Handle machine mismatch with IL_ONLY assemblies

Open jackullrich opened this issue 1 year ago • 2 comments

Hello, thanks for creating donut.

I was running some x64 donut shellcode from the context of an IL Only (AnyCpu) PE32 .NET assembly on a 64-bit machine. The shellcode would not complete execution.

Digging a bit deeper, I discovered it was returning prematurely from here: https://github.com/TheWover/donut/blob/master/loader/inmem_pe.c#L107

IL Only images are PE32 on disk but may be transformed to PE32+ in memory by _CorValidateImage.

I have added a small fix to handle this case.

Thanks!

jackullrich, Apr 26 '23 21:04
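A static check for the header condition described in the post above, as an added example that is not part of the original issue or of donut's code: it reads the on-disk optional header magic and the CLR header flags and reports whether an image is the PE32, IL-only case. The names `classify`, `build_sample` and the result keys are hypothetical, and the sample image is constructed.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1          # CLR header flag (corhdr.h)
COMIMAGE_FLAGS_32BITREQUIRED = 0x2   # CLR header flag (corhdr.h)

def classify(data: bytes) -> dict:
    """Report the on-disk PE format and CLR header flags of an image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, opt_size, _ = struct.unpack_from("<HH12xHH", data, pe + 4)
    opt = pe + 24                                             # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)              # data directories
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    # Directory 14 is the COM descriptor (CLR header); empty in native images.
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0] if ndirs > 14 else 0
    flags = None
    for i in range(nsect if clr_rva else 0):                  # map RVA to file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
        if vaddr <= clr_rva < vaddr + max(vsize, rsize):
            flags = struct.unpack_from("<I", data, rptr + clr_rva - vaddr + 16)[0]
    il_only = bool(flags is not None and flags & COMIMAGE_FLAGS_ILONLY)
    needs32 = bool(flags is not None and flags & COMIMAGE_FLAGS_32BITREQUIRED)
    return {
        "on_disk": "PE32" if magic == 0x10B else "PE32+",
        "machine": hex(machine),
        "managed": flags is not None,
        "il_only": il_only,
        # Assumption: PE32 + ILONLY without 32BITREQUIRED is the AnyCPU case
        # from the issue, whose mapped headers can be PE32+ in a 64-bit process.
        "headers_may_differ_in_memory": magic == 0x10B and il_only and not needs32,
    }

def build_sample(cor_flags: int) -> bytes:
    """Constructed minimal PE32 headers, just enough for classify()."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 1, 224, 0x2102)   # COFF header
    struct.pack_into("<H90xI", img, 0x98, 0x10B, 16)                 # magic, NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)     # CLR directory
    struct.pack_into("<8s4I", img, 0x98 + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHH8xI", img, 0x200, 72, 2, 5, cor_flags)     # IMAGE_COR20_HEADER
    return bytes(img)
```

Code that validates a mapped image against the on-disk machine type or optional header magic should expect a mismatch whenever `headers_may_differ_in_memory` is true.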

good find

roachadam, May 05 '23 18:05

this just saved my life, it needs to be merged! 👍

kiwids0220, Jan 11 '24 17:01