Skip to content

volexity/donut-decryptor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
donut_decryptor
donut_decryptor
 
 
samples
samples
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
setup.cfg
setup.cfg
 
 
setup.py
setup.py
 
 

Repository files navigation

donut_decryptor

A configuration and module extractor for the donut binary obfuscator

Description

donut-decryptor checks file(s) for known signatures of the donut obfuscator's loader shellcode. If located, it will parse the shellcode to locate, decrypt, and extract the DONUT_INSTANCE structure embedded in the binary, and report pertinent configuration data. If a DONUT_MODULE is present in the binary it is decrypted and dumped to disk.

Requirements

donut-decryptor currently requires the separate installation of the chaskey-lts module.

Installation

You can install donut-decryptor for usage by navigating to the root directory of the project and using pip:

cd /path/to/donut-decryptor
python -m pip install .

Following installation, a command-line script is available. For usage instructions use:

donut-decryptor --help

Examples

The files present in the samples directory are 7z files password protected using the password `infected``, all of which contain donuts which can be decoded using this script.

TODO list

  • Update detection rules and instance parsing for alternative output formats:
    • Hex
    • C-String/Ruby
    • Python
    • C#
    • Powershell
  • Consider moving loader/instance mapping to a YAML configuration file.

About

Retrieve inner payloads from Donut samples

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

81 stars

Watchers

8 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages