.dll!InternetCrackUrlA : OK
27 => A146D290F7863A30 is the hash for wininet.dll!InternetOpenA : OK
28 => 57777DD39940F617 is the hash for wininet.dll!InternetConnectA : OK
29 => 9395C00826DDF250 is the hash for wininet.dll!InternetSetOptionA : OK
30 => D388820170E23FB1 is the hash for wininet.dll!InternetReadFile : OK
31 => 6A0E5F83356BF090 is the hash for wininet.dll!InternetCloseHandle : OK
32 => F66DD0723A6E8482 is the hash for wininet.dll!HttpOpenRequestA : OK
33 => 0B43C51621CD164B is the hash for wininet.dll!HttpSendRequestA : OK
34 => B872B6B717BFF247 is the hash for wininet.dll!HttpQueryInfoA : OK
35 => 957235ACDB519818 is the hash for mscoree.dll!CorBindToRuntime : OK
36 => 60111C8D1049452E is the hash for mscoree.dll!CLRCreateInstance : OK
37 => 121D46593E41D827 is the hash for ole32.dll!CoInitializeEx : OK
38 => 2D5F94E307433D52 is the hash for ole32.dll!CoCreateInstance : OK
39 => E9A80D05EE05D859 is the hash for ole32.dll!CoUninitialize : OK
40 => 453737D2E7D0F769 is the hash for ntdll.dll!RtlEqualUnicodeString : OK
41 => 439713CC2F516036 is the hash for ntdll.dll!RtlEqualString : OK
42 => C7B512E9E2D2F84F is the hash for ntdll.dll!RtlUnicodeStringToAnsiString : OK
43 => 2992DE171F478173 is the hash for ntdll.dll!RtlInitUnicodeString : OK
44 => 8C914E01296AFCA9 is the hash for ntdll.dll!RtlExitUserThread : OK
45 => B2038712DAAC1A44 is the hash for ntdll.dll!RtlExitUserProcess : OK
46 => 8EDF30B20BC8A076 is the hash for ntdll.dll!RtlCreateUnicodeString : OK
47 => 5FD236D633BA0134 is the hash for ntdll.dll!RtlGetCompressionWorkSpaceSize : OK
48 => 0CF4EFF0BA940F2B is the hash for ntdll.dll!RtlDecompressBuffer : OK
49 => B0C67F05012616EC is the hash for ntdll.dll!NtContinue : OK
50 => 2B187C9F4F529D96 is the hash for kernel32.dll!AddVectoredExceptionHandler : OK
51 => 0989367F9B2F00CE is the hash for kernel32.dll!RemoveVectoredExceptionHandler : OK
sizeof(DONUT_INSTANCE) : 3664
sizeof(ULONG_PTR) : 8
RtlExitUserProcess index : 45
Hashes match OK
from donut.
I suspect I am facing the same issue. From my naive attempt to debug it, I believe the problem is rooted in wrong offsets used in the generated shellcode. I was stepping through MainProc in x64dbg and noticed that some values (but not all) were not matching configuration.
Few more bits of observation:
- When I compile donut under linux using MinGW I experience problems with offsets.
- If I add
-fPIC -fPIE
intoMakefile.mingw
for lines compilingdonut.exe
, generated shellcode works as expected - If I compile using
gcc
- I experience problems with offsets - when building using gcc,
loader_exe_*.h
are not updated (I guess the only way to update them is to compile loader32/64.exe?) - when building using MinGW with
-fPIE -fPIC
, bothloader_exe_*.h
files changing completely - if I compile donut using gcc after both
loader_exe_*.h
files get updates, I still experience problem with offsets. - if I compile
donut.exe
using MinGW WITHOUT updatedloader_exe_*.h
files, I experience problem with offsets.
NOTE: I added -fPIC -fPIE
only to lines that compile donut.exe, not loaders' executables.
Hopefully, it might give a clue where to look next.... I am out of ideas :)
from donut.
Related Issues (20)
- Generated Shellcode from 0.9.3 does not work on Win7 HOT 1
- donut dll HOT 4
- Crystal binary not working HOT 1
- Fix compilation of test injectors with gcc
- Wrong donut.h in lib / release
- donut binary vmprotect packing not support HOT 1
- Not working with CobaltStrike payloads HOT 2
- Support for executables without relocation data HOT 2
- How does work on 32bit
- Huffman in version 1.0
- A generator written in pure Go, supporting Donut v1.0
- Add support for resources HOT 1
- TLS handling referencing the wrong headers
- shellcode gen with error?
- capturing stdout of a donut HOT 1
- Running donut only brings up help menu HOT 4
- Suggestion on encoding the loader HOT 1
- [Feature] - ARM64 support HOT 1
- Rsp adjustment breaks shellcode return HOT 1
- Files with SEH support HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from donut.