A container for toying with AV bypass using `donut` and `upx`.
It accepts one x86_64 PE and returns two:
- The first contains the provided PE in a compressed and encrypted form.
- The second is the first, only run through a packer.
What the container does:
- Generates shellcode from an executable using `donut`
- Inserts the shellcode into a C++ dropper and updates the length of the byte array accordingly
- Compiles the C++ dropper with `gcc`
- Packs the resulting executable with `upx`
I was experimenting with minimal modifications to get an official mimikatz release past Defender. Then I got tired of manually running the commands and forgetting to update the payload length for `VirtualAlloc`.
It depends. Observed during testing in late 2021:
- Regular Defender did not detect or block mimikatz as a `donut` module, but did detect and block even a benign `upx`-packed PE ("Trojan:Win32/Wacatac.B!ml").
- Defender for Endpoint detected and blocked the use of `donut` for being `donut` ("VirTool:Win32/Wovdnut.gen!B"), but it didn't care about `upx` so much as what it found once the PE was unpacked.

Think more "Halloween party" and less "deep cover CIA disguise".
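The observation above, that Defender flags a UPX-packed PE on sight, comes down to the very visible traces a stock `upx` build leaves in the PE section table: sections named `UPX0`/`UPX1` and a compressed section whose bytes are near-maximum entropy. The following is an added example from a defender's side, not part of this project, showing how a triage script can read those indicators straight from the headers. It is dependency-free and builds its own minimal, constructed PE-shaped blobs (not loadable images) for offline testing; the `UPX_SECTION_NAMES` set and the entropy threshold are assumptions of the example.

```python
import math
import struct
from typing import Dict, List, Tuple

# Section names a stock UPX build leaves behind (assumed list for this
# example). A renamed section defeats this check, which is why the
# entropy score below is kept as a second indicator.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Tuple[bytes, int, float]]:
    """Return (name, SizeOfRawData, entropy of raw bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        # Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0"), raw_size, shannon_entropy(raw)))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> Dict[str, object]:
    """Summarise the two cheap UPX tells: section names and packed-data entropy."""
    sections = parse_sections(pe)
    names = {name for name, _, _ in sections}
    upx_named = sorted(n.decode("ascii", "replace") for n in names & UPX_SECTION_NAMES)
    high_entropy = [
        name.decode("ascii", "replace")
        for name, raw_size, ent in sections
        if raw_size and ent >= entropy_threshold
    ]
    return {
        "upx_sections": upx_named,
        "high_entropy_sections": high_entropy,
        "suspicious": bool(upx_named or high_entropy),
    }


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed, minimal PE-shaped blob for offline testing; not a loadable image."""
    opt_size = 0  # the parser honours SizeOfOptionalHeader, so an empty one is fine here
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C -> 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)  # first byte after the headers
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(data), 0x1000, len(data), ptr)
        table += b"\0" * 16  # remaining IMAGE_SECTION_HEADER fields, unused here
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples: an ordinary-looking binary and a UPX-style one whose
# UPX0 has no raw data and whose UPX1 holds uniformly distributed bytes.
PLAIN_PE = build_sample_pe([(b".text", b"\x90" * 512 + b"\xc3"), (b".data", b"hello\0" * 64)])
PACKED_PE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16), (b".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(blob))
```

Run it on a real file by replacing the constructed blobs with `open(path, "rb").read()`. Neither indicator is proof of malice on its own (plenty of legitimate installers ship packed), which matches the "benign `upx`-packed PE" result above: a signature on the packer, not on the payload.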
Requirements:
- `bash` or similar (probably)
- `docker`
- `make`
Build the container:

```
make build
```

Place a PE in `/input` and dress it up:

```
cp /path/to/tool.exe /path/to/costume_world/input/
make costume
```