public DonutShellcode(byte[] input, string fileExtension, int bypass = 3, string className = null, string method = null, string args = null, string runtime = null)
{
Input = input;
FileExtension = fileExtension;
var config = new DonutConfig();
config.Arch = global::Constants.DONUT_ARCH_X84;
config.Bypass = bypass;
if (className != null)
{
config.Class = className;
}
if (method != null)
{
config.Method = method;
}
if (args != null)
{
config.Args = args;
}
if (runtime != null)
{
if (runtime != global::Constants.DONUT_RUNTIME_NET2 && runtime != global::Constants.DONUT_RUNTIME_NET4)
{
throw new ArgumentException();
}
}
config.Runtime = runtime;
Config = config;
}
public static byte[] GenerateShellcode(DonutConfig config)
{
var buffer = DonutCreate(config);
DonutDelete(config);
return(buffer);
}
public override string GetLauncher(string StagerCode, byte[] StagerAssembly, Grunt grunt, ImplantTemplate template)
{
this.StagerCode = StagerCode;
string inputf = Common.CovenantTempDirectory + Utilities.GetSanitizedFilename(template.Name + ".exe");
string outputf = Common.CovenantTempDirectory + Utilities.GetSanitizedFilename(template.Name + ".bin");
File.WriteAllBytes(inputf, StagerAssembly);
DonutConfig config = new DonutConfig
{
Arch = 3,
Bypass = 3,
InputFile = inputf,
Class = "GruntStager",
Method = "Execute",
Args = "",
Payload = outputf
};
int ret = Generator.Donut_Create(ref config);
if (ret == Constants.DONUT_ERROR_SUCCESS)
{
this.Base64ILByteString = Convert.ToBase64String(File.ReadAllBytes(outputf));
this.LauncherString = template.Name + ".bin";
}
return(this.LauncherString);
}
// This parses if using nuget package
public static int ParseArguments(ref DonutConfig args, ref DSConfig config)
{
int ret;
// If no input file
if (string.IsNullOrEmpty(args.InputFile) == true)
{
return(Constants.DONUT_ERROR_FILE_NOT_FOUND);
}
// URL not supported yet
if (string.IsNullOrEmpty(args.URL) == false)
{
return(Constants.DONUT_ERROR_INVALID_URL);
}
// Assign values
config.arch = args.Arch;
config.bypass = args.Bypass;
if (string.IsNullOrEmpty(args.Class) == false)
{
Helper.Copy(config.cls, args.Class);
}
if (string.IsNullOrEmpty(args.Domain) == false)
{
Helper.Copy(config.domain, args.Domain);
}
if (string.IsNullOrEmpty(args.Method) == false)
{
Helper.Copy(config.method, args.Method);
}
if (string.IsNullOrEmpty(args.Runtime) == false)
{
Helper.Copy(config.runtime, args.Runtime);
}
if (string.IsNullOrEmpty(args.Payload) == false)
{
Helper.Copy(config.outfile, args.Payload);
}
if (string.IsNullOrEmpty(args.Args) == false)
{
Helper.Copy(config.param, args.Args);
}
if (string.IsNullOrEmpty(args.InputFile) == false)
{
Helper.Copy(config.file, args.InputFile);
}
return(Constants.DONUT_ERROR_SUCCESS);
}
private static void DonutDelete(DonutConfig config)
{
var delErrorCode = (ErrorCode)DonutDelete(ref config);
if (delErrorCode != ErrorCode.SUCCESS)
{
var errorMessage = GetDonutError(delErrorCode);
throw new DonutException($"Donut error: {errorMessage}");
}
}
private static byte[] DonutCreate(DonutConfig config)
{
var createErrorCode = (ErrorCode)DonutCreate(ref config);
if (createErrorCode != ErrorCode.SUCCESS)
{
var errorMessage = GetDonutError(createErrorCode);
throw new DonutException($"Donut error: {errorMessage}");
}
var buffer = new byte[config.pic_len];
Marshal.Copy(config.pic, buffer, 0, config.pic_len);
return(buffer);
}
// Overload to parse nuget package config
// Pass to actual Donut_Create
public static int Donut_Create(ref DonutConfig args)
{
// Create Config
DSConfig config = new Helper().InitStruct("DSConfig");
// Parse provided args
Helper.ParseArguments(ref args, ref config);
int ret = Donut_Create(ref config);
// Free PIC shellcode
Marshal.FreeHGlobal(config.pic);
return(ret);
}
public DonutShellcode(DonutConfig config) => Config = config;
private static extern int DonutDelete(ref DonutConfig donutConfig);
