public static int Donut_Create(ref DSConfig config)
{
D.Print("Entering Donut_Create()");
int ret;
DSFileInfo fi = new DSFileInfo
{
ver = new char[Constants.DONUT_VER_LEN]
};
// Parse config and payload
ret = Helper.ParseConfig(ref config, ref fi);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Create the module
ret = CreateModule(ref config, ref fi);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Create the instance
ret = CreateInstance(ref config);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
return(Constants.DONUT_ERROR_SUCCESS);
}
public static int Donut_Create(ref DSConfig config, string outfile)
{
D.Print("Entering Donut_Create()");
int ret;
DSFileInfo fi = new DSFileInfo
{
ver = new char[Constants.DONUT_VER_LEN]
};
// Parse config and payload
ret = Helper.ParseConfig(ref config, ref fi);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Create the module
ret = CreateModule(ref config, ref fi);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Create the instance
ret = CreateInstance(ref config);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Generates output
ret = GenerateOutput(ref config, outfile);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Compiles loader
//ret = CompileLoader();
//if (ret != Constants.DONUT_ERROR_SUCCESS)
//{
// return ret;
//}
return(Constants.DONUT_ERROR_SUCCESS);
}
public static int ParseConfig(ref DSConfig config, ref DSFileInfo fi)
{
D.Print("Entering ParseConfig()");
string file = new string(config.file).Replace("\0", "");
// Checks if file exists
if (File.Exists(file) == false)
{
return(Constants.DONUT_ERROR_INVALID_PARAMETER);
}
// Validate URL
if (config.inst_type == Constants.DONUT_INSTANCE_URL)
{
// Make sure it's a validate URL (check this don't know exactly how it's checking)
D.Print("Validating URL");
if (Uri.IsWellFormedUriString(String(config.url), UriKind.Absolute) == false)
{
return(Constants.DONUT_ERROR_INVALID_URL);
}
// If URL doesn't have trailing slash, add one
//if (config.url(config.url.Length - 1) != "/")
//{
// config.url += "/";
//}
}
// Validate Arch
D.Print("Checking for Arch Mismatch");
if (config.arch != Constants.DONUT_ARCH_ANY &&
config.arch != Constants.DONUT_ARCH_X86 &&
config.arch != Constants.DONUT_ARCH_X84 &&
config.arch != Constants.DONUT_ARCH_X64)
{
return(Constants.DONUT_ERROR_INVALID_ARCH);
}
// Validate AMSI/WDLP Bypass Option
D.Print("Validating Bypass Option");
if (config.bypass != Constants.DONUT_BYPASS_SKIP &&
config.bypass != Constants.DONUT_BYPASS_ABORT &&
config.bypass != Constants.DONUT_BYPASS_CONTINUE)
{
return(Constants.DONUT_ERROR_BYPASS_INVALID);
}
// Get File Info
var ret = ParseInputFile(file, ref fi);
if (ret != Constants.DONUT_ERROR_SUCCESS)
{
return(ret);
}
// Set Module Type
config.mod_type = fi.type;
if (config.mod_type == Constants.DONUT_MODULE_DLL || config.mod_type == Constants.DONUT_MODULE_EXE)
{
// Check for Arch mismatch
if ((config.arch == Constants.DONUT_ARCH_X86 && fi.arch == Constants.DONUT_ARCH_X64) ||
(config.arch == Constants.DONUT_ARCH_X64 && fi.arch == Constants.DONUT_ARCH_X86))
{
return(Constants.DONUT_ERROR_ARCH_MISMATCH);
}
// Check existence of DLL function specified
if (config.mod_type == Constants.DONUT_MODULE_DLL && config.method != null)
{
try
{
var exported = new PeNet.PeFile(file).ExportedFunctions;
bool found = false;
foreach (var func in exported)
{
if (func.Name == String(config.method))
{
found = true;
}
}
if (found == false)
{
return(Constants.DONUT_ERROR_DLL_FUNCTION);
}
}
catch
{
return(Constants.DONUT_ERROR_DLL_FUNCTION);
}
}
