kylewillmon
diff --git a/Diff for: ‎README.md
+8 b/Diff for: ‎README.md
+8
diff --git a/Diff for: ‎donut.c
+34-2 b/Diff for: ‎donut.c
+34-2
diff --git a/Diff for: ‎donutmodule.c
+17-11 b/Diff for: ‎donutmodule.c
+17-11
diff --git a/Diff for: ‎examples/dynamic.c
+1 b/Diff for: ‎examples/dynamic.c
+1
diff --git a/Diff for: ‎examples/static.c
+1 b/Diff for: ‎examples/static.c
+1
diff --git a/Diff for: ‎include/donut.h
+7 b/Diff for: ‎include/donut.h
+7
diff --git a/Diff for: ‎lib/donut.h
+6 b/Diff for: ‎lib/donut.h
+6
diff --git a/Diff for: ‎loader/inmem_pe.c
+6-3 b/Diff for: ‎loader/inmem_pe.c
+6-3
@@ -50,6 +50,8 @@
 
 <p>The loader can disable AMSI and WLDP to help evade detection of malicious files executed in-memory. For more information, read <a href="https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/">How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code</a>. It also supports decompression of files in memory using aPLib or the RtlDecompressBuffer API. Read <a href="https://modexp.wordpress.com/2019/12/08/shellcode-compression/">Data Compression</a> for more information.</p>
 
+<p>By default, the loader will overwrite the PE headers of unmanaged PEs (from the base address to `IMAGE_OPTIONAL_HEADER.SizeOfHeaders`). If no decoy module is used (module overloading), then the PE headers will be zeroed. If a decoy module is used, the PE headers of the decoy module will be used to overwrite those of the payload module. This is to deter detection by comparing the PE headers of modules in memory with the file backing them on disk. The user may request that all PE headers be preserved in their original state. This is helpful for scenarios when the payload module needs to access its PE headers, such as when looking up embedded PE resources.</p>
+
 <p>For a detailed walkthrough using the generator and how Donut affects tradecraft, read <a href="https://thewover.github.io/Introducing-Donut/">Donut - Injecting .NET Assemblies as Shellcode</a>. For more information about the loader, read <a href="https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/">Loading .NET Assemblies From Memory</a>.</p>
 
 <p>Those who wish to know more about the internals should refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">Developer notes.</a></p>
@@ -148,6 +150,12 @@
     <td><var>level</var></td>
     <td>Behavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)</td>
   </tr>
+
+  <tr>
+    <td><strong>-k</strong></td>
+    <td><var>headers</var></td>
+    <td>Preserve PE headers. 1=Overwrite (default), 2=Keep all</td>
+  </tr>
 
   <tr>
     <td><strong>-c</strong></td>
 
@@ -866,6 +866,8 @@ static int build_instance(PDONUT_CONFIG c) {
     inst->entropy  = c->entropy;
     // set the bypass level
     inst->bypass   = c->bypass;
+    // set the headers level
+    inst->headers  = c->headers;
     // set the module length
     inst->mod_len  = c->mod_len;
 
@@ -1408,6 +1410,13 @@ static int validate_loader_cfg(PDONUT_CONFIG c) {
       DPRINT("Option to bypass AMSI/WDLP %"PRId32" is invalid.", c->bypass);
       return DONUT_ERROR_BYPASS_INVALID;
     }
+
+    if(c->headers != DONUT_HEADERS_OVERWRITE     &&
+       c->headers != DONUT_HEADERS_KEEP)
+    {
+      DPRINT("Option to preserve PE headers (or not) %"PRId32" is invalid.", c->headers);
+      return DONUT_ERROR_HEADERS_INVALID;
+    }
 
     DPRINT("Loader configuration passed validation.");
     return DONUT_ERROR_OK;
@@ -1675,6 +1684,9 @@ const char *DonutError(int err) {
       case DONUT_ERROR_BYPASS_INVALID:
         str = "Invalid bypass option specified.";
         break;
+      case DONUT_ERROR_HEADERS_INVALID:
+        str = "Invalid PE headers preservation option.";
+        break;
       case DONUT_ERROR_NORELOC:
         str = "This file has no relocation information required for in-memory execution.";
         break;
@@ -2075,6 +2087,19 @@ static int validate_bypass(opt_arg *arg, void *args) {
     return 1;
 }
 
