phra / PEzor

Open-Source Shellcode & PE Packer

Home Page: https://iwantmore.pizza/posts/PEzor.html

Can't use PEzor as "donut -i" doesn't exist

dobin opened this issue · comments

When trying to use PEzor on an exe, it gives an error when calling donut:

od: /tmp/tmp.a9kqst7yVg/shellcode.bin.donut: No such file or directory

On https://github.com/phra/PEzor/blob/master/PEzor.sh#L340, because the parameter "-i" doesn't exist at all for donut.

# bash PEzor.sh -unhook -antidebug -text -self Seatbelt-a.exe -z 2
PEzor!! v3.1.2
---------------------------------------------------------------------------
Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
https://iwantmore.pizza/posts/PEzor4.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
---------------------------------------------------------------------------
[?] Unhook enabled
[?] Anti-debug enabled
[?] Payload will be put in .text section
[?] Self-executing payload
[?] Processing Seatbelt-a.exe
[?] PE detected: Seatbelt-a.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
[?] Building executable
[?] Executing donut 1

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

 usage: donut [options] <EXE/DLL/VBS/JS>

       Only the finest artisanal donuts are made of shells.

                   -MODULE OPTIONS-

       -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
       -s <server>          HTTP server that will host the donut module.
       -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

                   -PIC/SHELLCODE OPTIONS-

       -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
       -o <path>            Output file to save loader. Default is "loader.bin"
       -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
       -y <addr>            Create thread for loader and continue execution at <addr> supplied.
       -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

                   -FILE OPTIONS-

       -c <namespace.class> Optional class name. (required for .NET DLL)
       -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
       -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
       -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
       -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
       -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
       -t                   Execute the entrypoint of an unmanaged EXE as a thread.
       -z <engine>          Pack/Compress file. 1=None, 2=aPLib

 examples:

    donut c2.dll
    donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
    donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/
od: /tmp/tmp.a9kqst7yVg/shellcode.bin.donut: No such file or directory
[!] Done! Check Seatbelt-a.exe.packed.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

An exe is generated, but it is too small and doesn't print anything when executed.

Probably "-i" was removed from donut. Just remove all "-i" from donut calls.
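The failure above has two parts: donut rejects an option it does not know and exits with its usage text, and the wrapper keeps going, so `od` fails and a truncated exe is still reported as "Done!". A fail-closed wrapper that checks the installed donut's usage text for every option it is about to pass and refuses to continue when no output file was written, as an added example that is not PEzor's or donut's own code; `DONUT_BIN`, `donut_supports_opt`, `run_donut_checked` and the v0.9.3-style stub are constructed for this illustration:

```shell
#!/bin/sh
# Added example (not PEzor's or donut's code): fail closed around a donut call.
# 1) verify donut advertises each option we will pass (parsed from its usage text)
# 2) verify donut exited 0 and actually wrote the output file
# The stub below mimics donut v0.9.3, whose usage has no "-i", so this runs offline.

donut_supports_opt() {  # $1 = donut binary, $2 = option such as -i
    "$1" 2>&1 | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# $1 = donut binary, $2 = output path, remaining args = donut options/input.
# Returns 2 for an unsupported option, 3 if donut failed, 4 if no output.
run_donut_checked() {
    bin="$1"; out="$2"; shift 2
    for opt in "$@"; do
        case "$opt" in
        -*) donut_supports_opt "$bin" "$opt" || {
                echo "[!] $bin does not support $opt; install the donut commit the script expects" >&2
                return 2; } ;;
        esac
    done
    "$bin" "$@" -o "$out" >/dev/null 2>&1 || { echo "[!] donut exited non-zero" >&2; return 3; }
    [ -s "$out" ] || { echo "[!] donut wrote nothing to $out" >&2; return 4; }
    return 0
}

# Constructed stand-in for an old donut: prints a v0.9.3-style usage (no -i), exits 1.
make_old_donut_stub() {
    stub="${TMPDIR:-/tmp}/donut-stub-$$"
    cat >"$stub" <<'EOF'
#!/bin/sh
cat <<'USAGE'
 usage: donut [options] <EXE/DLL/VBS/JS>
       -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
       -o <path>            Output file to save loader. Default is "loader.bin"
       -z <engine>          Pack/Compress file. 1=None, 2=aPLib
USAGE
exit 1
EOF
    chmod +x "$stub"; printf '%s\n' "$stub"
}

DONUT_BIN="${DONUT_BIN:-$(make_old_donut_stub)}"
run_donut_checked "$DONUT_BIN" "${TMPDIR:-/tmp}/shellcode.bin.donut.$$" -a 1 -z 2 -i input.exe
```

Point `DONUT_BIN` at a real donut build to use the same preflight before the packer's own invocation.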

No, the -i parameter was added to donut in this branch: https://github.com/TheWover/donut/tree/dev
The install script was updated to use a specific commit of donut that requires the -i parameter.