Managed vs Unmanaged code
Case of Silenttrinity and Donut project
When creating shellcode with donut, remember that an x64 build of the donut project produces x64 shellcode that must run inside an x64 process, and an x86 build produces x86 shellcode that must run inside an x86 process. The program we want to turn into shellcode must also be compiled for the same architecture. This can be achieved by compiling the project with the 2019 MSVC compiler from a developer command prompt, after running:
```
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
```
The architecture of the resulting binary can be confirmed with sigcheck.exe from Sysinternals (see the MachineType line at the end):
```
C:\Users\user\Desktop\donut-dev>nmake debug -f Makefile.msvc

Microsoft (R) Program Maintenance Utility Version 14.23.28106.4
Copyright (C) Microsoft Corporation. All rights reserved.

cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
donut.c
hash.c
encrypt.c
clib.c
Generating Code...
cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
donut.c
hash.c
encrypt.c
clib.c
Generating Code...
Creating library donut.lib and object donut.exp
move donut.lib lib/donut.lib
1 file(s) moved.
move donut.exp lib/donut.exp
1 file(s) moved.
move donut.dll lib/donut.dll
1 file(s) moved.

C:\Users\user\Desktop\donut-dev>..\sigcheck.exe donut.exe

Sigcheck v2.73 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\admin\Desktop\donut-dev\donut.exe:
Verified: Unsigned
Link date: 00:09 14/10/2019
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: 64-bit
```
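Sigcheck reads the MachineType value from the PE file header. The same check can be scripted so that the donut build, the program being converted and the intended host process can be compared before anything is generated. The following is an added example, not code from the donut or Silenttrinity projects: it parses the DOS header, follows e_lfanew to the PE signature and reads the IMAGE_FILE_HEADER.Machine field. The `build_minimal_header` helper constructs a sample header in memory so the script runs offline; the function and constant names are this example's own.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "32-bit (x86)",
    IMAGE_FILE_MACHINE_AMD64: "64-bit (x64)",
}


def pe_machine_type(data: bytes) -> str:
    """Return a human-readable architecture for a PE image held in memory."""
    # DOS header: 'MZ' magic at offset 0, e_lfanew (offset of PE header) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature 'PE\0\0' is followed by the 20-byte IMAGE_FILE_HEADER,
    # whose first field is the 2-byte Machine value
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: invalid PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04X}")


def same_architecture(image_a: bytes, image_b: bytes) -> bool:
    """True when two PE images (e.g. donut.exe and the payload) target the same Machine."""
    return pe_machine_type(image_a) == pe_machine_type(image_b)


def build_minimal_header(machine: int) -> bytes:
    """Constructed sample: a bare DOS header whose e_lfanew points at a PE
    signature plus an IMAGE_FILE_HEADER with the requested Machine value.
    Enough for the parser above; it is not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header starts right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


def check_file(path: str) -> str:
    """Read a PE file from disk and report its architecture."""
    with open(path, "rb") as f:
        return pe_machine_type(f.read())


if __name__ == "__main__":
    # Usage: python pe_arch.py donut.exe payload.exe
    if len(sys.argv) >= 2:
        for p in sys.argv[1:]:
            print(f"{p}: {check_file(p)}")
        if len(sys.argv) >= 3 and not same_architecture(
            open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
        ):
            print("WARNING: architecture mismatch between the given files")
    else:
        # No arguments: demonstrate on the constructed sample headers
        for m in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
            print(pe_machine_type(build_minimal_header(m)))
```

Run with the donut binary and the program you intend to convert as arguments; a mismatch between the two (or between either of them and the host process bitness) is the usual reason a generated shellcode fails to run.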
If an x86 build is needed instead, the corresponding environment script is located at:
```
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars32.bat
```