Run a .NET pentesting tool on a target system during an authorized engagement without writing any file to disk.
Deliver a custom payload as shellcode that bypasses file-based antivirus scanning during a controlled security test.
Integrate memory-resident execution into your own red team tooling via the provided C, C++, or Python library.
Convert VBScript or JScript tools into in-memory shellcode for use in authorized security assessments.
Requires a Windows target environment for the generated shellcode; the build supports Linux, but the payloads execute Windows processes only.
Donut is a tool used in security research and penetration testing that converts Windows programs into a self-contained blob of machine code, called shellcode, which can be injected into a running process and executed entirely in memory without touching the disk. The input can be a .NET assembly (a compiled C# or VB.NET program), a native Windows executable, a DLL, a VBScript file, or a JScript file.

The typical use case is an authorized red team engagement where a tester needs to run a tool on a target system without dropping a file that antivirus software might detect. By converting the program into shellcode and loading it directly into memory, there is no file for the operating system to scan before execution. Donut handles the technical work of setting up the correct runtime environment in memory: for .NET programs it loads the .NET runtime into the host process, for scripts it uses the Windows scripting engine, for native executables it uses a custom loader.

The generated shellcode can optionally be encrypted with a 128-bit symmetric cipher so the raw bytes are harder to recognize in transit or storage. The tool supports several output formats for the resulting shellcode, including raw binary, Base64, C arrays, Python strings, PowerShell strings, and others, so it can be incorporated into many different delivery mechanisms. Compression of the input file before wrapping is also supported.

Donut also includes options that disable certain Windows logging and scanning mechanisms at runtime to reduce the chance of detection during a test. The README discusses these techniques and links to the underlying security research papers.

Libraries for both Linux and Windows are provided so developers can call Donut's functionality from their own tools in C, C++, or Python. The project is aimed at security professionals conducting authorized assessments and includes a disclaimer about legal use.
Verify against the repo before relying on details.