Packages and Binaries:

donut

Donut is position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. A module created by Donut can either be staged from an HTTP server or embedded directly in the loader itself. The module is optionally encrypted using the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded and executed in memory, the original reference is erased to deter memory scanners.

The generator and loader support the following features:
  • Compression of input files with aPLib and LZNT1, Xpress, Xpress Huffman via RtlCompressBuffer.
  • Using entropy for API hashes and generation of strings.
  • 128-bit symmetric encryption of files.
  • Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  • Patching command line for EXE files.
  • Patching exit-related API to avoid termination of host process.
  • Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.

Installed size: 85 KB
How to install: sudo apt install donut

Dependencies:
  • libc6

donut

root@kali:~# donut -h

  [ Donut shellcode generator v1 (built Mar 10 2025 15:50:28)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

                   -MODULE OPTIONS-

       -n,--modname: <name>                    Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s,--server: <server>                   Server that will host the Donut module. Credentials may be provided in the following format: https://username:[email protected]/
       -e,--entropy: <level>                   Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

                   -PIC/SHELLCODE OPTIONS-

       -a,--arch: <arch>,--cpu: <arch>         Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -o,--output: <path>                     Output file to save loader. Default is "loader.bin"
       -f,--format: <format>                   Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y,--fork: <offset>                     Create a new thread for the loader and continue execution at <offset> relative to the host process's executable.
       -x,--exit: <action>                     Exit behaviour. 1=Exit thread (default), 2=Exit process, 3=Do not exit or cleanup and block indefinitely

                   -FILE OPTIONS-

       -c,--class: <namespace.class>           Optional class name. (required for .NET DLL)
       -d,--domain: <name>                     AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -i,--input: <path>,--file: <path>       Input file to execute in-memory.
       -m,--method: <method>,--function: <api> Optional method or function for DLL. (a method is required for .NET DLL)
       -p,--args: <arguments>                  Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w,--unicode                            Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r,--runtime: <version>                 CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t,--thread                             Execute the entrypoint of an unmanaged EXE as a thread.

                   -EXTRA-

       -z,--compress: <engine>                 Pack/Compress file. 1=None
       -b,--bypass: <level>                    Bypass AMSI/WLDP/ETW : 1=None, 2=Abort on fail, 3=Continue on fail.(default)

       -k,--headers: <level>                   Preserve PE headers. 1=Overwrite (default), 2=Keep all

       -j,--decoy: <level>                     Optional path of decoy module for Module Overloading.

 examples:

    donut -ic2.dll
    donut --arch:x86 --class:TestClass --method:RunProcess --args:notepad.exe --input:loader.dll
    donut -iloader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

python-donut-doc

This is the common documentation package.

Installed size: 47 KB
How to install: sudo apt install python-donut-doc


python3-donut

This package installs the Python 3 module.

Installed size: 93 KB
How to install: sudo apt install python3-donut

Dependencies:
  • libc6
  • python3

Updated on: 2025-May-20