// If unmanaged DLL with params, need function
if (config.mod_type == Constants.DONUT_MODULE_DLL && config.param != null)
{
if (config.method == null)
{
return(Constants.DONUT_ERROR_DLL_PARAM);
}
}
}
// If .NET DLL make sure Method and Class provided
if (config.mod_type == Constants.DONUT_MODULE_NET_DLL)
{
if (config.cls == null || config.method == null)
{
return(Constants.DONUT_ERROR_NET_PARAMS);
}
}
return(Constants.DONUT_ERROR_SUCCESS);
}
public static int ParseInputFile(string file, ref DSFileInfo fi)
{
D.Print("Entering ParseInputFile()");
PeNet.PeFile PE;
var extension = Path.GetExtension(file);
D.Print($"File extension is: {extension}");
// If supplied file is a directory
if (extension == null)
{
return(Constants.DONUT_ERROR_FILE_INVALID);
}
// Parse extension
if (extension == ".vbs")
{
fi.type = Constants.DONUT_MODULE_VBS;
fi.arch = Constants.DONUT_ARCH_ANY;
}
else if (extension == ".js")
{
fi.type = Constants.DONUT_MODULE_JS;
fi.arch = Constants.DONUT_ARCH_ANY;
}
else if (extension == ".xsl")
{
fi.type = Constants.DONUT_MODULE_XSL;
fi.arch = Constants.DONUT_ARCH_ANY;
}
else if (extension == ".exe")
{
fi.type = Constants.DONUT_MODULE_EXE;
fi.arch = Constants.DONUT_ARCH_ANY;
}
else if (extension == ".dll")
{
fi.type = Constants.DONUT_MODULE_DLL;
fi.arch = Constants.DONUT_ARCH_ANY;
}
else
{
return(Constants.DONUT_ERROR_FILE_INVALID);
}
// Do PE parsing for .dll and .exe
if (fi.type == Constants.DONUT_MODULE_DLL || fi.type == Constants.DONUT_MODULE_EXE)
{
D.Print("Parsing PE file");
try
{
PE = new PeNet.PeFile(file);
if (PE.ImageDosHeader == null)
{
return(Constants.DONUT_ERROR_FILE_INVALID);
}
if (PE.ImageNtHeaders == null)
{
return(Constants.DONUT_ERROR_FILE_INVALID);
}
}
catch
{
return(Constants.DONUT_ERROR_FILE_INVALID);
}
// Check and Reset Arch
if (PE.Is32Bit == true)
{
fi.arch = Constants.DONUT_ARCH_X86;
}
else
{
fi.arch = Constants.DONUT_ARCH_X64;
}
// Check .NET and Reset Type
if (PE.HasValidComDescriptor == true)
{
D.Print("COM Descriptor found, .NET selected");
if (PE.IsDLL == true)
{
fi.type = Constants.DONUT_MODULE_NET_DLL;
}
else
{
fi.type = Constants.DONUT_MODULE_NET_EXE;
}
Copy(fi.ver, PE.MetaDataHdr.Version);
D.Print($"Runtime found in Metadata Header: {String(fi.ver)}");
}
else if (PE.ImageRelocationDirectory.Length == 0)
{
//Think this should be ok?
return(Constants.DONUT_ERROR_NORELOC);
}
}
return(Constants.DONUT_ERROR_SUCCESS);
}
public static int CreateModule(ref DSConfig config, ref DSFileInfo fi)
{
string[] param;
Console.WriteLine("\nPayload options:");
D.Print("Entering CreateModule()");
// Init Module struct
DSModule mod = new Helper().InitStruct("DSModule");
mod.type = fi.type;
// DotNet Assembly
if (mod.type == Constants.DONUT_MODULE_NET_DLL || mod.type == Constants.DONUT_MODULE_NET_EXE)
{
// If no AppDomain, generate one
if (config.domain[0] == 0)
{
Helper.Copy(config.domain, Helper.RandomString(8));
}
Console.WriteLine($"\tDomain:\t{Helper.String(config.domain)}");
Helper.Unicode(mod.domain, Helper.String(config.domain));
if (mod.type == Constants.DONUT_MODULE_NET_DLL)
{
Console.WriteLine($"\tClass:\t{Helper.String(config.cls)}");
Helper.Unicode(mod.cls, Helper.String(config.cls));
Console.WriteLine($"\tMethod:\t{Helper.String(config.method)}");
Helper.Unicode(mod.method, Helper.String(config.method));
}
// If no runtime specified, use the version from assembly
if (config.runtime[0] == 0)
{
config.runtime = fi.ver;
}
Console.WriteLine($"\tRuntime:{Helper.String(config.runtime)}");
Helper.Unicode(mod.runtime, Helper.String(config.runtime));
}
// Unmanaged DLL?
