
detect donut loader #994

Open
1 task done
Still34 opened this issue Feb 5, 2025 · 0 comments

Still34 commented Feb 5, 2025

Prerequisites

  • [x] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

Add detection rule(s) for donut loader. At the moment, capa only detects the presence of RC4 in donut-related shellcode.

Examples

744ba02a89e2fe82b048e79520b6e6ac0e2ad21ed2b39fa06d0a0a22df91a45b

Features

  • maru calculation used for API hash calculation (https://github.com/TheWover/donut/blob/47758d787209dd1744f58c140102ac91b649df16/hash.c#L65)
  • possibly parameters passed to various calls (e.g., HttpSendRequest, VirtualAlloc, RtlDecompressBuffer, etc.)
  • PEB walking (at the moment existing PEB walk rules do not match the ones found in this loader)
  • .NET loading via COM (IIDs/CLSIDs don't appear to be stored as-is in the compiled shellcode, may need to match by COM calls parameters?)
  • ...probably more I haven't had the time to look into that might be good for rules

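The maru API-name hash named as the first feature above, re-implemented here as an added example (not code from the donut project or from capa): Speck 64/128 used as a Davies-Meyer compression function over the ASCII name. The round function, key schedule and padding follow my reading of the linked hash.c and should be checked against that commit before any output value is used as a rule constant; the IV in the demo is a constructed placeholder, and since donut picks the IV per generated loader the resulting constants differ from sample to sample, which is why raw hash values are a weak rule feature compared with the hashing routine itself.

```python
import struct

MASK32 = 0xFFFFFFFF
MARU_MAX_STR = 64   # names longer than this are truncated before hashing
MARU_BLK_LEN = 16   # message block size == Speck 64/128 key size

def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32

def speck64_128(key: bytes, pt: int) -> int:
    """Speck 64/128 encryption of one 64-bit block; key is 16 little-endian bytes."""
    k = list(struct.unpack("<4I", key))
    x, y = pt & MASK32, pt >> 32        # low word is the rotated/added half
    for i in range(27):
        x = ((ror32(x, 8) + y) & MASK32) ^ k[0]
        y = ror32(y, 29) ^ x            # ror 29 == rol 3
        t = k[3]                        # key schedule, computed in place per round
        k[3] = ((ror32(k[1], 8) + k[0]) & MASK32) ^ i
        k[0] = ror32(k[0], 29) ^ k[3]
        k[1], k[2] = k[2], t
    return (y << 32) | x

def maru(name: str, iv: int) -> int:
    """Davies-Meyer over 16-byte blocks: h ^= Speck_block(h), starting from iv.
    Padding: 0x80, zeros, then the bit length in the last 32-bit word of the
    final block (a fresh block is used if fewer than 4 bytes remain)."""
    data = name.encode("ascii")[:MARU_MAX_STR]
    tail = len(data) % MARU_BLK_LEN
    padded = data + b"\x80"
    if tail >= MARU_BLK_LEN - 4:
        padded += b"\x00" * (MARU_BLK_LEN - 1 - tail) + b"\x00" * (MARU_BLK_LEN - 4)
    else:
        padded += b"\x00" * (MARU_BLK_LEN - 4 - 1 - tail)
    padded += struct.pack("<I", len(data) * 8)
    h = iv
    for off in range(0, len(padded), MARU_BLK_LEN):
        h ^= speck64_128(padded[off:off + MARU_BLK_LEN], h)
    return h

def hash_table(names, iv: int) -> dict:
    """API name -> maru hash for one IV; a different IV gives unrelated constants."""
    return {n: maru(n, iv) for n in names}

if __name__ == "__main__":
    IV = 0x0123456789ABCDEF  # constructed placeholder, not taken from any sample
    for n, h in hash_table(["HttpSendRequest", "VirtualAlloc", "RtlDecompressBuffer"], IV).items():
        print(f"{h:016x}  {n}")
```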