-
Notifications
You must be signed in to change notification settings - Fork 631
Compatible Encoders
This page documents what shellcode encoders/packers work and DON'T work with Donut shellcode. Donut has issues with many encoding/obfuscation schemes because most of the shellcode is actually data. Encoding it breaks things if it isn't decoded early because encrypted data can't be decrypted if its form is modified. There are mostly two strategies for shellcode encoding.
- Encoding the shellcode as you would any other binary data. You could do this with any encoding schema (base64, alphanumeric, etc.). Then, build a shellcode loader decodes Donut and executes it. This is worse for AV evasion because the decoder is probably signaturable. But it is helpful if you need to fit your shellcode into an execution or allocation vector that is format-constrained.
- Convert the shellcode into logically equivalent machine code with a different format. An example is movfuscator, which takes advantage of the fact that the x86 mov instruction is Turing-complete (u wot m8t?) to compile C code to machine code that only contains mov instructions.
Option 2 tends not to work for Donut because of the data embedded inside its shellcode. 1 is the more effective strategy because it doesn't change the format of the Donut shellcode (after it is decoded).
Why would you want to encode Donut shellcode? Mostly because Donut is not null-free. Certain execution vectors require their payload to be null-free. Additionally, you may want to encode/obfuscate to change it's signature for AV evasion. Donut has some entropy by default (because the payload is encrypted with a random key), but the loader is not entropic. This it can be signatured.
- alpha_mixed, x86 and x64.
- shikata_ga_nai, x86 and x64
- xor_dynamic. Doesn't crash, but doesn't work.
- zutto_dekiru
- Fucking everything else gadammit