+// calback to validate headers options
+static int validate_headers(opt_arg *arg, void *args) {
+    char *str = (char*)args;
+    
+    arg->u32 = 0;
+    if(str == NULL) return 0;
+    
+    // just temporary
+    arg->u32 = atoi(str);
+    
+    return 1;
+}
+
 static void usage (void) {
     printf(" usage: donut [options] <EXE/DLL/VBS/JS>\n\n");
     printf("       Only the finest artisanal donuts are made of shells.\n\n");   
@@ -2107,6 +2132,7 @@ static void usage (void) {
     printf("       -z,--compress: <engine>                 Pack/Compress file. 1=None, 2=aPLib\n");
 #endif
     printf("       -b,--bypass: <level>                    Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)\n\n");
+    printf("       -k,--headers: <level>                   Preserve PE headers. 1=Overwrite (default), 2=Keep all\n\n");
 
     printf(" examples:\n\n");
     printf("    donut -ic2.dll\n");
@@ -2125,7 +2151,7 @@ int main(int argc, char *argv[]) {
 
     printf("\n");
     printf("  [ Donut shellcode generator v0.9.3 (built " __DATE__ " " __TIME__ ")\n");
-    printf("  [ Copyright (c) 2019-2020 TheWover, Odzhan\n\n");
+    printf("  [ Copyright (c) 2019-2021 TheWover, Odzhan\n\n");
 
     // zero initialize configuration
     memset(&c, 0, sizeof(c));
@@ -2134,6 +2160,7 @@ int main(int argc, char *argv[]) {
     c.inst_type = DONUT_INSTANCE_EMBED;   // file is embedded
     c.arch      = DONUT_ARCH_X84;         // dual-mode (x86+amd64)
     c.bypass    = DONUT_BYPASS_CONTINUE;  // continues loading even if disabling AMSI/WLDP fails
+    c.headers   = DONUT_HEADERS_OVERWRITE;// overwrites PE headers
     c.format    = DONUT_FORMAT_BINARY;    // default output format
     c.compress  = DONUT_COMPRESS_NONE;    // compression is disabled by default
     c.entropy   = DONUT_ENTROPY_DEFAULT;  // enable random names + symmetric encryption by default
@@ -2144,6 +2171,7 @@ int main(int argc, char *argv[]) {
     get_opt(argc, argv, OPT_TYPE_NONE,   NULL,       "h;?", "help",            usage);
     get_opt(argc, argv, OPT_TYPE_DEC,    &c.arch,    "a",   "arch",            validate_arch);
     get_opt(argc, argv, OPT_TYPE_DEC,    &c.bypass,  "b",   "bypass",          validate_bypass);
+    get_opt(argc, argv, OPT_TYPE_DEC,    &c.headers, "k",   "headers",         validate_headers);
     get_opt(argc, argv, OPT_TYPE_STRING, c.cls,      "c",   "class",           NULL);
     get_opt(argc, argv, OPT_TYPE_STRING, c.domain,   "d",   "domain",          NULL);
     get_opt(argc, argv, OPT_TYPE_DEC,    &c.entropy, "e",   "entropy",         validate_entropy);
@@ -2242,7 +2270,11 @@ int main(int argc, char *argv[]) {
 
     printf("  [ AMSI/WDLP     : %s\n",
       c.bypass == DONUT_BYPASS_NONE  ? "none" : 
-      c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue"); 
+      c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue");
+
+    printf("  [ PE Headers    : %s\n",
+      c.headers == DONUT_HEADERS_OVERWRITE  ? "overwrite" : 
+      c.headers == DONUT_HEADERS_KEEP ? "keep" : "Undefined"); 
 
     printf("  [ Shellcode     : \"%s\"\n", c.output);
     if(c.oep != 0) {
 
@@ -39,6 +39,7 @@ static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds)
 
     int arch      = 0;     // target CPU architecture or mode
     int bypass    = 0;     // AMSI/WDLP bypassing behavior
+    int headers   = 0;     // Preserve PE headers behavior
     int compress  = 0;     // compress input file
     int entropy   = 0;     // whether to randomize API hashes and use encryption
     int format    = 0;     // output format
@@ -60,14 +61,14 @@ static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds)
     char *modname = NULL;     // name of module stored on HTTP server
 
     static char *kwlist[] = {
-      "file", "arch", "bypass", "compress", "entropy", 
+      "file", "arch", "bypass", "headers", "compress", "entropy", 
       "format", "exit_opt", "thread", "oep", "output", 
       "runtime", "appdomain", "cls", "method", "params", 
       "unicode", "server", "url", "modname", NULL};
 
