Comments (6)
Maybe we would even want to hook LoadLibrary in the PE module so that it performs this logic too when dynamically loading modules?
An option to manually map those dependencies may also be nice. Definitely not something everyone would want, but would ensure you get 0 new modload events as a result of loading a PE. The manual mapping logic already exists in Donut.
Using Module Overloading / phantom DLL hollowing would take that a step further. Though at that point you do get modload events, just for decoy files rather than what you are actually loading. If we did this, the decoy module should be chosen from the list of already loaded modules. So that it looks like LoadLibrary was called on existing modules and doesn't generate any modload events for anomalous modules that the host process has never loaded before.
Keep in mind that if you never call LoadLibrary the reference count of the module will not be incremented and if FreeLibrary happens to get called on it.
Could just hook FreeLibrary to prevent it from unloading your modules. Point it to a list somewhere in memory that holds the list of modules it's not allowed to load.
@TheWover a simpler solution is just to query the module list every time you are thinking about doing a load and if the module is already loaded call LdrAddRefDll. You could also potentially manually increment LDR_DATA_TABLE_ENTRY->ReferenceCount which should prevent FreeLibrary from unloading the DLL, however, the loader adds references to the LDR_DDAG (dependency graph) so I'm not sure if this would be 100% stable.
Update: The original idea has been implemented in dev for v1.0. I may implement Dewera's comment and use LdrAddRefDLL. This is a note to myself to try this out before v1.0 release.