if (mod.type == Constants.DONUT_MODULE_DLL)
{
if (config.method[0] == 0)
{
// Set method DllMain if no method specified
Helper.Copy(mod.method, "DllMain");
}
else
{
Helper.Copy(mod.method, Helper.String(config.method));
}
}
if (config.param != null)
{
// Assign params
param = Helper.String(config.param).Split(new char[] { ',', ';' });
for (int cnt = 0; cnt < param.Length; cnt++)
{
Helper.Unicode(mod.p[cnt].param, param[cnt]);
mod.param_cnt++;
}
// If no params, assign cnt = 0
if (param[0] == "")
{
mod.param_cnt = 0;
}
}
// Assign Module Length
mod.len = Convert.ToUInt32(new FileInfo(Helper.String(config.file)).Length);
// Update Module and Length in Config
config.mod = mod;
config.mod_len = Convert.ToUInt32(Marshal.SizeOf(typeof(DSModule))) + mod.len;
D.Print($"Total Module Size: {config.mod_len}");
return(Constants.DONUT_ERROR_SUCCESS);
}
public static int CreateModule(ref DSConfig config, ref DSFileInfo fi)
{
D.Print("Entering CreateModule()");
string[] param;
// Inititialize Module struct
DSModule mod = new DSModule
{
type = fi.type,
runtime = new byte[512],
cls = new byte[512],
method = new byte[512],
domain = new byte[512],
sig = new char[256]
};
// DotNet Assembly
if (mod.type == Constants.DONUT_MODULE_NET_DLL || mod.type == Constants.DONUT_MODULE_NET_EXE)
{
// If no AppDomain, generate one
if (config.domain[0] == 0)
{
Helper.Copy(config.domain, Helper.RandomString(8));
}
Console.WriteLine($"\t[+] Domain:\t{Helper.String(config.domain)}");
Helper.Unicode(mod.domain, Helper.String(config.domain));
if (mod.type == Constants.DONUT_MODULE_NET_DLL)
{
Console.WriteLine($"\t[+] Class:\t{Helper.String(config.cls)}");
Helper.Unicode(mod.cls, Helper.String(config.cls));
Console.WriteLine($"\t[+] Method:\t{Helper.String(config.method)}");
Helper.Unicode(mod.method, Helper.String(config.method));
}
// If no runtime specified, use the version from assembly
if (config.runtime[0] == 0)
{
config.runtime = fi.ver;
}
Console.WriteLine($"\t[+] Runtime:\t{Helper.String(config.runtime)}");
Helper.Unicode(mod.runtime, Helper.String(config.runtime));
}
// Unmanaged DLL?
if (mod.type == Constants.DONUT_MODULE_DLL)
{
if (config.method[0] == 0)
{
// Set method DllMain
Helper.Copy(mod.method, "DllMain");
}
else
{
Helper.Copy(mod.method, Helper.String(config.method));
}
}
if (config.param != null)
{
// Initialize Param struct
mod.p = new P[Constants.DONUT_MAX_PARAM + 1];
for (int i = 0; i < mod.p.Length; i++)
{
mod.p[i] = new P
{
param = new byte[Constants.DONUT_MAX_NAME * 2]
};
}
// Assign params
param = Helper.String(config.param).Split(new char[] { ',', ';' });
for (int cnt = 0; cnt < param.Length; cnt++)
{
Helper.Unicode(mod.p[cnt].param, param[cnt]);
mod.param_cnt++;
}
// If no params, assign cnt = 0
if (param[0] == "")
{
mod.param_cnt = 0;
}
}
// Assign mod length
mod.len = Convert.ToUInt32(new FileInfo(Helper.String(config.file)).Length);
// Update mod and len
config.mod = mod;
config.mod_len = Convert.ToUInt32(Marshal.SizeOf(typeof(DSModule))) + mod.len;
D.Print($"Total Module Size: {config.mod_len}");
return(Constants.DONUT_ERROR_SUCCESS);
}