     if (!PyArg_ParseTupleAndKeywords(
-      args, keywds, "s|iiiiiiisssssssisss", kwlist, &input, &arch, 
-      &bypass, &compress, &entropy, &format, &exit_opt, &thread, 
+      args, keywds, "s|iiiiiiiisssssssisss", kwlist, &input, &arch, 
+      &bypass, &headers, &compress, &entropy, &format, &exit_opt, &thread, 
       &oep, &output, &runtime, &domain, &cls, &method, &params, 
       &unicode, &server, &server, &modname)) 
     {
@@ -80,14 +81,15 @@ static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds)
     memset(&c, 0, sizeof(c));
 
     // default settings
-    c.inst_type = DONUT_INSTANCE_EMBED;   // file is embedded
-    c.arch      = DONUT_ARCH_X84;         // dual-mode (x86+amd64)
-    c.bypass    = DONUT_BYPASS_CONTINUE;  // continues loading even if disabling AMSI/WLDP fails
-    c.format    = DONUT_FORMAT_BINARY;    // default output format
-    c.compress  = DONUT_COMPRESS_NONE;    // compression is disabled by default
-    c.entropy   = DONUT_ENTROPY_DEFAULT;  // enable random names + symmetric encryption by default
-    c.exit_opt  = DONUT_OPT_EXIT_THREAD;  // default behaviour is to exit the thread
-    c.unicode   = 0;                      // command line will not be converted to unicode for unmanaged DLL function
+    c.inst_type = DONUT_INSTANCE_EMBED;    // file is embedded
+    c.arch      = DONUT_ARCH_X84;          // dual-mode (x86+amd64)
+    c.bypass    = DONUT_BYPASS_CONTINUE;   // continues loading even if disabling AMSI/WLDP fails
+    c.headers    = DONUT_HEADERS_OVERWRITE;// overwrite PE header
+    c.format    = DONUT_FORMAT_BINARY;     // default output format
+    c.compress  = DONUT_COMPRESS_NONE;     // compression is disabled by default
+    c.entropy   = DONUT_ENTROPY_DEFAULT;   // enable random names + symmetric encryption by default
+    c.exit_opt  = DONUT_OPT_EXIT_THREAD;   // default behaviour is to exit the thread
+    c.unicode   = 0;                       // command line will not be converted to unicode for unmanaged DLL function
 
     // input file
     if(input != NULL) {
@@ -102,6 +104,10 @@ static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds)
     if(bypass != 0) {
       c.bypass = bypass;
     }
+    // headers options
+    if(headers != 0) {
+      c.headers = headers;
+    }
     // class of .NET assembly
     if(cls != NULL) {
       strncpy(c.cls, cls, DONUT_MAX_NAME - 1);
 
@@ -61,6 +61,7 @@ int main(int argc, char *argv[]) {
     c.inst_type = DONUT_INSTANCE_EMBED;   // file is embedded
     c.arch      = DONUT_ARCH_X84;         // dual-mode (x86+amd64)
     c.bypass    = DONUT_BYPASS_CONTINUE;  // continues loading even if disabling AMSI/WLDP fails
+    c.headers   = DONUT_HEADERS_OVERWRITE;// overwrite PE headers
     c.format    = DONUT_FORMAT_BINARY;    // default output format
     c.compress  = DONUT_COMPRESS_NONE;    // compression is disabled by default
     c.entropy   = DONUT_ENTROPY_DEFAULT;  // enable random names + symmetric encryption by default
 
@@ -23,6 +23,7 @@ int main(int argc, char *argv[]) {
     c.inst_type = DONUT_INSTANCE_EMBED;   // file is embedded
     c.arch      = DONUT_ARCH_X84;         // dual-mode (x86+amd64)
     c.bypass    = DONUT_BYPASS_CONTINUE;  // continues loading even if disabling AMSI/WLDP fails
+    c.headers   = DONUT_HEADERS_OVERWRITE;// overwrite PE headers
     c.format    = DONUT_FORMAT_BINARY;    // default output format
     c.compress  = DONUT_COMPRESS_NONE;    // compression is disabled by default
     c.entropy   = DONUT_ENTROPY_DEFAULT;  // enable random names + symmetric encryption by default
 
