Donut is a PIC (position-independent code) generator that runs .NET assemblies, native EXE and DLL files, VBScript and JScript files in memory. It produces shellcode that can be injected into an arbitrary process. Key features include:
- Compression of input files with aPLib, or with LZNT1, Xpress and Xpress Huffman via RtlCompressBuffer.
- Randomized entropy for API hashes and string generation.
- 128-bit symmetric encryption of files.
- Overwriting native PE headers.
- Storing native PEs in MEM_IMAGE memory.
- Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
- Patching Event Tracing for Windows (ETW).
- Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal, and UUID string.
Donut is useful for red teams wanting to execute code in memory, bypassing traditional AV/EDR solutions. It supports HTTP staging and encryption to further evade detection.