donut

Donut is a PIC (position-independent code) generator that allows running .NET Assemblies, EXE, DLL, VBScript, JScript files in-memory. It produces shellcode that can be injected into an arbitrary process. Key features include:

• Compression of input files with aPLib and LZNT1, Xpress, Xpress Huffman via RtlCompressBuffer.
• Using entropy for API hashes and generation of strings.
• 128-bit symmetric encryption of files.
• Overwriting native PE headers.
• Storing native PEs in MEM_IMAGE memory.
• Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
• Patching Event Tracing for Windows (ETW).
• Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal, and UUID string.

Donut is useful for red teams wanting to execute code in memory, bypassing traditional AV/EDR solutions. It supports HTTP staging and encryption to further evade detection.