@@ -128,6 +128,7 @@ typedef struct _GUID {
 #define DONUT_ERROR_COMPRESSION         19
 #define DONUT_ERROR_INVALID_ENTROPY     20
 #define DONUT_ERROR_MIXED_ASSEMBLY      21
+#define DONUT_ERROR_HEADERS_INVALID     22
 
 // target architecture
 #define DONUT_ARCH_ANY                  -1  // for vbs and js files
@@ -178,6 +179,10 @@ typedef struct _GUID {
 #define DONUT_BYPASS_ABORT               2  // If bypassing AMSI/WLDP fails, the loader stops running
 #define DONUT_BYPASS_CONTINUE            3  // If bypassing AMSI/WLDP fails, the loader continues running
 
+// Preserve PE headers options
+#define DONUT_HEADERS_OVERWRITE          1  // Overwrite PE headers
+#define DONUT_HEADERS_KEEP               2  // Preserve PE headers
+
 #define DONUT_MAX_NAME                 256  // maximum length of string for domain, class, method and parameter names
 #define DONUT_MAX_DLL                    8  // maximum number of DLL supported by instance
 #define DONUT_MAX_MODNAME                8
@@ -371,6 +376,7 @@ typedef struct _DONUT_INSTANCE {
     char        exit_api[DONUT_MAX_NAME];     // exit-related API
 
     int         bypass;                       // indicates behaviour of byassing AMSI/WLDP/ETW
+    int         headers;                      // indicates whether to overwrite PE headers
     char        wldpQuery[32];                // WldpQueryDynamicCodeTrust
     char        wldpIsApproved[32];           // WldpIsClassInApprovedList
     char        amsiInit[16];                 // AmsiInitialize
@@ -425,6 +431,7 @@ typedef struct _DONUT_CONFIG {
     // general / misc options for loader
     int             arch;                     // target architecture
     int             bypass;                   // bypass option for AMSI/WDLP
+    int             headers;                  // preserve PE headers option
     int             compress;                 // engine to use when compressing file via RtlCompressBuffer
     int             entropy;                  // entropy/encryption level
     int             format;                   // output format for loader
 
@@ -70,6 +70,7 @@
 #define DONUT_ERROR_COMPRESSION         19
 #define DONUT_ERROR_INVALID_ENTROPY     20
 #define DONUT_ERROR_MIXED_ASSEMBLY      21
+#define DONUT_ERROR_HEADERS_INVALID     22
 
 // target architecture
 #define DONUT_ARCH_ANY                  -1  // just for vbs,js and xsl files
@@ -120,6 +121,10 @@
 #define DONUT_BYPASS_ABORT               2  // If bypassing AMSI/WLDP fails, the loader stops running
 #define DONUT_BYPASS_CONTINUE            3  // If bypassing AMSI/WLDP fails, the loader continues running
 
+// Preserve PE headers options
+#define DONUT_HEADERS_OVERWRITE          1  // Overwrite PE headers
+#define DONUT_HEADERS_KEEP               1  // Preserve PE headers
+
 #define DONUT_MAX_NAME                 256  // maximum length of string for domain, class, method and parameter names
 #define DONUT_MAX_DLL                    8  // maximum number of DLL supported by instance
 #define DONUT_MAX_MODNAME                8
@@ -132,6 +137,7 @@ typedef struct _DONUT_CONFIG {
     // general / misc options for loader
     int             arch;                     // target architecture
     int             bypass;                   // bypass option for AMSI/WDLP
+    int             headers;                  // preserve PE headers option
     int             compress;                 // engine to use when compressing file via RtlCompressBuffer
     int             entropy;                  // entropy/encryption level
     int             format;                   // output format for loader
 
@@ -281,9 +281,12 @@ VOID RunPE(PDONUT_INSTANCE inst, PDONUT_MODULE mod) {
 
     Memcpy(shcp, sh, ntc.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER));
 
-    DPRINT("Wiping Headers from memory");
-    Memset(cs,   0, nt->OptionalHeader.SizeOfHeaders);
-    Memset(base, 0, nt->OptionalHeader.SizeOfHeaders);
+    if(inst->headers == 1)
+    {
+      DPRINT("Wiping Headers from memory");
+      Memset(cs,   0, nt->OptionalHeader.SizeOfHeaders);
+      Memset(base, 0, nt->OptionalHeader.SizeOfHeaders);
+    }
 
     DPRINT("Ummapping temporary local view of section to persist changes.");
     status = inst->api.NtUnmapViewOfSection(inst->api.GetCurrentProcess(), cs);